Fortinet Handbook 6.0.0

Doc ID 4afb0436-a998-11e9-81a4-00505692583a:336158

Management IP configuration

A FortiGate in transparent mode can be assigned a single IP address for remote management access, and multiple static routes can be configured for it. This is the approach to use when in-band management is wanted.

When out-of-band management is desired (dedicated interface for remote management access), it is recommended to use a separate VDOM in NAT mode.

In-band management details and example

The management IP address is bound to all ports or VLANs belonging to the same VDOM. Remote access services are subject to the same rules as in NAT mode and must be enabled or disabled per port with the allowaccess setting.

Example of management IP configuration in transparent mode:

config system settings
    set manageip 10.1.1.100/255.255.255.0
end

config router static
    edit 1
        set gateway 10.1.1.254
    next
end

config system interface
    edit port1
        set allowaccess ping ssh https snmp
    next
end

It is also possible to add a second management IP address and an additional default route for it:

config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end

config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end

The ping-server option (dead gateway detection) is not supported in transparent mode.
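The two examples above rely on an implicit consistency rule: each static-route gateway must sit inside one of the subnets given to manageip, otherwise the route is unusable, and every service listed under allowaccess is reachable by anyone on that port. The following script is an added example, not Fortinet code or part of this handbook. It parses the relevant stanzas of a FortiOS configuration dump (the constructed sample is the second example above with the port1 stanza added), reports which management subnet contains each gateway, and lists interfaces that expose cleartext management services; the set of services treated as cleartext (http, telnet) is this script's own assumption.

```python
"""Sanity-check the management configuration of a transparent-mode FortiGate.

Added example, not Fortinet's code. It parses `config system settings`,
`config router static` and `config system interface` from a FortiOS
configuration dump and checks that every static-route gateway lies inside
one of the management subnets set with `set manageip`.
"""
import ipaddress

# Constructed sample: the handbook's second example plus the port1 stanza.
SAMPLE_CONFIG = """\
config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end
config system interface
    edit port1
        set allowaccess ping ssh https snmp
    next
end
"""

# Assumption of this script: services that carry admin traffic unencrypted.
CLEARTEXT_SERVICES = {"http", "telnet"}


def parse_config(text):
    """Return (management networks, [(route index, gateway)], {iface: services})."""
    networks, gateways, allowaccess = [], [], {}
    section, edit = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            edit = line[len("edit "):]
        elif line in ("next", "end"):
            if line == "end":
                section = None
            edit = None
        elif section == "system settings" and line.startswith("set manageip "):
            for token in line.split()[2:]:
                addr, mask = token.split("/")
                # strict=False accepts a host address (e.g. .136) and yields its subnet.
                networks.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif section == "router static" and line.startswith("set gateway "):
            gateways.append((edit, ipaddress.ip_address(line.split()[2])))
        elif section == "system interface" and line.startswith("set allowaccess "):
            allowaccess[edit] = set(line.split()[2:])
    return networks, gateways, allowaccess


def check_gateways(networks, gateways):
    """Map each route index to the management subnet containing its gateway (None if unreachable)."""
    return {
        idx: next((str(net) for net in networks if gw in net), None)
        for idx, gw in gateways
    }


def cleartext_exposures(allowaccess):
    """Interfaces that enable any cleartext management service, with the offending services."""
    return {
        iface: sorted(services & CLEARTEXT_SERVICES)
        for iface, services in allowaccess.items()
        if services & CLEARTEXT_SERVICES
    }


def audit(text=SAMPLE_CONFIG):
    """Run all checks over one configuration dump and return a report dict."""
    networks, gateways, allowaccess = parse_config(text)
    return {
        "networks": [str(net) for net in networks],
        "gateways": check_gateways(networks, gateways),
        "cleartext": cleartext_exposures(allowaccess),
    }


if __name__ == "__main__":
    report = audit()
    print("management subnets:", ", ".join(report["networks"]))
    for idx, subnet in report["gateways"].items():
        status = f"reachable via {subnet}" if subnet else "NOT in any management subnet"
        print(f"static route {idx}: {status}")
    for iface, services in report["cleartext"].items():
        print(f"{iface}: cleartext management services enabled: {', '.join(services)}")
```

Run against a saved `show full-configuration` dump instead of the sample to verify a live box; a route whose gateway reports None is dead in transparent mode because no management subnet can reach it.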

Out-of-band management details and example

When VDOMs are enabled and operating in transparent mode, it is recommended to keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interfaces dedicated to out-of-band management. This avoids L2 loops and allows more routing flexibility.

The management VDOM must have IP connectivity to the Internet so that the FortiGate can communicate with the FDS and retrieve service information (antivirus, IPS, FortiGuard, FortiCare, etc.). All syslog and FortiManager communication also goes through the management VDOM.
