Staff

Technical Tip: Enable GUI access to secondary unit in FortiGate HA cluster using a reserved management interface

Forum|Forum|2 months ago
March 26, 2026
0 replies
1163 views

Description	This article describes how to configure a reserved management interface on the primary FortiGate in an Active-Passive High Availability (HA) cluster to enable direct GUI access to the secondary unit. This setup allows administrators to manage the secondary device independently using a dedicated management IP address.
Scope	FortiGate Active-Passive HA clusters where direct management access to the secondary unit is required without relying on the primary unit’s HA management CLI.
Solution	After an HA cluster is configured, the secondary unit typically loses direct GUI access because its management IP is no longer active. The management interface reservation feature resolves this by assigning a dedicated management IP to a physical interface on the secondary unit, allowing it to be reached directly regardless of its HA role. To enable GUI access to the secondary unit, configure a management interface reservation on the primary unit. This reserves a physical interface on the secondary unit with a dedicated IP address that remains active and accessible even when the unit is in standby mode. Configure management interface reservation on the primary unit: Log in to the primary FortiGate GUI. Go to System -> HA. Locate the cluster configuration and select Edit. In the Management Interface Reservation section, select + to add a new reservation. Specify the Interface to be used for management on the secondary unit. Define the Gateway and Destination subnet for the management network. The gateway IP address is typically the IP address assigned to the secondary unit's interface. Select OK to save the configuration. If the interface on the secondary unit is already configured with an IP address, the reservation takes effect immediately, and the secondary unit becomes accessible via that IP address. If the interface on the secondary unit does not have an IP address configured, it must be configured either directly on the secondary unit or through the primary unit's CLI. Configure the secondary unit interface via the CLI: Access the secondary unit through the primary unit’s CLI to configure the management interface. On the primary unit, open the CLI console. Identify the index of the secondary unit by running the following command: execute ha manage ? execute ha manage <secondary-unit-id> admin Access the secondary unit using its index. For example, to access the unit with index 0: execute ha manage 0 admin The system prompts for the admin password of the secondary unit. Once logged in, configure the management interface with the desired IP address and administrative access settings. For example, to configure port8: config system interface edit port8 set ip <secondary-management-ip> <subnet-mask> set allowaccess https ssh ping next end Verify the configuration by reviewing the interface settings: show sys interface port8 Verify GUI access to the secondary unit: After completing the configuration, confirm that the secondary unit is accessible via its dedicated management IP address. Open a web browser. Enter the management IP address assigned to the secondary unit using HTTPS. For example: https://10.1.2.186. Verify that the FortiGate GUI login page loads successfully and that the unit is reachable. Successful access confirms that the management interface reservation and any required interface configuration are working as intended. Note: It is recommended to verify the ARP entry on the hidden ha 'vsys_hamgmt' vdom if the ha reserved management interface is not working for an individual unit in the HA cluster. See this article: Technical Tip: HA Reserved Management Interface's hidden VDOM (vsys_hamgmt VDOM). The following article describes a list of resources related to High Availability (HA) on the FortiGate: Technical Tip: FortiGate High Availability Resource List

FortiGate