Article Id 193699


This article explains the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate out-of-band management.
Out-of-band means separate from the user traffic: management uses its own routing table and is routed separately altogether.
This is done in two ways:
  • Dedicating an interface in HA for individual management of each FortiGate in the cluster (up to 4 interfaces).
  • On select models, a separate interface comes factory set up with a 'dedicated-to management' configuration.

Note: both can be used at the same time.
This article refers to the 'dedicated-to management' part. For reference, the HA reserved management interface is configured as follows:
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port10
            set gateway x.x.x.x

By default, SNMP traps and syslog/remote logging should go out of a FortiGate through the dedicated management port. The dedicated management port is useful for meeting IT management regulations.
Both units of an HA cluster should be able to send out logs, SNMP traps and RADIUS/LDAP packets individually on their own management port, and this management traffic should stay within the dedicated management network.
The feature can also be used in standalone mode, allowing a dedicated port to be used for management.
It is also useful for having two management channels: if the primary in-band management port becomes unreachable, the FortiGate can still be reached, and logs received, over the secondary out-of-band channel.

For example, if wan1 is the primary management port and the dedicated-mgmt feature is enabled on, for instance, mgmt1 for out-of-band management, mgmt1 acts as a redundant management port, which is useful if wan1 becomes unavailable.
Such a setup needs to be used with consideration, because logs and SNMP traps will then be sent out simultaneously from both wan1 and mgmt1.


This applies to all FortiGate models with a mgmt interface running supported FortiOS versions (FortiGate 100D, 200D, 900D, 1000D and 3040C running FortiOS 5.0, 5.2 or 5.4).

Dedicating an interface to management can be done in the GUI as well as the CLI:

config system interface
    edit mgmt
        set dedicated-to management


Once the mgmt interface is set up with 'dedicated-to management', it no longer shows up in the interface selection of firewall policies. It also cannot be used in routing entries such as the default static route (it is 'out-of-band' now), which means that normal internet access traffic through this interface is not possible.

For example: if management access to the firewall is taken on the dedicated-to-management interface from a user's PC, that PC cannot access the internet via the same dedicated-to-management interface through which the firewall is managed.
Further changes to the dedicated-mgmt setup (such as adding a DHCP server) are possible through the CLI.
The mgmt interface must not be referenced anywhere else in order to be used here.
Check this first: the following command should return nothing; only then can mgmt be used:
diagnose sys cmdb refcnt show mgmt
Configuration CLI:
config system dedicated-mgmt
    edit {name}
        set status {enable | disable}
        set interface {mgmt | mgmt1 | mgmt2}
        set default-gateway x.x.x.x
        set dhcp-server {enable | disable}
        set dhcp-netmask
        set dhcp-start-ip
        set dhcp-end-ip
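As an added example (not Fortinet's code), the following Python script performs the reference check described above offline against a saved FortiOS configuration backup: it parses the config/edit/set blocks, finds interfaces set to 'dedicated-to management', and lists every static route, firewall policy or other table entry that still references them. The embedded configuration is a constructed sample, and the parser only models one level of edit nesting.

```python
import shlex

# Constructed sample FortiOS configuration backup (not from a real device). Route 1 and
# policy 1 deliberately reference the interface that is dedicated to management.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set dedicated-to management
    next
end
config router static
    edit 1
        set device "mgmt"
    next
end
config firewall policy
    edit 1
        set srcintf "mgmt"
        set dstintf "wan1"
    next
end
"""

def parse_fortios(text):
    """Flatten config/edit/set blocks into {table: {entry: {setting: [values]}}};
    sub-tables nested inside an edit block (e.g. 'config ipv6') are not modelled."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):  # shlex strips the quotes
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table][entry] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = entry = None
    return tables

def audit_dedicated_mgmt(config_text):
    """List every setting outside 'system interface' whose value names a dedicated-to-
    management interface: the offline analogue of a non-empty 'refcnt show' result."""
    cfg = parse_fortios(config_text)
    dedicated = {name for name, s in cfg.get("system interface", {}).items()
                 if s.get("dedicated-to") == ["management"]}
    return [f"{table} {eid}: {key} {value}"
            for table, entries in cfg.items() if table != "system interface"
            for eid, settings in entries.items()
            for key, values in settings.items()
            for value in values if value in dedicated]
```

An empty result list corresponds to the refcnt command returning nothing, so the interface can safely be used for dedicated-mgmt; any listed entry must be removed or moved to another interface first.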


Related article:

Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID