FortiGate: dedicating an interface to management

The goal was to monitor each node independently, so that you can query each one via SNMP, for example. Moreover, I had to find a configuration that works with a FortiManager.
My cluster was already functional and the mgmt interface was configured with one IP shared between the two units.
The first configuration I made didn't work in an HA cluster environment managed by a FortiManager.

If you try to configure the dedicated interface directly, you can run into this error:

FGT100F_Principal (global) # config system dedicated-mgmt
FGT100F_Principal (dedicated-mgmt) # set status enable
FGT100F_Principal (dedicated-mgmt) # set interface mgmt
node_check_object fail! for interface mgmt

After some research: you first have to tick the "Dedicated Management Port" box in the interface menu, or set it in the CLI (under config system interface, in the entry of the interface you want to dedicate):
set dedicated-to management

Once that is done, you can assign the mgmt interface to dedicated-management mode.

Note that you have to configure both firewalls in order to have different IPs on the two nodes, since the address of the dedicated management interface is set per unit.
Configuration below:

config system dedicated-mgmt
set status enable
set interface "mgmt"
set default-gateway 192.168.X.Y
end
config system interface
edit "mgmt"
set vdom "dmgmt-vdom"
set ip 192.168.X.X 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set dedicated-to management
set role lan
set snmp-index 2
next
end

As you can see, the interface is moved to a specific VDOM called "dmgmt-vdom".

Unfortunately, this configuration was not working with FortiManager: the discovery process was stuck at 35% and was not able to retrieve the policy.
According to this doc, you have to use a different configuration, under the HA section. It lets each firewall have its own management IP while the cluster keeps an interface used to communicate with FMG.

In an HA environment, the ha-direct option makes management traffic from services such as syslog, FortiAnalyzer, FortiManager, SNMP, and NetFlow leave through the HA reserved management interface of each unit, rather than through the cluster's regular outgoing interface. This is what allows each node to be seen (and polled) separately.
You can also define which destination network is reached through the mgmt interface with the set dst command: it adds a route to that network via the gateway configured for the reserved interface.

config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set dst 192.168.Z.0 255.255.255.0
set gateway 192.168.X.X
next
end
set ha-direct enable
end
FGT100F_Principal (global) # show system interface mgmt
config system interface
edit "mgmt"
set ip 192.168.X.X 255.255.255.0
set allowaccess ping https ssh snmp fgfm ftm
set type physical
set dedicated-to management
next
end
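The following is an added example, not the configuration from the original post: it writes out the same HA reserved-management setup for both units of the cluster, adds the SNMP agent and community that the independent monitoring of each node requires, and ends with the commands used to check that each unit answers on its own address. All addresses (192.0.2.0/24 for the management subnet with 192.0.2.1 as gateway, 198.51.100.0/24 for the NMS/FortiManager network) and the community name "monitoring" are placeholders chosen for the example; it also assumes, as in the post, that config system ha is synchronized across the cluster while the IP of the reserved mgmt interface is not and must be set on each unit.

```fortios
# Added example (not from the original post). Placeholder addresses:
#   192.0.2.0/24   management subnet, gateway 192.0.2.1
#   198.51.100.0/24 network of the NMS / FortiManager (NMS host 198.51.100.10)

# --- On the primary unit -----------------------------------------------------
# config system ha is synchronized to the secondary, so it is entered once.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            # destination network reached through the reserved mgmt interface
            set dst 198.51.100.0 255.255.255.0
            set gateway 192.0.2.1
        next
    end
    # syslog / FAZ / FMG / SNMP traffic leaves via the reserved mgmt interface
    set ha-direct enable
end

# The reserved interface IP is NOT synchronized: set it on each unit.
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set dedicated-to management
    next
end

# SNMP agent plus a read-only v2c community restricted to the NMS host.
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "monitoring"
        config hosts
            edit 1
                set ip 198.51.100.10 255.255.255.255
            next
        end
        set query-v1-status disable
    next
end

# --- On the secondary unit ---------------------------------------------------
# Open a session to the peer over the HA link (the index is the one listed by
# "execute ha manage ?"), then give it its own mgmt address.
execute ha manage 0 admin
config system interface
    edit "mgmt"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set dedicated-to management
    next
end

# --- Checks (run on each unit) -----------------------------------------------
get system ha status                    # both units in sync
execute ping-options source 192.0.2.11  # source the ping from this unit's mgmt IP
execute ping 198.51.100.10              # the NMS / FMG must be reachable from it
```

Once both units answer on their own address, the NMS polls 192.0.2.11 and 192.0.2.12 separately; FortiManager, for its part, adds the cluster via the primary's management IP and discovers the secondary through it.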
From the FortiManager point of view, the cluster is now correctly discovered.

Sources:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-dedicate-an-interface-to-management/ta-p/189625?externalId=FD37035
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-dedicated-mgmt-feature-Out-of-band/ta-p/193699
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/369323/configuring-a-management-interface

Author: Kévin SAS

I am Kévin SAS and I live in France. I am a network and security engineer. I have worked for many customers in these domains: wireless, LAN, datacenter, VoIP, with several vendors such as Cisco, HPE, Aruba and Palo Alto, among others. I previously worked for a service provider and currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
