Management IP configuration
A FortiGate operating in transparent mode can be assigned a management IP address (a second one can be added, as shown below) for remote management access, together with one or more static routes. This is the arrangement to use when management traffic is carried in-band, over the same ports that forward user traffic.
When out-of-band management is wanted (a dedicated interface for remote management, separate from the bridged user traffic), the recommended design is a separate VDOM in NAT mode.
In-band management details and example
The management IP address is bound to all ports and VLANs that belong to the same VDOM. Remote access services (ping, SSH, HTTPS, SNMP, etc.) follow the same rules as in NAT mode: they must be explicitly enabled or disabled on each port with allowaccess, so the management IP only answers on ports where the service is enabled.
Example of management IP configuration in transparent mode:
config system settings
set manageip 10.1.1.100/255.255.255.0
end
config router static
edit 1
set gateway 10.1.1.254
next
end
config system interface
edit port1
set allowaccess ping ssh https snmp
next
end
A second management IP address on a different subnet can be added, with a default route for each subnet:
config system settings
set opmode transparent
set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
edit 1
set gateway 192.168.183.254
next
edit 2
set gateway 10.1.1.254
next
end
ping-server (dead gateway detection) is not supported in transparent mode, so there is no dead gateway detection for these management routes.
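In transparent mode the management IP is the unit's only IP presence, so each static route's gateway must sit on one of the manageip subnets or it can never be reached, and every port that should answer needs the service listed in allowaccess. The following checker, an added example written for this page and not Fortinet code, parses a pasted CLI dump for the three tables used above and reports routes whose gateway is off-link and ports that enable cleartext services (http, telnet are real allowaccess values). SAMPLE_CONFIG is constructed: it is the page's two-address example plus a deliberately wrong third route and a second port with weak services, added so both checks fire.

```python
import ipaddress
import re

# Constructed sample: the page's two-manageip example, plus an extra static
# route (seq 3, gateway on no management subnet) and a second interface with
# cleartext services, added here to exercise the checks.
SAMPLE_CONFIG = """
config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
    edit 3
        set gateway 172.16.0.1
    next
end
config system interface
    edit port1
        set allowaccess ping ssh https snmp
    next
    edit port2
        set allowaccess ping http telnet
    next
end
"""

# allowaccess services that carry credentials in the clear
WEAK_SERVICES = {"http", "telnet"}


def parse_config(text):
    """Extract manageip interfaces, static-route gateways and per-port
    allowaccess sets from a FortiOS CLI dump.  Only the three tables used
    on this page are interpreted; everything else is skipped."""
    manageips, gateways, allowaccess = [], {}, {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line.split(None, 1)[1]
            continue
        if line == "end":          # closes the table (and any open edit)
            section = entry = None
            continue
        if line.startswith("edit "):
            entry = line.split(None, 1)[1]
            continue
        if line == "next":
            entry = None
            continue
        m = re.match(r"set (\S+)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if section == "system settings" and key == "manageip":
            # manageip accepts several "addr/mask" tokens on one line
            for token in value.split():
                manageips.append(ipaddress.ip_interface(token))
        elif section == "router static" and key == "gateway":
            gateways[entry] = ipaddress.ip_address(value)
        elif section == "system interface" and key == "allowaccess":
            allowaccess[entry] = set(value.split())
    return manageips, gateways, allowaccess


def check_management(text):
    """Return a list of findings; an empty list means the in-band
    management configuration is coherent."""
    manageips, gateways, allowaccess = parse_config(text)
    findings = []
    if not manageips:
        findings.append("no manageip set: unit unreachable for in-band management")
    for seq, gw in gateways.items():
        # with no other IP interface, a gateway must be on-link with a manageip
        if not any(gw in mip.network for mip in manageips):
            findings.append(
                f"static route {seq}: gateway {gw} is not on any manageip subnet")
    for port, services in allowaccess.items():
        weak = sorted(services & WEAK_SERVICES)
        if weak:
            findings.append(
                f"{port}: cleartext management services enabled: {', '.join(weak)}")
    if not any(allowaccess.values()):
        findings.append("no port has allowaccess set: manageip answers nowhere")
    return findings


if __name__ == "__main__":
    for finding in check_management(SAMPLE_CONFIG) or ["OK"]:
        print(finding)
```

Feed it the output of `show system settings`, `show router static` and `show system interface` concatenated. The on-link test is the important one: the 192.168.183.254 gateway passes only because the first manageip carries a /23 mask, which is the kind of detail that is easy to get wrong when a second address is added.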
Out-of-band management details and example
When VDOMs are enabled and the traffic-carrying VDOMs operate in transparent mode, keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interfaces in it serving as the out-of-band management path. This avoids creating L2 loops through the bridged VDOMs and gives the management path normal routing flexibility.
The management VDOM must have IP connectivity to the Internet so the unit can reach the FDS (FortiGuard Distribution Servers) and retrieve service information (antivirus and IPS updates, FortiGuard, FortiCare, etc.). All syslog and FortiManager communication also goes through the management VDOM.