Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Handbook

Using data interfaces for management traffic

You can set up IPv4 and IPv6 in-band management connections to all FortiGate-6000 data interfaces by setting up administrative access for the data interface that you want to use to manage the FortiGate-6000. For in-band management of a transparent mode VDOM, you must also set up the transparent mode management IP address.

Connecting to a data interface for management is the same as connecting to one of the management interfaces. For example, you can log in to the GUI or CLI of the FortiGate-6000 management board.

Administrators with VDOM-level access can log into to their VDOM if they connect to a data interface that is in their VDOM.

In-band management limitations

In-band management has the following limitations:

  • In-band management does not support using special port numbers to connect to individual FPCs or the management board. If you have logged in using an in-band management connection, the special management HTTPS port numbers appear on the Security Fabric dashboard widget when you hover over individual FPCs. You can click on an FPC in the Security Fabric dashboard widget and select Login to... to log into the GUI of that FPC. This action creates an out-of-band management connection by crafting a URL that includes the IP address of the FortiGate-6000 mgmt1 plus the special HTTPS port number required to connect to that FPC.
  • SNMP in-band management is not supported.
  • VRF routes are not applied to outgoing in-band management traffic.
  • Changes made on the fly to administrative access settings are not enforced for in-progress in-band management sessions. The changes apply to new in-band sessions only. For example, if an administrator is using SSH for an in-band management connection and you change the SSH administrative port, that in-band management session can continue. Any out-of-band management sessions would need to be restarted with the new port number. New in-band SSH management sessions need to use the new port number. HTTPS access works the same way, however, HTTPS starts new sessions every time you navigate to a new GUI page. So an on the fly change would affect an HTTPS in-band management session whenever the administrator navigates to a new GUI page.

Using data interfaces for management traffic

You can set up IPv4 and IPv6 in-band management connections to all FortiGate-6000 data interfaces by setting up administrative access for the data interface that you want to use to manage the FortiGate-6000. For in-band management of a transparent mode VDOM, you must also set up the transparent mode management IP address.

Connecting to a data interface for management is the same as connecting to one of the management interfaces. For example, you can log in to the GUI or CLI of the FortiGate-6000 management board.

Administrators with VDOM-level access can log into to their VDOM if they connect to a data interface that is in their VDOM.

In-band management limitations

In-band management has the following limitations:

  • In-band management does not support using special port numbers to connect to individual FPCs or the management board. If you have logged in using an in-band management connection, the special management HTTPS port numbers appear on the Security Fabric dashboard widget when you hover over individual FPCs. You can click on an FPC in the Security Fabric dashboard widget and select Login to... to log into the GUI of that FPC. This action creates an out-of-band management connection by crafting a URL that includes the IP address of the FortiGate-6000 mgmt1 plus the special HTTPS port number required to connect to that FPC.
  • SNMP in-band management is not supported.
  • VRF routes are not applied to outgoing in-band management traffic.
  • Changes made on the fly to administrative access settings are not enforced for in-progress in-band management sessions. The changes apply to new in-band sessions only. For example, if an administrator is using SSH for an in-band management connection and you change the SSH administrative port, that in-band management session can continue. Any out-of-band management sessions would need to be restarted with the new port number. New in-band SSH management sessions need to use the new port number. HTTPS access works the same way, however, HTTPS starts new sessions every time you navigate to a new GUI page. So an on the fly change would affect an HTTPS in-band management session whenever the administrator navigates to a new GUI page.