FortiGate
jangelis
Staff
Article Id 193539
Description
This article explains how to use out-of-band management on a standalone unit without using VDOMs.

The unit should use a dedicated management interface for management, and all management traffic should reach the Internet through this management interface.

The unit is a standalone unit (not in HA), and the use of multiple VDOMs (split-task VDOM) is not intended.


Solution
The solution is to use different VRFs (Virtual Routing and Forwarding) for management and for the traffic.

Each FortiGate unit can use several VRFs. By default, all interfaces and routes are in VRF 0.
This also applies to the management traffic.


When the management traffic must be routed through a different gateway than the normal traffic, separate VRFs can be used for the two.

This must be configured in CLI.

The management interface should stay in VRF 0, and all other interfaces that are used for traffic should be configured in another VRF (for example, VRF 1).
# config system interface
    edit wan1
        set vrf 1
    next
    edit port1
        set vrf 1
    next
end

Then two default routes can be configured:

# config router static
    edit 1
        set gateway 10.10.10.254
        set device "mgmt"
    next
    edit 2
        set gateway 92.0.2.1
        set device "wan1"
    next
end
The output of the routing table:
FGT # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.10.10.254, mgmt
C       10.10.10.0/24 is directly connected, mgmt


Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 92.0.2.1, wan1
C       92.0.2.0/24 is directly connected, wan1
C       192.168.1.0/24 is directly connected, port1
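As an added verification step that is not part of the original article: the following Python script parses the output of 'get router info routing-table all', groups the routes by VRF, and reports any interface that ended up in the wrong VRF (a traffic interface still in the management VRF, or the management interface leaking into the traffic VRF). The sample output is constructed from the routing table shown above, and the interface names mgmt, wan1 and port1 are taken from this article.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the routing table shown in this article.
SAMPLE_OUTPUT = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.10.10.254, mgmt
C       10.10.10.0/24 is directly connected, mgmt

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 92.0.2.1, wan1
C       92.0.2.0/24 is directly connected, wan1
C       192.168.1.0/24 is directly connected, port1
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)\s*$")
# Matches "S*  0.0.0.0/0 [10/0] via 10.10.10.254, mgmt" as well as
# "C   10.10.10.0/24 is directly connected, mgmt"; a trailing field after
# the device name (as printed by some FortiOS versions) is tolerated.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?\*?)\s+(?P<prefix>\S+/\d+)\s+.*?,\s*"
    r"(?P<device>[^\s,\[]+)(?:,.*)?\s*$"
)

def parse_routing_table(text):
    """Return {vrf: [(code, prefix, device), ...]} from the CLI output."""
    tables, vrf = defaultdict(list), None
    for line in text.splitlines():
        m = VRF_HEADER.match(line)
        if m:
            vrf = int(m.group(1))      # routes that follow belong to this VRF
            continue
        m = ROUTE_LINE.match(line)
        if m and vrf is not None:      # legend and blank lines do not match
            tables[vrf].append((m["code"], m["prefix"], m["device"]))
    return dict(tables)

def check_oob_separation(tables, mgmt_device="mgmt", mgmt_vrf=0):
    """Return findings; an empty list means management is isolated as intended."""
    findings, mgmt_routes = [], tables.get(mgmt_vrf, [])
    if not any(p == "0.0.0.0/0" and d == mgmt_device for _, p, d in mgmt_routes):
        findings.append(f"VRF {mgmt_vrf}: no default route via {mgmt_device}")
    for _, prefix, device in mgmt_routes:
        if device != mgmt_device:      # traffic interface left in management VRF
            findings.append(f"VRF {mgmt_vrf}: {prefix} via {device}")
    for vrf, routes in tables.items():
        for _, prefix, device in routes:
            if vrf != mgmt_vrf and device == mgmt_device:   # mgmt leaked out
                findings.append(f"VRF {vrf}: {prefix} via {device}")
    return findings
```

Run check_oob_separation(parse_routing_table(output)) against the output of your own unit; any finding means an interface is still missing its 'set vrf' setting.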

Related Articles

Technical Note: OSPF Support for multiple virtual routing and forwarding VRFs