
Administration Guide

Transparent mode management


In transparent mode, you can assign a single IP address to the FortiProxy for remote management access and configure multiple static routes for in-band management. When out-of-band management is required, it is recommended to configure a dedicated management interface.

The management interface supports only the following protocols for outgoing traffic: SNMP, NTP, LOG, RADIUS, FTP, TFTP, Telnet. To allow the management interface to handle outgoing traffic with an unsupported protocol, you must configure multiple VDOMs and dedicate the root VDOM to management traffic. That means assigning the management interface to the root VDOM and keeping all other interfaces, which carry in-band traffic, in user VDOMs.

In-band management

The management IP address is bound to all ports or VLANs that belong to the same bridge group. Remote access services are subject to the same rules as in NAT mode, and must be enabled on each interface.

To configure the management IP address:

config system settings
    set opmode transparent
    set manageip 10.1.1.100/255.255.255.0
end
config router static
    edit 1
        set gateway 10.1.1.254
    next
end
config system interface
    edit port1
        set allowaccess ping ssh https snmp
    next
end

To add a second IP address for management and additional default routes:

config system settings
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end
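
The following check is an added example, not part of the Fortinet guide: it parses a configuration like the one above and reports static routes whose gateway does not fall inside any `manageip` subnet, on the assumption that a next hop must be on-link to be usable for in-band management. The function names and the third route (`edit 3`) are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's two-address in-band configuration, plus one
# off-subnet gateway (edit 3) added here so the check has something to report.
SAMPLE_CONFIG = """\
config system settings
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
    edit 3
        set gateway 172.16.0.1
    next
end
"""

def management_networks(config):
    """Subnets named by 'set manageip', as ip_network objects."""
    return [ipaddress.ip_interface(addr).network
            for line in config.splitlines()
            if line.split()[:2] == ["set", "manageip"]
            for addr in line.split()[2:]]

def static_gateways(config):
    """Return {route id: gateway} for entries under 'config router static'."""
    gateways, in_static, route_id = {}, False, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["config", "router", "static"]:
            in_static = True
        elif words == ["end"]:
            in_static = False
        elif in_static and words[:1] == ["edit"]:
            route_id = words[1]
        elif in_static and words[:2] == ["set", "gateway"]:
            gateways[route_id] = ipaddress.ip_address(words[2])
    return gateways

def unreachable_gateways(config):
    """Route ids whose gateway is not on-link for any management subnet."""
    nets = management_networks(config)
    return [rid for rid, gw in static_gateways(config).items()
            if not any(gw in net for net in nets)]
```

Calling `unreachable_gateways(SAMPLE_CONFIG)` flags only the constructed route 3; the two gateways from the guide each sit inside one of the two management subnets.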

Out-of-band management

When an interface is dedicated to management purposes only, it is removed from the default switch group and becomes an isolated routing port. When the FortiProxy is running in transparent mode, it is recommended that one physical interface be kept as an out-of-band management interface to avoid layer 2 loops and allow for more routing flexibility.

The management interface must have IP connectivity to the management and monitoring network subnets.

To dedicate an interface to management:
  1. Dedicate the interface to management:

    config system interface
        edit port2
            set dedicated-to management
            set ip 192.168.1.10 255.255.255.0
            set allowaccess ping ssh https snmp
        next
    end
  2. Configure static routes to the management and monitoring subnets:

    config router static
        edit 1
            set gateway 192.168.183.254
        next
        edit 2
            set dst 172.18.1.0 255.255.255.0
            set gateway 192.168.1.10
            set device "port2"
            set comment "To_MGMT_Monitoring_subnets"
        next
    end
