
FortiGate-7000 Handbook

Using data interfaces for management traffic

You can set up in-band management connections to all FortiGate-7000 data interfaces by setting up administrative access for the data interface that you want to use to manage the FortiGate-7000. Connecting to a data interface for management is the same as connecting to one of the management interfaces. For example, you can log in to the GUI or CLI of the FortiGate-7000 primary FIM.

Administrators with VDOM-level access can log in to their VDOM if they connect to a data interface that is in their VDOM.

In-band management limitations

In-band management has the following limitations:

  • In-band management does not support using special port numbers to connect to individual FIMs or FPMs. If you have logged in using an in-band management connection, the special management HTTPS port numbers appear on the Security Fabric dashboard widget when you hover over individual FIMs or FPMs. You can click on an FIM or FPM in the Security Fabric dashboard widget and select Login to... to log into the GUI of that FIM or FPM. This action creates an out-of-band management connection by crafting a URL that includes the IP address of the mgmt interface, plus the special HTTPS port number required to connect to that FIM or FPM.
  • The data interfaces must have IPv4 addresses; IPv6 in-band management is not supported.
  • In-band management connections to the IP address of a VDOM link interface are not supported.
  • Large (or jumbo) packets from in-band management sessions are fragmented by the FPMs before they are forwarded to the primary (master) FIM.
  • SNMP in-band management is not supported.
  • VRF routes are not applied to outgoing in-band management traffic.
  • Changes made on the fly to administrative access settings are not enforced for in-progress in-band management sessions. The changes apply to new in-band sessions only. For example, if an administrator is using SSH for an in-band management connection and you change the SSH administrative port, that in-band management session can continue. Any out-of-band management sessions would need to be restarted with the new port number. New in-band SSH management sessions need to use the new port number. HTTPS access works the same way; however, HTTPS starts a new session every time you navigate to a new GUI page, so an on-the-fly change would affect an HTTPS in-band management session as soon as the administrator navigates to a new GUI page.
  • In-band management is not supported for connections to data interfaces that are in a transparent mode VDOM.
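The following FortiOS CLI fragment is an added example, not part of this handbook, that enables in-band management on a data interface as described above and sets the administrative ports referred to in the limitations list. The interface name, IP addresses, trusted subnet and port numbers are assumed values; the commented-out allowaccess line shows the permissive form a practitioner would normally avoid on a data interface.

```text
# Enable in-band management on a data interface (port1 and 10.10.10.1/24 are
# assumed values). The interface needs an IPv4 address, because IPv6 in-band
# management is not supported.
config system interface
    edit "port1"
        set ip 10.10.10.1 255.255.255.0
        # Permissive: every management protocol reachable from the data plane
        # set allowaccess ping http https ssh telnet snmp
        # Scoped: encrypted protocols only (SNMP in-band is unsupported anyway)
        set allowaccess ping https ssh
    next
end

# Restrict which source addresses may open administrative sessions at all
# (assumed management subnet 10.10.20.0/24).
config system admin
    edit "admin"
        set trusthost1 10.10.20.0 255.255.255.0
    next
end

# Changing the administrative ports does not end in-progress in-band sessions;
# only new sessions must use the new values (assumed non-default ports).
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
end
```

After changing the ports, verify from a fresh connection that the data interface answers only on the new HTTPS and SSH ports, since an existing in-band session will keep working and does not confirm the change.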