FortiGate Out-of-Band Management

In some situations, you want to manage your firewall only from a dedicated management network and not through any of the data interfaces. For example, when you’re running an internal data center with no Internet access at all but your firewalls must still be able to get updates from the Internet. In those situations, you need a real out-of-band (OoB) management interface from which all management traffic (DNS, NTP, Syslog, Updates, RADIUS, …) is sourced and to which the admins can connect via SSH/HTTPS. Another example is a strict separation of data and management traffic. For example, some customers want any kind of management traffic to traverse different routing/firewall devices than their production traffic.

Unfortunately, the Fortinet FortiGate firewalls don’t have a reasonable management port. Their so-called “MGMT” port is only able to limit the access of incoming traffic but is not able to source outgoing traffic by default. Furthermore, in an HA environment you need multiple ports to access the firewalls independently. What a mess. (Little exception: You can use the set ha-direct enable option in the HA setup which sources *some* but not all protocols from the Mgmt interface. But only when you’re using an HA scenario. Reference.)

A functional workaround is to add another VDOM solely for management. From this VDOM, all management traffic is sourced. To have access to all firewalls in a high availability environment, a second (!) interface within this management VDOM is necessary. Here we go:

An out-of-band management is a completely separated management plane with its own interface and default route FROM which all management traffic is sourced solely and TO which all admin accesses are destined. A data interface that is part of the normal routing process and only limits incoming connections from “management stations” is NOT an out-of-band management.

Note that there are other firewalls that implement that kind of OoB management such as the firewalls from Palo Alto Networks with their real dedicated management plane with its own interface and default route. This is a really good example of a clearly separated management and data plane. Don’t know why Fortinet isn’t able to do it the same way.

From my point of view it’s really stupid to call a port “MGMT” and to even have multiple “Dedicated Management Port” and “Management Interface Reservation” options when those possibilities are not well designed at all.

Workaround

The following workaround is for having a separated management VDOM that completely isolates all management traffic from the data interfaces. A picture is worth a thousand words:


That is:

  • Enable virtual domains and create another VDOM for your management. I called it “mgmt-vdom-x” just to have it distinguishable.
  • Select this VDOM as your management VDOM, e.g., by clicking the “Switch Management” button in the GUI at Global -> System -> VDOM.
  • Move the MGMT port to this management-VDOM and select “Dedicated Management Port” (just for fun, you don’t need it here). Configure static default routes for both Internet protocols. From now on, all outgoing connections from the FortiGate are sourced from this interface. Good so far.
  • If you want to access both firewalls in an HA environment independently you cannot use this MGMT port for incoming connections (SSH/HTTPS/…). What a shit. Hence:
  • Move a second port to this management-VDOM and within the HA section select it as “Management Interface Reservation” with appropriate route statements. I used “port2” for this.
  • Configure different IP addresses (within the same prefix/subnet) on that second port on all involved firewalls.

To sum it up:

  1. The MGMT port is now used by the firewall for outgoing connections.
  2. The second port with different IP addresses on all firewalls is used by the admins to connect to those firewalls via SSH/HTTPS/SNMP.
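As an added example (not the author’s own CLI listing from the post), this is how the steps above look as a FortiOS 5.6 configuration. It assumes VDOMs are already enabled; the prefixes and the ::1/.1 gateways are those from the post, while the host addresses and the choice of port2 for admin access are assumptions.

```fortios
# Constructed example; prefixes/gateways from the post, host addresses assumed.
config vdom
    edit "mgmt-vdom-x"                     # the dedicated management VDOM
    next
end
config global
    config system global
        set management-vdom "mgmt-vdom-x"  # "Switch Management" in the GUI
    end
    config system interface
        edit "mgmt"                        # sources all outgoing mgmt traffic
            set vdom "mgmt-vdom-x"
            set ip 192.168.31.10 255.255.255.0
            config ipv6
                set ip6-address 2003:de:2016:331::10/64
            end
        next
        edit "port2"                       # per-unit admin access, not synced
            set ip 192.168.31.11 255.255.255.0   # e.g. .12 on the second unit
            set allowaccess ping https ssh snmp
        next
    end
    config system ha
        set ha-mgmt-status enable          # "Management Interface Reservation"
        config ha-mgmt-interfaces
            edit 1
                set interface "port2"
                set gateway 192.168.31.1
                set gateway6 2003:de:2016:331::1
            next
        end
    end
end
config vdom
    edit "mgmt-vdom-x"
        config router static               # default routes out of the mgmt VDOM
            edit 1
                set gateway 192.168.31.1
                set device "mgmt"
            next
        end
        config router static6
            edit 1
                set gateway 2003:de:2016:331::1
                set device "mgmt"
            next
        end
    next
end
```

The port2 address has to be set on each cluster member separately, since the HA management interface settings are not synchronized between the units.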

Guide

To get an idea I have a couple of screenshots and listings for you. As always, it is crappy to configure FortiGate firewalls because the GUI does not show everything (such as IPv6 related configs) while the CLI is completely crowded with unused commands. I am using a FG-100D with FortiOS v5.6.4 build1575 (GA). My prefix/subnet for the management VDOM is 2003:de:2016:331::/64 and 192.168.31.0/24. The internal default router (not on the FortiGate but in the upstream data center) has the ::1 and .1 IP addresses.

And here are those code snippets from the CLI. Note that port2 has the set vdom "root" command shown, which seems to be the way FortiGate handles the port that is used for “Management Interface Reservation” in the HA section.

That’s it. Working but ugly. Hopefully, Fortinet will move to real out-of-band management such as Palo Alto Networks one day…

Featured image “US-Prozess zu Abgas-Skandal: VW-Manager legt Geständnis ab” by Marco Verch is licensed under CC BY 2.0.

11 thoughts on “FortiGate Out-of-Band Management”

  1. Use the vdom root for management and use other vdom for traffic (data plane)

  2. That’s a very interesting article. FortiGate is really a pain when it comes to dedicated management. Also there is not much precise and/or understandable documentation. The best I could find was someone trying to explain what he found out in the Fortinet forums: https://forum.fortinet.com/tm.aspx?m=157203

  3. I’ve accomplished this in a data center by putting an extra firewall in the rack into which all FortiGate and FortiSwitch mgt ports are connected. VPN to that “side door” firewall and you’ve got direct access to all devices for out of band management.

  4. Hello Johannes,

    Thank you for the great article.
    In the description you are pointing out the following: ‘Move the second port (port2) to this management-VDOM (mgmt-vdom-x)’. But in the config, port2 is assigned to the VDOM root. Is it correct that port2 can stay in the root VDOM, or should it really be moved to mgmt-vdom-x?

    edit "port2"
    set vdom "root"

    Thanks :)

    1. Hey paulzir. Yes, that looks weird. I don’t have this setup working right now anymore, so I can’t look it up. However, just before the CLI section above, I wrote the following sentence: “Note that port2 has the set vdom “root” command shown, which seems to be the way FortiGate handles the port that is used for “Management Interface Reservation” in the HA section.” –> Hence I believe that I was aware of this misleading configuration command.

      Have you tried that configuration? With which VDOM config is it working?

    2. What is happening is that when you set a port as “dedicated-to-management” in the HA configuration, this port is assigned to a hidden VDOM named “vsys_hamgmt”…
      You can enter this VDOM with the command: #execute enter vsys_hamgmt

  5. Hi Johannes

    I’m confused by your statements above that say:
    “Their so-called “MGMT” port is …etc,etc…….but is not able to source outgoing traffic by default”
    but then you say
    “The MGMT port is now used by the firewall for outgoing connections.”

    Also, has the situation you have described now been fixed? This article appears to suggest the dedicated MGMT interface can be used for inbound/outbound monitoring and connectivity to the Internet:
    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-dedicated-management-interface-for/ta-p/228972

  6. Hi,

    Great explanation. I have two questions:

    1. Can we use the MGMT port as an HA-reserved management port?

    2. If there are no VDOMs, can we use the MGMT port for all the traffic and for the HTTPS and SSH access?

    1. Hey ashraf,

      1) AFAIK this is NOT possible. I think this is exactly the point why I had to use two different ports on this proposed design here. (But maybe I’m wrong? Have you tried it by yourself in the meantime?) I’m talking to a Fortinet SE right now. He’s not sure either. Please give it a try. ;D

      2) Yes. The MGMT port is independent of VDOMs. If you set the “dedicated management port”, you can’t use this port for data traffic anymore though (recommended). Does this answer your question? (I’m not quite sure whether I got it right.)
