- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortinet 101F - Management Interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet 101F - Management Interface
HI Everyone,
I have just acquired this Fortinet Firewall for the purpose of site to site VPN between two sites and i don't have previous experience deploying it the live network.My questions are very basic and i hope you don't mind answering them. I have tried to gather information from google but didn't get what i want.
1. I have tried to change IP of management interface (10.10.10.x is reserved for management) so that i can access it from within the LAN but there is no option to assign a Gateway IP therefore its not accessible unless i access it from the same subnet. Question is how can i change the IP to 10.x.x.x range and access it from 11.x.x.x or 12 .x.x.x?
2. Can i use port 1 as a local VPN interface to connect to the other site as i have got the IP and subnet, gateway is not required.
our end IP 172.16.x.1 and their end IP is 172.16.x.2
3. Other switch ports doesn't have the option to assign gateway, so how can i assign a static IP Address to introduce the interface to my LAN.
I will appreciate your help.
Thanks
Ali
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
and welcome to the forums.
I will try to give you hints as far as I've understood your questions. As you come from a different vendor your expectations as well as terminology might cause some confusion. But, in reality it's quite simple.
rule 1:
you can only assign one subnet (address + mask) to one port. You cannot assign any other address from that subnet to any other port on the FGT.
FortiOS will automatically create a static route to this interface for this subnet (look it up in Monitor > Routing monitor).
rule 2:
the only exception to this is the management interface (if present in hardware) or one port "dedicated to management" (all models). This is meant so that you can access all members of a cluster because this setting will not be synchronized across all cluster members. This means that you can access passive or slave members on their own local interface while the cluster itself carries a different address from the same subnet.
rule 3:
rule 2 leads to the idea that you don't HAVE to use the management port to manage the FGT. You can choose any port and allow access via HTTPS or SSH. I personally wouldn't allow that on WAN ports but there are cases where this comes in handy.
Next question about VPN:
yes, you can terminate an IPsec VPN on any port, using any address. My advice: do not use the VPN wizard but build your phase1 and phase2 by hand. You'll encounter all relevant parameters and find the spot where you specify the outbound port and address.
If you specify the 'remote address' the FGT of course needs a valid route to that address.
Question about gateway:
hmm, maybe you are looking for a way to create routes? Network > Static routes.
If your FGT features a switch (a compound of interfaces internally connected by a switch hardware) then only one port will carry an address & netmask.
Maybe I didn't understand your questions fully, then please continue to ask.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks and i appreciate your help EDE.
My environment is Cisco that is why i am having difficulties but i am trying to learn. In my scenario i tried assigning IP 10.10.10.10 but i was unable to access it from my desktop PC having IP from a different subnet. I also made sure that the port on the switch is in the right VLAN and also tested the same IP on my laptop that worked straight away.
I will try again on Monday and see if it makes any difference.
Thanks for the tips regarding VPN. I don't use wizards anyway. I assume i can introduce my LAN to the WAN ports or any switch port of FGT ?
If incase it doesn't work then i will try to upload a simple network diagram to show what exactly i want.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Diagrams are ALWAYS a big help.
One thing you should know is that a FGT is a security device. One consequence of this is that it will DROP traffic from networks it doesn't know.
Say, your LAN is 10.10.10.0/24 and port1 has 10.10.10.1. Somewhere on the LAN there is a second router which provides access to 10.3.4.0/24. If you ping the FGT from 10.3.4.5, maybe it will reach port1 but then the FGT will silently discard that traffic.
Fix:
you create a static route on the FGT how to reach the subnet 10.3.4.0
subnet 10.3.4.0/24
gateway 10.10.10.254 (must be on a known subnet of the FGT)
Now the remote subnet is known to the FGT and will be allowed if additionally there is a policy allowing it. (for direct access to a FGT port you would not need a policy).
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://forum.fortinet.com/tm.aspx?m=148995
See emnoc's comment on the management interface gateway setting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:Thanks Toshie, i am not comfortable using Vdoms as it will make things complex. I have seen few videos for changing it from root to your own and i tried too but didnt find an option of adding a new Vdom. Only root and FGT management was available for editing and configuration and i had to execute factory reset in the end.https://forum.fortinet.com/tm.aspx?m=148995
See emnoc's comment on the management interface gateway setting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ken's(emnoc's) first suggestion in the thread should work without VDOM. "dedicated-to-managment" interface doesn't live in regular routing-table (out-of-band). It doesn't follow the regular default gateway.
config sys ha set ha-mgmt-status enable set ha-mgmt-interface "mgmt" set ha-mgmt-interface-gateway x.x.x.x end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"our end IP 172.16.x.1 and their end IP is 172.16.x.2"
Does that mean that's overlapping subnets? Or is that indeed two seperate subnets?
If it is overlapping you would have to map it to make it accessible over the vpn. There is a KB article on that somwhere at Fortinet.com. Google might find it.
if not it's fine and Ede and Toshi already mentioned all other things.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are not using this 172 IP address anywhere , infact this IP is given by the users of other end who wanted to have a VPN connection with us. They are currently using this scheme with many other clients. Their end is .1 and all other clients are .2,3,4 etc.
i have not had a chance to do any configuration on it yet but i am planning to do it during this week.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the end is different yes. But does the rest difer?
Iif e.g. Client is 172.16.1.1 and you have 172.16.1.2 3 or 4 that is overlapping subnets! it is different ips on both side but the same subnet. This doesn't even cannot be done by subnetting as no matter hwat mask you use at lest .1 to .3 will bei on the same subnet.
In this case that cannot be routed successfully as it is local on an interface on both sides then. So you would have to map it as I said to bei able to route traffic. That would have to be done on both sides of course. ANd then both sides would have to use the mapped subnet instead of the original to get to the other side.
There is a KB Article on how that can be done if there is a FGT on both sides. I once had to do that too and it did work this way here as long as we needed it (we changed the remote subnet as soon as it were possible).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Cisco Trunk port to Fortiswitch 155 Views
- Policy based routing to IPsec tunnel 138 Views
- Connecting Two SIP Trunks with Different... 233 Views
- How to manage Fortianalyzer VM from... 99 Views
- Cisco Multicast Ping ICMP reply not... 184 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,288 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.