
Configuring Fortinet Firewall Outbound Management: Cisco Mgmt VRF Equivalent

If you’re familiar with Cisco’s Management VRF, where management traffic is isolated into a separate routing domain, you might wonder how to achieve a similar setup on a Fortinet FortiGate firewall. Fortinet doesn’t have a direct “Management VRF” equivalent, but it offers flexible options like VDOMs, interface configurations, and routing policies to achieve outbound management separation. Here’s how to configure it, with NTP handled by a non-management interface and license updates, SNMP, backups, and syslog routed through a management interface—plus whether you need a VDOM.

– **Non-Management (NTP):** Sourced from a data interface (e.g., port1).
– **Management (License Updates, SNMP, Backup, Syslog):** Sourced from a dedicated management interface (e.g., mgmt or port2).
– **Minimize complexity:** Avoid VDOMs if possible, but use them if required.

1. **FortiGate Management Interface:** The dedicated “mgmt” port (or any interface you designate) can handle inbound admin access (SSH/HTTPS) and some outbound traffic, but it’s limited by default for standalone units. In HA setups, it can be enhanced with `set ha-direct enable`.
2. **VDOMs:** Virtual Domains split the FortiGate into logical firewalls, each with its own routing table—similar to VRFs. They’re optional for this setup unless you need strict isolation.
3. **Source IP Options:** FortiOS allows you to specify source IPs for services like NTP, SNMP, and syslog, giving you control over outbound traffic without always needing VDOMs.
4. **Routing:** Static routes or policy-based routing (PBR) can direct traffic out specific interfaces.

If your environment doesn’t demand strict separation (like a Cisco VRF), you can configure this on a standalone FortiGate without VDOMs:

1. Assign Interfaces

– **Management Interface (e.g., mgmt or port2):** Assign an IP (e.g., `192.168.100.2/24`) and connect it to your management network.
– **Non-Management Interface (e.g., port1):** Assign an IP (e.g., `10.10.10.1/24`) and connect it to your data network.

2. Configure NTP

Use the non-management interface (port1) as the source:

```
config system ntp
    set ntpsync enable
    set server "pool.ntp.org"
    set source-ip 10.10.10.1
end
```

Add a static route for NTP traffic:

```
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.10.254  # Upstream gateway for port1
        set device "port1"
    next
end
```

3. Configure Management Services (License Updates, SNMP, Syslog, Backup)

  • License Updates (FortiGuard): By default, FortiGuard uses the interface with a route to Fortinet’s servers. Force it to use the mgmt interface:

```
config system fortiguard
    set source-ip 192.168.100.2
end
```
  • SNMP: Enable the SNMP agent and allow SNMP on the management interface (use `append` so the existing HTTPS/SSH admin access is kept; `set allowaccess snmp` would replace the whole list and lock you out):

```
config system snmp sysinfo
    set status enable
end
config system interface
    edit "mgmt"
        # "set allowaccess" overwrites the list; "append" adds snmp alongside https/ssh
        append allowaccess snmp
    next
end
```
  • Syslog: Set the source IP to the mgmt interface:

```
config log syslogd setting
    set status enable
    set server "192.168.100.10"  # Syslog server IP
    set source-ip 192.168.100.2
end
```
  • Backup (e.g., to FortiManager or FTP): Specify the source IP:

```
config system backup
    set source-ip 192.168.100.2
end
```
  • Add a static route for management traffic:

```
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.100.254  # Upstream gateway for mgmt
        set device "mgmt"
        # A lower priority value is preferred. Both default routes have the same distance,
        # so both stay installed; the port1 route (default priority) wins destination lookups.
        set priority 10
    next
end
```

4. Policy Routing (Optional)

If routing alone doesn’t enforce separation, use PBR to force NTP out port1 and management services out mgmt:

```
config router policy
    edit 1
        set input-device "port1"
        set src "10.10.10.1/32"
        set dst "0.0.0.0/0"
        # "protocol" is the IP protocol number (17 = UDP); the NTP port belongs in start-port/end-port
        set protocol 17
        set start-port 123
        set end-port 123
        set output-device "port1"
    next
    edit 2
        set input-device "mgmt"
        set src "192.168.100.2/32"
        set dst "0.0.0.0/0"
        set output-device "mgmt"
    next
end
```

Setup With VDOMs (For Strict Isolation)

If you need Cisco VRF-like separation (e.g., for compliance or multi-tenancy), use VDOMs:

1. Enable VDOMs

```
config system global
    # FortiOS 6.2 and later; older releases used "set vdom-admin enable"
    set vdom-mode multi-vdom
end
```

2. Create VDOMs

  • mgmt-vdom: For license updates, SNMP, syslog, and backups.
  • data-vdom: For NTP and data traffic.

```
config vdom
    edit mgmt-vdom
        config system settings
            set opmode nat
        end
    next
    edit data-vdom
        config system settings
            set opmode nat
        end
    next
end
```

3. Assign Interfaces

Move mgmt to mgmt-vdom and port1 to data-vdom (in multi-VDOM mode, interfaces are configured under `config global`):

```
config global
    config system interface
        edit "mgmt"
            set vdom "mgmt-vdom"
            set ip 192.168.100.2 255.255.255.0
            set allowaccess ping https ssh snmp
        next
        edit "port1"
            set vdom "data-vdom"
            set ip 10.10.10.1 255.255.255.0
        next
    end
end
```

4. Configure Services

  • NTP sourced from data-vdom (NTP itself is a global setting in multi-VDOM mode, so it is configured under `config global`; the route lives in data-vdom):

```
config global
    config system ntp
        set ntpsync enable
        set server "pool.ntp.org"
        set source-ip 10.10.10.1
    end
end
config vdom
    edit data-vdom
        config router static
            edit 1
                set gateway 10.10.10.254
                set device "port1"
            next
        end
    next
end
```
  • Management Services in mgmt-vdom (FortiGuard, syslog and SNMP settings are global in multi-VDOM mode; the route lives in mgmt-vdom):

```
config global
    config system fortiguard
        set source-ip 192.168.100.2
    end
    config log syslogd setting
        set status enable
        set server "192.168.100.10"
        set source-ip 192.168.100.2
    end
    config system snmp sysinfo
        set status enable
    end
end
config vdom
    edit mgmt-vdom
        config router static
            edit 1
                set gateway 192.168.100.254
                set device "mgmt"
            next
        end
    next
end
```

5. Designate Management VDOM

Set mgmt-vdom as the management VDOM for system-wide services:

```
config system global
    set management-vdom "mgmt-vdom"
end
```

Do You Need a VDOM?

  • No: If your setup is simple and you can rely on source IP settings and routing, skip VDOMs. It’s less overhead and easier to manage.
  • Yes: If you need strict isolation (like Cisco VRF), multiple tenants, or separate routing tables, use VDOMs. It’s more complex but mimics VRF functionality.

Verification

  • Test NTP: Run `execute traceroute pool.ntp.org` from data-vdom or port1.
  • Test Syslog: Check that logs arrive on your syslog server.
  • Test SNMP: Query the mgmt IP with an SNMP tool.
  • Test FortiGuard: Run `execute update-now` and verify that license updates work.
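As an added example (not part of the original post or any Fortinet tooling), the following Python audit parses a FortiOS config export and checks the two things the non-VDOM setup and verification steps above depend on: that each service’s `source-ip` sits on the intended interface, and that the management interface still allows HTTPS/SSH (a bare `set allowaccess snmp` replaces the whole list). The `parse_fortios` and `audit` functions and the embedded config sample are constructed for this example.

```python
# Constructed sample export (not from a real device) in which mgmt's allowaccess ended up as snmp only
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 192.168.100.2 255.255.255.0
        set allowaccess snmp
    next
    edit "port1"
        set ip 10.10.10.1 255.255.255.0
    next
end
config system ntp
    set source-ip 10.10.10.1
end
config system fortiguard
    set source-ip 192.168.100.2
end
config log syslogd setting
    set source-ip 192.168.100.2
end
"""
def parse_fortios(text):
    """'config X' / 'edit Y' open a nested dict; 'set K V...' stores V as a token list."""
    cur, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("config ", "edit ")):
            stack.append(cur)
            cur = cur.setdefault(line.split(" ", 1)[1].strip('"'), {})
        elif line.startswith("set "):
            k, _, v = line[4:].partition(" ")
            cur[k] = [t.strip('"') for t in v.split()]
        elif line in ("next", "end"):
            cur = stack.pop()
    return cur  # back at the root after the final 'end'

def audit(text, mgmt_if="mgmt", data_if="port1"):
    """Return findings: a service's source-ip on the wrong interface, or mgmt without admin access."""
    cfg = parse_fortios(text)
    ifaces = cfg["system interface"]
    mgmt_ip, data_ip = ifaces[mgmt_if]["ip"][0], ifaces[data_if]["ip"][0]
    expected = {"system ntp": data_ip, "system fortiguard": mgmt_ip, "log syslogd setting": mgmt_ip}
    findings = []
    for path, want in expected.items():
        got = cfg.get(path, {}).get("source-ip", ["<unset>"])[0]
        if got != want:
            findings.append(f"{path}: source-ip {got}, expected {want}")
    access = set(ifaces[mgmt_if].get("allowaccess", []))
    if not {"https", "ssh"} & access:  # "set allowaccess" overwrites; "append allowaccess" keeps the rest
        findings.append(f"{mgmt_if}: allowaccess {sorted(access)} lost admin access")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a `show full-configuration` export of your own unit; an empty list means the source-IP split matches the design above.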

Notes

  • FortiGate’s “mgmt” port isn’t a true out-of-band interface by default in standalone mode. For HA setups, enabling `set ha-direct enable` can source more services from it.
  • Firmware matters—commands like `source-ip` for FortiGuard were added in later FortiOS versions (e.g., 6.2+). Check your version (I assume 7.0+ here).

This setup gives you a Cisco-like management separation without overcomplicating things. Adjust IPs and interfaces to your environment, and let me know if you need tweaks!
