nalexiou
Staff & Editor
October 1, 2024

Technical Tip: Differences of In-band and Out-of-band management for FortiGate cluster

Description
This article describes the differences between the two solutions for managing every cluster member individually.
Scope
FortiGate.
Solution

When individual access to every cluster member is needed, two options are available. The first is in-band management, described here: in-band-management.

This feature allows an IP to be configured on an interface without being synchronized among the cluster members. The advantage of this option is that the interface can still be used for other (pass-through) traffic, not just for HA management traffic.

The management IP must belong to the same subnet as the interface IP.

Configuration example:

FortiGate-A (Primary):

config system interface
    edit port1
        set management-ip 172.27.10.5 255.255.255.0  <----- Not synced between the cluster members.
        set ip 172.27.10.7 255.255.255.0  <----- Synced between the cluster members.
        set allowaccess https ssh snmp http
    next
end

FortiGate-B (Secondary):

config system interface
    edit port1
        set management-ip 172.27.10.6 255.255.255.0  <----- Not synced between the cluster members.
        set ip 172.27.10.7 255.255.255.0  <----- Synced between the cluster members.
        set allowaccess https ssh snmp http
    next
end

Configuring a management-ip on an interface does not alter local-out traffic behavior. All locally generated traffic continues to use the IP address configured under 'set ip' as its source, not the IP defined under 'set management-ip'.
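As an added consistency check (not part of this article or of FortiOS), the following Python parses 'config system interface' blocks from each member and verifies the in-band constraints stated above: every member has its own management-ip, it lies in the interface subnet, it differs from the synced 'set ip' address, and no two members share it. The member configs are constructed for the example; FortiGate-B's management-ip is deliberately placed in the wrong subnet so the check has something to report.

```python
import ipaddress
import re

# Constructed sample member configs (not taken from a real device). FortiGate-A mirrors
# the article's in-band example; FortiGate-B's management-ip is deliberately wrong.
MEMBER_CONFIGS = {
    "FortiGate-A": """
config system interface
    edit port1
        set management-ip 172.27.10.5 255.255.255.0
        set ip 172.27.10.7 255.255.255.0
    next
end
""",
    "FortiGate-B": """
config system interface
    edit port1
        set management-ip 172.27.11.6 255.255.255.0
        set ip 172.27.10.7 255.255.255.0
    next
end
""",
}

# Matches 'set ip <addr> <mask>' and 'set management-ip <addr> <mask>' lines.
_SET_RE = re.compile(r"^\s*set (management-ip|ip) (\S+) (\S+)\s*$", re.M)


def parse_port(config: str) -> dict:
    # Returns {'ip': IPv4Interface, 'management-ip': IPv4Interface} for the block.
    return {key: ipaddress.IPv4Interface(f"{addr}/{mask}")
            for key, addr, mask in _SET_RE.findall(config)}


def check_inband(configs: dict) -> list:
    # Returns one finding per violated in-band management constraint.
    findings, seen_mgmt = [], {}
    for member, cfg in configs.items():
        port = parse_port(cfg)
        ip, mgmt = port["ip"], port.get("management-ip")
        if mgmt is None:
            findings.append(f"{member}: no management-ip, member cannot be reached individually")
            continue
        if mgmt.network != ip.network:  # the article's same-subnet requirement
            findings.append(f"{member}: management-ip {mgmt} is outside interface subnet {ip.network}")
        if mgmt.ip == ip.ip:  # management-ip must not collide with the synced IP
            findings.append(f"{member}: management-ip equals the synced interface IP {ip.ip}")
        if mgmt.ip in seen_mgmt:  # each member needs a distinct management-ip
            findings.append(f"{member}: management-ip {mgmt.ip} duplicates {seen_mgmt[mgmt.ip]}")
        seen_mgmt[mgmt.ip] = member
    return findings
```

Run check_inband() over 'show system interface port1' output collected from each member before cutting over to in-band management; an empty list means the constraints hold.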

 

The second option is out-of-band management, described here: Out-of-band management with reserved management interfaces.

With this option, an interface is reserved for cluster management and cannot carry any pass-through traffic. The interface(s) reserved for HA management are isolated from the cluster configuration: none of their settings are synced to the other cluster members. This interface can also be used for local-out traffic by enabling the ha-direct option.

 

Configuration example:

FortiGate-A (Primary) and FortiGate-B (Secondary):

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port1
            set gateway 172.27.10.253
        next
    end
end

FortiGate-A (Primary):

config system interface
    edit port1
        set ip 172.27.10.5 255.255.255.0  <----- Not synced between the cluster members.
        set allowaccess https ping ssh
    next
end

FortiGate-B (Secondary):

config system interface
    edit port1
        set ip 172.27.10.6 255.255.255.0  <----- Not synced between the cluster members.
        set allowaccess https ping ssh
    next
end

Choose the solution that best fits the requirements of each environment.