Technical Tip: FQDN address object not matched in local-in-policy when ha-mgmt-intf-only is enabled
| Description | This article describes the behavior of FQDN address objects in local-in policies when ha-mgmt-intf-only is enabled for a dedicated HA management interface on FortiGate.
When a FortiGate interface is configured as a dedicated HA management interface and a local-in policy includes set ha-mgmt-intf-only enable, FQDN-type firewall address objects are not matched as source addresses.
Even if the FQDN resolves correctly to the expected IP address, the local-in policy does not match and access to the HA management interface is denied.
The same FQDN object functions correctly in local-in policies applied to non-HA management interfaces. |
| Scope | FortiGate HA cluster. |
| Solution | The following configuration example illustrates the behavior:
```
config system ha
config firewall address
config firewall local-in-policy
```
When a dedicated HA management interface is configured, FortiGate processes its traffic in a separate internal context (vsys_hamgmt). This management path is isolated from the normal VDOM data plane and from the standard traffic-forwarding policy engine.
Local-in policies with set ha-mgmt-intf-only enable are evaluated within this HA management context. FQDN address objects rely on DNS resolution within the regular VDOM data plane. In the HA management context, FQDN-based source matching is not performed. As a result, the local-in policy does not match and access is denied.
This behavior is by design.
To restrict access to a dedicated HA management interface, use static IP subnet address objects instead of FQDN-type address objects. |
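The configuration below is added here as an illustration and is not the article's own example: it places the non-matching FQDN-based local-in policy beside the working static-subnet policy described above. The interface name port9, the FQDN admin.example.com and the 198.51.100.0/24 addresses are assumed placeholders; the # lines are annotations.

```fortios
# Dedicated HA management interface (assumed: port9)
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port9"
            set gateway 198.51.100.1
        next
    end
end

config firewall address
    # FQDN object: resolves correctly, but FQDN matching is not performed in vsys_hamgmt
    edit "mgmt-host-fqdn"
        set type fqdn
        set fqdn "admin.example.com"
    next
    # Static subnet object: matched as expected in the HA management context
    edit "mgmt-host-static"
        set subnet 198.51.100.10 255.255.255.255
    next
end

config firewall local-in-policy
    # Does NOT match: FQDN source with ha-mgmt-intf-only, so access is denied
    edit 1
        set ha-mgmt-intf-only enable
        set intf "port9"
        set srcaddr "mgmt-host-fqdn"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    # Matches: same policy with the static subnet object as the source
    edit 2
        set ha-mgmt-intf-only enable
        set intf "port9"
        set srcaddr "mgmt-host-static"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
end
```

Policy 1 is kept only to show the failing form; in a production configuration, remove it and keep policy 2 (optionally followed by an explicit deny for all other sources).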
