Fortigate 100E: Correct way to use Management Interface

Author: capricorn80
2018/08/18 03:09:40 (permalink)


Hi!
 
I have posted a static route issue in another post, but after reading a few posts it looks like I need to have a mgmt VDOM for the mgmt interface to work correctly, so I am asking this here.
 
I have a dedicated mgmt interface but I cannot access it from my normal VLAN. I can access it via my laptop in the management subnet. As I am putting my firewall into production, I need to know the right steps to configure on it so that I can access the management interface from the normal VLAN.
 
Can anyone provide the right way to do it?
 
Thanks 
 
 
#1

    Nicholas Doropoulos
    Re: Fortigate 100E: Correct way to use Management Interface 2018/08/18 12:40:46 (permalink)
    Hi,
     
    The first thing I would do is to check the status of the management interface and see if it has been configured correctly in terms of the management protocols that need to be enabled along with its associated IP address, subnet mask etc. This can be checked under Network >> Interfaces on the GUI.
     
    Then, I would check that there are no trusted hosts configured. 
     
    Failing that, just for testing purposes, I would enable Local Traffic Log under Log & Report >> Log Settings. The local traffic log includes management traffic and it will provide you with more information during the testing process.
     
    Next, I would proceed to run a sniffer. On the CLI, run the following command:
     
    diag sniffer packet [management-interface-goes-here] 'host [ip address that you test from goes here]' 6
     
    Moreover, under Network >> Packet Capture, you can set a filter to capture the interesting traffic which you can then analyse on Wireshark.
     
    For deeper troubleshooting, you can also run a debug by following the instructions below:
     
    diag debug disable
    diag debug flow trace stop
    diag debug flow filter clear
    diag debug reset
    diag debug flow filter addr [ip address you test from goes here]
    diagnose debug flow show console enable
    diagnose debug flow show function-name enable
    diagnose debug console timestamp enable
    diag debug flow trace start 100
    diag debug enable
     
    Once you have collected the output of the above, ensure that debugging is disabled:
     
    diag debug disable
    diag debug flow trace stop
    diag debug flow filter clear
    diag debug reset
     
    Provided that local traffic logging was enabled at the very start, you should also be able to see more information on the resulting log.
     
    Feel free to post the outputs of all of the above here, along with a diagram of your topology if possible, so we can assist you further.
     
     

    NSE5, NSE 4, CCSA, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
    #2
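To make the debug output from the procedure above easier to read, here is an added helper (not code from the thread or from Fortinet): it groups `diag debug flow` trace lines by trace_id, pulls the source, destination and ingress interface out of the first "received a packet" line, and reports the first drop or deny verdict for each trace. The sample lines are constructed in the style of FortiOS flow traces (the exact field layout is an assumption); only the key=value and msg="..." structure is relied on.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of "diag debug flow" output (not captured from
# a real device). Trace 1: ping from the management subnet. Trace 2: SSH SYN from
# the normal VLAN that the firewall never answers.
SAMPLE_TRACE = '''
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.10.5:1->10.10.10.1:2048) from mgmt. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=84000000 gw-10.10.10.1 via root"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.50.20:51000->10.10.10.1:22) from mgmt. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=ip_route_input_slow line=1783 msg="reverse path check fail, drop"
'''

# key=value fields; a quoted msg="..." is consumed whole so its inner "k=v" text is ignored
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# proto, src:sport->dst:dport and the ingress interface from the "received a packet" msg
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.')
DROP_MARKERS = ("drop", "denied", "no session matched")

def parse_flow(text):
    """Group trace lines by trace_id; returns {trace_id: [msg, ...]} in order seen."""
    traces = OrderedDict()
    for line in text.strip().splitlines():
        fields = dict(FIELD_RE.findall(line))
        tid = fields.get("trace_id")
        if tid is None:
            continue
        traces.setdefault(tid, []).append(fields.get("msg", "").strip('"'))
    return traces

def summarise(traces):
    """One dict per trace: who sent what to where, via which interface, and the drop verdict (None if not dropped)."""
    out = []
    for tid, msgs in traces.items():
        m = PKT_RE.search(msgs[0])
        if not m:
            continue  # trace did not start with a packet detail line
        proto, src, _sport, dst, dport, iface = m.groups()
        verdict = next((x for x in msgs if any(k in x.lower() for k in DROP_MARKERS)), None)
        out.append({"trace_id": tid, "proto": int(proto), "src": src, "dst": dst,
                    "dport": int(dport), "iface": iface, "dropped": verdict})
    return out

if __name__ == "__main__":
    for row in summarise(parse_flow(SAMPLE_TRACE)):
        print(row)
```

A trace that shows the packet arriving but ends in a drop verdict (as in trace 2) points at the firewall's own policy or routing for the management interface rather than at the client or the switch.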
    capricorn80
    Re: Fortigate 100E: Correct way to use Management Interface 2018/08/18 13:05:42 (permalink)
    I will check that, but I did a diag and I can see the echo request and the SSH SYN coming to the firewall, but the FW is not sending an ACK or echo reply.
    #3