How to configure MGMT interface with an IP add of my LAN subnet (FG 200E)

mile123 · ‎04-24-2018

Hi everyone here!

I am new with FG devices and I am currently working with FG 200E but I am facing a problem and I cannot find a solution for my case; I need to configure the mgmt interface with the IP x.x.x.x but I also need to configure a LAN interface with an IP add in the same subnet as the mgmt interface which seems to be a problem because I am getting this error:

Conflicts with 'mgmt' subnet

I was reading in previous post some solutions by using the ha configuration but in my case I am not using high availability, I just have to configure this single device. Is there any solution for this problem?

Any answer is welcome, thanks so much for the help!

Markus · ‎04-24-2018

Hi,

Welcome to the Forums. You have to connect to the cli interface of the Fortigate (enable SSH on the Interface and use Putty or something similar). Use the following commands

config system settings

set allow-subnet-overlap enable This should do the trick.

________________________________________________________
--- NSE 4 ---
________________________________________________________

Toshi_Esumi · ‎04-24-2018

Depending on how you want to use mgmt interface, but another option is to create a new vdom and move the interface from "root" to the new management vdom. That would isolate management network (I assume that's the reason you have an overlap) from all other user networks but still can manage the 200E through the interface.

mile123 · ‎04-24-2018

Hi Markus,

Thanks so much for the info, I already configured those commands using the CLI from my browser but i still have the same problem, not just with mgmt interface but with any other other port that I want to configure in the same subnet, it seems like the command is note working yet even when I rebooted the FG... do I need to add something else?

Thanks so much!

mile123 · ‎04-24-2018

Hi Toshi,

Thanks so much for your answer, I still have one question, I created a new VDOM called Management: do I need to configure again my mgmt port selecting this VDOM; erase the mgmt interface from root vdom and let all my other ports in the root VDOM? That will be enough to be able to manage the device remotly through mgmt port while everything is still working in my LAN?

I will be waiting for your answer and thanks soooo much!

Toshi_Esumi · ‎04-24-2018

When you enabled vdom-admin under global config, everything should be in root vdom (or everything you configure without enabling vdom-admin goes into root vdom). So now the mgmt interface is in root. You just need to change it to "Management" vdom you created with below:

config sys int

edit mgmt

set vdom "Management"

mile123 · ‎04-24-2018

Amazing! thanks so much again for your help Toshi

Toshi_Esumi · ‎04-24-2018

Once you're in multi-vdom environment, CLI is much easier to handle configuration, especially copy&paste&compare when you have the same or similar things between vdoms.

By the way, if you have overlapping subnets on the user-side network (separated from management side) something is not right network design-wise, which you should correct. Otherwise it would lead to more problems down on the road.

streeb2021 · ‎05-25-2018

Along a very similar line I have a HA pair where I have opted to configure the ha-mgmt-status enable option so that we can reach the cluster units individually. I would however like to have the best of both worlds and be able to have a single address to manage the cluster as per the default (and use that for FortiManager etc.) but without using up another physical interface.

Any advice welcome on this.

Regards

Mike