FortiOS 6.0.6 for FortiOS-6000 and FortiGate-7000 supports in-band management connections to all data interfaces. You can connect to physical interface IP addresses as well as in-band VLAN interfaces and LAGs.
No configuration changes are required to support in-band management, other than setting administrative access settings for the data interface that you want to use to manage the FortiGate-6000 or 7000. Connecting to a data interface for management is the same as connecting to one of the management interfaces. For example, you can log in to the GUI or CLI of the FortiGate-6000 management board or the FortiGate-7000 primary FIM. Administrators with VDOM-level access can log into to their VDOM if they connect to a data interface that is in their VDOM.
Previous versions of FortiOS for FortiGate-6000 and 7000 included the
config system set motherboard-traffic-forwarding command to allow limited in-band management. This command has been removed from FortiOS 6.0.6.
In-band management has the following limitations:
- In-band management does not support using special port numbers to connect to individual FPCs, FIMs, or FPMs. If you have logged in using an in-band management connection, the special management HTTPS port numbers appear on the Security Fabric dashboard widget when you hover over individual FPCs, FIMs, or FPMs. You can click on an FPC, FIM, or FPM in the Security Fabric dashboard widget and select Login to... to log into the GUI of that FPC, FIM, or FPM. This action creates an out-of-band management connection by crafting a URL that includes the IP address of the FortiGate-6000 mgmt1 interface or the FortiGate-7000 mgmt interface, plus the special HTTPS port number required to connect to that FPC, FIM, or FPM.
- The data interfaces must have IPv4 IP addresses, IPv6 in-band management is not supported.
- In-band management connections to the IP address of a VDOM link interface is not supported.
- Large (or jumbo) packets from in-band management sessions are fragmented by the FPCs or FPMs before they are forwarded to the management board or primary (master) FIM.
- SNMP in-band management is not supported.
- VRF routes are not applied to outgoing in-band management traffic.
- Changes made on the fly to administrative access settings are not enforced for in-progress in-band management sessions. The changes apply to new in-band sessions only. For example, if an administrator is using SSH for an in-band management connection and you change the SSH administrative port, that in-band management session can continue. Any out-of-band management sessions would need to be restarted with the new port number. New in-band SSH management sessions need to use the new port number. HTTPS access works the same way; however, HTTPS starts new sessions every time you navigate to a new GUI page. So an on the fly change would affect an HTTPS in-band management session whenever the administrator navigates to a new GUI page.
- In-band management is not supported for connections to data interfaces that are in a transparent mode VDOM.