The management interface should be used exclusively by the FortiADC administrator to manage the devices, physical or virtual, (such as configuring or debugging it). It should be an interface through which FortiADC's management traffic (such as license authenticating) can traverse at any time without affecting normal network traffic. It is especially useful for slave devices in HA active-passive mode. The management interface has the highest access permissions, and the FortiADC administrator should make sure that it is used for management traffic only, and avoid using it for normal traffic.
You can configure the management interface from either the GUI or the CLI. This section discusses how to configure the management interface from the GUI. For instructions on how to configure management interface using the CLI, see the section "Moving from 'Dedicated HA Management IP' to 'Management Interface'" at the end of this section.
- It must be noted that, because the management interface is a global configuration, it must and can only be configured from the "global" system interface and used by the "global" administrator. Therefore, the option is NOT available on any VDOM.
- This "management interface" is a virtual interface, which is quite different from the default, factory-set, "physical" management interface used to set up the appliance for the first time, as discussed in Step 2: Configure the management interface, Chapter 3: "Getting Started", of this Handbook.
To configure the management interface:
- From FortiADC's global interface, click Networking > Interface to open the interface configuration page.
- In the Management Interface section, click the edit button, the pencil, in the top right corner to enable the management interface. The fields for management interface configuration appear on the page.
- Make the desired selections and entries as described in Management interface configuration.
- Click Save when done.
Enable this option.
Select an interface (port) from the list menu.
Note: The management interface handles all incoming and outgoing management traffic. Note: It must be promiscuous mode to work. Promiscuous mode is required because dedicated management interface is a virtual interface and does not share the physical port mac address.
Enter the IP address of the management interface.
Note: Once enabled, the management network IP becomes active in all each modes (i.e., standalone, active-passive, active-active, and VRRP). Therefore, the management interface IP address must be unique and must NOT be used in regular functions, such as the virtual server IP addresses, source NAT pool IP addresses, source NAT pool trans-to IP addresses, 1-to-1 NAT external/mapped IP addresses, and all the other IP addresses configured on the interface. Otherwise. it will conflict with the HA functions.
|Management IP Allow Access||
Select the type or types of management traffic that are allows to access the Management interface.
|Management MAC Address||
Note: If you do not specify a management MAC address, FortiADC will automatically populate the field with a random MAC address when you click the Save button
In pre-FortiADC 4.8.1 releases, the GUI had an option in interface configuration (Networking > Interface > Add) which allows you to set an interface as the "Dedicated HA Management IP", which functions exactly the same as the "Management Interface" in 4.8.1. With the 4.8.1 release, that option is removed from the GUI (even though it is still available in the Console) is replaced by the "Management Interface". If you have a dedicated HA management IP configured on a pre-4.8.1 version of FortiADC, we highly recommend that you delete it, and then configure a management interface instead, after you've upgraded to 4.8.1. This will help streamline your interface configuration and make system management easier.
All this can be done through FortiADC's Console only. The following instructions show how to delete your old "Dedicated HA Management IP" and configure the "Management Interface" using the Console in FortiADC 4.8.1:
Execute the following commands:
config system interface
set dedicate-to-mgmt disable
Execute the following commands:
config system ha
set mgmt-status enable
set mgmt-interface port1
set mgmt-ip 10.106.129.120/24
set mgmt-ip-allowaccess https ping ssh snmp http telnet
set mgmt-mac-addr fe:02:98:41:93:f8