Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Netadmin-ccl-org
New Contributor

Created on ‎02-12-2024 08:17 AM

Using Mgmt interfaces for fortiguard servers updates

Since you cannot have two default routes with two different source interfaces...I hate that. How do I get my mgmt interfaces to be used to contact fortinet servers? Is there a range of destination IPs that I can set statics to via the mgmt interface?

Labels:
386
0 Kudos
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎02-12-2024 08:47 AM

You can specify as follows.

config system fortiguard
  set interface-select-method specify
  set interface mgmt
  set source-ip x.x.x.x
AEK
AEK
374
0 Kudos
Netadmin-ccl-org
New Contributor
In response to AEK

Created on ‎02-12-2024 09:04 AM

But without a default route tied to the mgmt interface how does it know where to go?

372
0 Kudos
AEK
SuperUser
SuperUser
In response to Netadmin-ccl-org

Created on ‎02-12-2024 09:14 AM

Oh so you have SD-WAN?

Your solution then is to set mgmt interface as dedicated to management. The condition is to have no firewall policy with mgmt as source interface or destination interface.

config system interface
  edit "mgmt"
    set dedicated-to management

You will then be able to add default route through mgmt interface.

AEK
AEK
368
0 Kudos
Netadmin-ccl-org
New Contributor
In response to AEK

Created on ‎02-12-2024 09:35 AM

Already have the mgmt interface set to dedicated to mgmt. I do not have any policies at all at this point tied to mgmt but it does not let me add static default route. 

360
0 Kudos
Netadmin-ccl-org
New Contributor
In response to Netadmin-ccl-org

Created on ‎02-12-2024 09:36 AM

Says you cannot have duplicate routes on sdwan and non sdwan interface.

359
0 Kudos
AEK
SuperUser
SuperUser
In response to Netadmin-ccl-org

Created on ‎02-12-2024 09:47 AM

Ok I admit I was wrong.

So your solution is to add a route to "Internet Service" > FortiGuard, via mgmt.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-static-route-for-Predefined-Int...

AEK
AEK
356
0 Kudos
Netadmin-ccl-org
New Contributor
In response to AEK

Created on ‎02-12-2024 11:59 AM

This does not seem to fix my fortigates not being able to talk to the fortiguard servers over my mgmt network.

334
0 Kudos
AEK
SuperUser
SuperUser
In response to Netadmin-ccl-org

Created on ‎02-12-2024 12:31 PM

So I summarize..

You forced FortiGuard local-out-routing through mgmt, like this:

config system fortiguard
  set interface-select-method specify
  set interface mgmt
  set source-ip x.x.x.x

And you added a route towards "Internet Service" > FortiGuard, via mgmt through the gateway in front of mgmt.

Right?

So now you need to check with "diag sniffer" from where the FortiGuard traffic is flowing. You can run "exec update now" to generate traffic with FortiGuard.

AEK
AEK
321
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.