Transparent mode management
In transparent mode, you can assign a single IP address to the FortiProxy for remote management access and configure multiple static routes for in-band management. When out-of-band management is required, it is recommended to configure a dedicated management interface.
The management interface supports only the following protocols for outgoing traffic: SNMP, NTP, LOG, RADIUS, FTP, TFTP, Telnet. To allow the management interface to handle outgoing traffic with an unsupported protocol, you must configure multiple VDOMs and dedicate the root VDOM to management traffic. That is, assign the management interface to the root VDOM and keep all other interfaces, which carry in-band traffic, in user VDOMs.
In-band management
The management IP address is bound to all ports or VLANs that belong to the same bridge group. Remote access services are subject to the same rules as in NAT mode, and must be enabled on each interface.
To configure the management IP address:
    config system settings
        set opmode transparent
        set manageip 10.1.1.100/255.255.255.0
    end
    config router static
        edit 1
            set gateway 10.1.1.254
        next
    end
    config system interface
        edit port1
            set allowaccess ping ssh https snmp
        next
    end
To add a second IP address for management and additional default routes:
    config system settings
        set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
    end
    config router static
        edit 1
            set gateway 192.168.183.254
        next
        edit 2
            set gateway 10.1.1.254
        next
    end
Out-of-band management
When an interface is dedicated to management purposes only, it is removed from the default switch group and becomes an isolated routing port. When the FortiProxy is running in transparent mode, it is recommended that one physical interface be kept as an out-of-band management interface to avoid layer 2 loops and allow for more routing flexibility.
The management interface must have IP connectivity to the management and monitoring network subnets.
To dedicate an interface to management:
- Dedicate the interface to management:
    config system interface
        edit port2
            set dedicated-to management
            set ip 192.168.1.10 255.255.255.0
            set allowaccess ping ssh https snmp
        next
    end
- Configure static routes to the management and monitoring subnets:
    config router static
        edit 1
            set gateway 192.168.183.254
        next
        edit 2
            set dst 172.18.1.0 255.255.255.0
            set gateway 192.168.1.10
            set device "port2"
            set comment "To_MGMT_Monitoring_subnets"
        next
    end
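
To review which interfaces accept management access after applying the settings above, a saved configuration can be checked offline. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax shown on this page, reports each interface's allowaccess services and whether it is dedicated to management, and records any set statement that falls outside an edit entry. The sample text and the function names parse_table and management_exposure are constructed for illustration.

```python
import shlex

# Constructed sample in the page's CLI syntax; not taken from a real device.
SAMPLE = """\
config system interface
    edit port1
        set allowaccess ping ssh https snmp
    next
    edit port2
        set dedicated-to management
        set allowaccess ping ssh https snmp
    next
    edit port3
        set ip 10.2.2.1 255.255.255.0
    next
end
"""

def parse_table(text, path):
    """Parse one 'config <path>' table into ({entry: {key: [values]}}, errors).
    Assumption: nested config blocks inside an entry are not handled."""
    entries, errors, in_block, current = {}, [], False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            in_block, current = " ".join(tok[1:]) == path, None
        elif not in_block:
            continue
        elif tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif tok[0] == "set" and len(tok) > 1:
            if current is None:  # e.g. a 'set' left behind after a stray 'next'
                errors.append(f"line {lineno}: 'set {tok[1]}' outside any edit entry")
            else:
                current[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            in_block, current = tok[0] == "next", None
    return entries, errors

def management_exposure(text):
    """Map interface -> (sorted allowaccess services, dedicated to management?)."""
    entries, errors = parse_table(text, "system interface")
    report = {}
    for name, kv in entries.items():
        services = sorted(kv.get("allowaccess", []))
        if services:  # only interfaces that accept management access
            report[name] = (services, kv.get("dedicated-to") == ["management"])
    return report, errors
```

An interface that appears in the report with the dedicated flag set to False is reachable for management in-band, which should match the intended design for that port.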