Mayoub
New Contributor

Dedicated management access

Hello,

I have a firewall with SD-WAN (2 VPN links included).

I try to access the management interface coming from the VPN link inside the SD-WAN, but I noticed that my traffic comes from the VPN, goes to the LAN port to a layer 3 switch and then to mgmt:

vpn --> port lan --> switch L3 --> mgmt port.

I have a route to the management VLAN that goes to the LAN port (this is an existing configuration).

Access to the mgmt interface is not working, any ideas?

Why does the kernel route to management not take precedence?

AEK
SuperUser

Hi Mayoub

This is expected behavior if your management interface is "dedicated-to management".

You can check as follows:

    config system interface
        edit mgmt
            show

If you see the line "set dedicated-to management" then the management is out of band; it is as if the VRF of this interface is not the same as that of the other firewall interfaces, and you can't route or create policies with this interface.

Having this config is OK, you can leave it as is, but if it doesn't comply with your design requirements then you just need to disable "dedicated-to management" for this interface.

AEK
Mayoub
New Contributor

Hello AEK,

Yes, I confirm that this interface is dedicated to management.

So what makes accessing that interface impossible might be something other than the FortiGate?

AEK

Hi Mayoub

Check if there is a firewall policy that allows you to access the mgmt IP through the VPN.

It should be defined like this:

  • src intf: VPN tunnel interface
  • dst intf: LAN
  • src: VPN IP pool
  • dst: mgmt IP
  • service: https, ssh, ping

Once you have checked this, try to access mgmt from the VPN and then see what's happening in the traffic logs.

You can also see how the traffic is flowing:

    diag sniffer packet any 'host <mgmt-IP> and host <vpn-client-IP> and port 443' 4

AEK
Mayoub
New Contributor

Hello,

Yes, I do have a policy that authorises the traffic.

Doing the sniff is how I noticed that the traffic is going to the LAN before the mgmt port; I have the following:

    vpn in
    lan out
    mgmt in
    mgmt out
    lan in
    vpn out

When debugging I also have some "no session matched" errors for the reply-direction packets.
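An added illustration (not code from the thread or from Fortinet): a small parser for the verbosity-4 output of the `diag sniffer packet` command AEK suggested, which reconstructs the per-interface path Mayoub listed above and flags any interface other than mgmt on which packets addressed to the mgmt IP left the box. The sample capture and its addresses are constructed assumptions.

```python
import re

# One verbosity-4 sniffer line looks like:
#   "<time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> ..."
# The "interfaces=[...]" and "filters=[...]" header lines do not match.
LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample (assumed addresses): VPN client 10.212.134.200,
# management IP 192.168.1.99, reproducing the path Mayoub observed.
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.1.99 and host 10.212.134.200 and port 443]
1.000001 vpn in 10.212.134.200.51000 -> 192.168.1.99.443: syn 100
1.000050 lan out 10.212.134.200.51000 -> 192.168.1.99.443: syn 100
1.000120 mgmt in 10.212.134.200.51000 -> 192.168.1.99.443: syn 100
1.000200 mgmt out 192.168.1.99.443 -> 10.212.134.200.51000: syn 200 ack 101
1.000260 lan in 192.168.1.99.443 -> 10.212.134.200.51000: syn 200 ack 101
1.000300 vpn out 192.168.1.99.443 -> 10.212.134.200.51000: syn 200 ack 101
"""


def parse_sniffer(text):
    """Return (intf, direction, src, dst) for every packet line, skipping headers."""
    hops = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            hops.append((m["intf"], m["dir"], m["src"], m["dst"]))
    return hops


def interface_path(hops):
    """Collapse the capture into the ordered '<intf> <in|out>' steps."""
    return [f"{intf} {d}" for intf, d, _, _ in hops]


def hairpin_interfaces(hops, mgmt_ip, mgmt_intf):
    """Interfaces other than mgmt_intf that forwarded packets destined to mgmt_ip.
    A non-empty result means the unit did not deliver the traffic locally on the
    management interface but pushed it out through the data plane (the symptom
    of an out-of-band, dedicated-to-management interface)."""
    return sorted({intf for intf, d, _, dst in hops
                   if dst == mgmt_ip and d == "out" and intf != mgmt_intf})


if __name__ == "__main__":
    hops = parse_sniffer(SAMPLE)
    print(" -> ".join(interface_path(hops)))
    print("hairpin via:", hairpin_interfaces(hops, "192.168.1.99", "mgmt"))
```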
hbac

Hi @Mayoub,

Do you have a policy route or SD-WAN rule configured to route traffic via the LAN instead of mgmt?

Regards,
