Configuring the management interface

The management interface should be used exclusively by the FortiADC administrator to manage the device, physical or virtual (for example, to configure or debug it). It should be an interface through which FortiADC's management traffic (such as license authentication) can pass at any time without affecting normal network traffic. It is especially useful for secondary devices in HA active-passive mode. The management interface has the highest access permissions, so the FortiADC administrator should make sure that it carries management traffic only and avoid using it for normal traffic.

You can configure the management interface from either the GUI or the CLI. This section discusses how to configure the management interface from the GUI. For instructions on how to configure the management interface using the CLI, see the Console instructions at the end of this section.

  • As the management interface is a global configuration, it can only be configured from the "global" system interface and used by the "global" administrator. Therefore, the option is NOT available on any VDOM.
  • This "management interface" is a virtual interface, which is different from the default, factory-set, "physical" management interface used to set up the appliance for the first time, as discussed in Step 2: Configure the management interface of the Getting Started section of this Handbook.
To configure the management interface:
  1. From FortiADC's global interface, go to Networking > Interface to open the interface configuration page.
  2. In the Management Interface section, click the edit button, the pencil, in the top right corner to enable the management interface. The fields for management interface configuration appear on the page.
  3. Make the desired selections and entries as described in Management interface configuration.
  4. Click Save when done.

Management interface configuration

Option Guidelines
Management Status

Enable this option.

Management Interface

Select an interface (port) from the list menu.

Note: The management interface handles all incoming and outgoing management traffic. It must be in promiscuous mode to work. Promiscuous mode is required because the dedicated management interface is a virtual interface and does not share the physical port's MAC address.

Management IP

Enter the IP address of the management interface.

Note: Once enabled, the management network IP becomes active in all modes (i.e., standalone, active-passive, active-active, and VRRP). Therefore, the management interface IP address must be unique and must NOT be used in regular functions, such as virtual server IP addresses, source NAT pool IP addresses, source NAT pool trans-to IP addresses, 1-to-1 NAT external/mapped IP addresses, and any other IP address configured on the interface. Otherwise, it will conflict with the HA functions.

Management IP Allow Access

Select the type or types of management traffic that are allowed to access the management interface.

Management Trust IP

Enable/disable the Trust IPs Access Control (TIAC) feature to restrict access to the management interface according to the Management Trust IP Address List. If the source IP is not on the Management Trust IP Address List, the device rejects the client immediately.

To add IP addresses to the Management Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list.

Note: For HA configurations, the Management Trust IP Address list will not be synchronized to peer nodes.

Management Trust IP Address List

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.

Type

Select the IP address type:

  • IPv4/Netmask

  • IPv4 Address Range

IPv4/Netmask

Specify the IP address that can access the interface.

Address Range

Specify a range of IP addresses that can access the interface.
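The two notes above describe two checks an administrator has to get right: the management IP must not collide with any address used by a virtual server, SNAT pool, NAT mapping or interface, and (with TIAC enabled) a management connection is accepted only if its service is in the allow-access set and its source address matches an IPv4/Netmask or IPv4 Address Range entry on the trust list. The following Python model is an added example, not Fortinet code and not how FortiADC implements the checks internally. It assumes a simple data model of its own (the TrustEntry and ManagementInterface classes, the validate_mgmt_ip and check_access functions, and the constructed sample addresses are all hypothetical); the management IP and the allow-access keywords are taken from the CLI sample on this page.

```python
"""Model of the management-interface access rules described on this page.
Added example: not Fortinet code. The data model and sample addresses are
constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # name rule from the page: no spaces


@dataclass
class TrustEntry:
    """One row of the Management Trust IP Address List (hypothetical model).

    Exactly one of the two shapes the page allows is set:
      - IPv4/Netmask        -> subnet
      - IPv4 Address Range  -> start/end (inclusive)
    """
    name: str
    subnet: Optional[ipaddress.IPv4Network] = None
    start: Optional[IPv4] = None
    end: Optional[IPv4] = None

    def __post_init__(self):
        if not NAME_RE.fullmatch(self.name):
            raise ValueError(f"invalid entry name: {self.name!r}")
        is_range = self.start is not None and self.end is not None
        if (self.subnet is None) == (not is_range):
            raise ValueError("entry must be either a subnet or a start/end range")
        if is_range and self.start > self.end:
            raise ValueError("range start must not exceed range end")

    def contains(self, ip: IPv4) -> bool:
        if self.subnet is not None:
            return ip in self.subnet
        return self.start <= ip <= self.end


@dataclass
class ManagementInterface:
    """The fields of the Management interface configuration table (hypothetical model)."""
    status: bool                           # Management Status
    interface: str                         # Management Interface (port)
    ip: ipaddress.IPv4Interface            # Management IP
    allowaccess: frozenset                 # Management IP Allow Access
    trust_ip: bool = False                 # Management Trust IP (TIAC)
    trust_list: list = field(default_factory=list)


def validate_mgmt_ip(mgmt: ManagementInterface, other_addresses: dict) -> list:
    """Return the names of configured objects whose address equals the management IP.

    other_addresses maps an object name (virtual server, SNAT pool, trans-to
    address, 1-to-1 NAT address, interface) to its IPv4 address string.
    """
    mgmt_ip = mgmt.ip.ip
    return sorted(name for name, addr in other_addresses.items()
                  if ipaddress.IPv4Address(addr) == mgmt_ip)


def check_access(mgmt: ManagementInterface, src_ip: str, service: str) -> tuple:
    """Decide whether a management connection is accepted; returns (allowed, reason)."""
    if not mgmt.status:
        return (False, "management interface disabled")
    if service not in mgmt.allowaccess:
        return (False, f"{service} is not in the allow-access set")
    if mgmt.trust_ip:
        src = ipaddress.IPv4Address(src_ip)
        hit = next((e.name for e in mgmt.trust_list if e.contains(src)), None)
        if hit is None:
            return (False, f"{src_ip} is not on the Management Trust IP Address List")
        return (True, f"allowed by trust entry {hit}")
    return (True, "allowed (TIAC disabled)")


# Constructed sample configuration; IP and allow-access keywords follow the page's CLI sample.
MGMT = ManagementInterface(
    status=True,
    interface="port1",
    ip=ipaddress.IPv4Interface("10.106.129.120/24"),
    allowaccess=frozenset({"https", "ping", "ssh", "snmp", "http", "telnet"}),
    trust_ip=True,
    trust_list=[
        TrustEntry("noc-subnet", subnet=ipaddress.IPv4Network("192.0.2.0/24")),
        TrustEntry("jump-hosts", start=IPv4("198.51.100.10"), end=IPv4("198.51.100.20")),
    ],
)

# Constructed addresses of other objects; snat-pool-1 deliberately reuses the management IP.
OTHER_ADDRESSES = {
    "vs-web": "10.106.129.50",
    "snat-pool-1": "10.106.129.120",
    "port2": "10.106.130.1",
}

if __name__ == "__main__":
    print("conflicting objects:", validate_mgmt_ip(MGMT, OTHER_ADDRESSES))
    for src, svc in [("192.0.2.7", "https"), ("198.51.100.15", "ssh"),
                     ("203.0.113.9", "https"), ("192.0.2.7", "ftp")]:
        print(src, svc, check_access(MGMT, src, svc))
```

Running the block reports snat-pool-1 as a conflict (the page's note says such a reuse breaks the HA functions), accepts HTTPS from the NOC subnet and SSH from inside the jump-host range, and rejects a source outside both entries as well as a service that is not in the allow-access set. Note that the page states the trust list is not synchronized between HA peers, so the same list has to be maintained on each node.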

"Dedicated HA Management IP" vs. "Management Interface"

In pre-FortiADC 4.8.1 releases, the GUI had an option in the interface configuration (Networking > Interface > Add) that allowed you to set an interface as the "Dedicated HA Management IP", which functions exactly the same as the "Management Interface" in 4.8.1. With the 4.8.1 release, that option is removed from the GUI (even though it is still available in the Console) and replaced by the "Management Interface". If you have a dedicated HA management IP configured on a pre-4.8.1 version of FortiADC, we highly recommend that you delete it and then configure a management interface instead, after you've upgraded to 4.8.1. This will help streamline your interface configuration and make system management easier.

All this can be done through FortiADC's Console only. The following instructions show how to delete your old "Dedicated HA Management IP" and configure the "Management Interface" using the Console in FortiADC 4.8.1:

Step 1: Remove the "Dedicated HA Management IP"

Execute the following commands:

config system interface
    edit "port1"
        set dedicate-to-mgmt disable
        unset ip
    next
end

Step 2: Configure the "Management Interface":

Execute the following commands:

config system ha
    set mgmt-status enable
    set mgmt-interface port1
    set mgmt-ip 10.106.129.120/24
    set mgmt-ip-allowaccess https ping ssh snmp http telnet
end
