dbabic
Staff

Description

This article explains the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate out-of-band management.

With the dedicated management port enabled, management traffic such as SNMP traps, syslog/remote logging and RADIUS/LDAP authentication requests leaves the FortiGate from that port rather than from a data interface. This separation is useful where IT management regulations require management traffic to stay on a dedicated management network. In an HA cluster, each of the two units sends its logs, SNMP traps and RADIUS/LDAP packets from its own management port, so each member can be monitored individually. The feature can also be used in standalone mode, giving a single FortiGate a port reserved for management.

The feature is also useful for keeping two management channels: if the primary in-band management port becomes unreachable, the FortiGate can still be reached, and its logs still received, over the secondary out-of-band channel.

For example, if wan1 is the primary management port and dedicated-mgmt is enabled on mgmt1 for out-of-band management, mgmt1 becomes a redundant management path that remains available if wan1 goes down. Such a design needs to be planned with care, because logs and SNMP traps are then sent out simultaneously from both wan1 and mgmt1: the syslog and SNMP receivers must accept traffic from both source addresses, and they may see each event twice unless they deduplicate.


Scope
FortiGate 100D, 200D, 900D, 1000D and 3040C running FortiOS 5.0, 5.2 or 5.4.
All FortiGate models running FortiOS 6.2.5+ or 6.4.2+


Solution

The dedicated-mgmt feature can only be configured from the CLI; it is not exposed in the GUI.

Configuration CLI
# config system dedicated-mgmt
     set status {enable | disable}
     set interface {mgmt | mgmt1 | mgmt2}
     set default-gateway x.x.x.x
     set dhcp-server {enable | disable}
     set dhcp-netmask x.x.x.x
     set dhcp-start-ip x.x.x.x
     set dhcp-end-ip x.x.x.x
end

dedicated-mgmt is a single global setting, so there is no edit <name> table entry; the interface names offered depend on the model. The dhcp-* options only apply when dhcp-server is enabled, in which case the FortiGate hands out addresses from the given range to hosts on the management network. The default-gateway is specific to the dedicated management port and is used only for traffic sourced from it.
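A complete working configuration, added here as an example and not taken from the original article: it assigns an address to mgmt1, enables dedicated-mgmt on that port with its own default gateway, and then checks that log and trap traffic really leaves through mgmt1. The interface name mgmt1, the 10.10.10.0/24 addressing and the gateway 10.10.10.1 are assumed example values; adjust them to the model and management network in use.

```fortios
config system interface
    edit "mgmt1"
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end

config system dedicated-mgmt
    set status enable
    set interface "mgmt1"
    set default-gateway 10.10.10.1
    set dhcp-server disable
end

show system dedicated-mgmt

diagnose sniffer packet mgmt1 'udp port 514 or udp port 162' 4 10
diagnose log test
```

The sniffer filter captures syslog (UDP 514) and SNMP traps (UDP 162) on mgmt1 only; run diagnose log test from a second CLI session while the sniffer is running to generate sample log messages. The captured packets should show 10.10.10.2 as the source address. If nothing appears on mgmt1, repeat the same sniffer command on wan1: packets there mean the logs are still following the in-band path. In the redundant wan1 plus mgmt1 design described above, running the filter on both interfaces at once shows the duplicated output the Description warns about.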

Related Articles

Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID

Contributors