saleha
Staff & Editor
July 23, 2024

Technical Tip: HA reserve management interface with managed FortiSwitch

Description

This article describes best practice recommendations for an HA reserve management interface when it is connected via FortiLink.

Scope

FortiOS, FortiSwitch.

Solution

  • To stay focused on the specific details, this article covers only the additional setup needed to achieve the task, compared with a regular configuration where a standalone switch is used.
  • For reference on how to set up an HA reserved management interface, see Technical Tip: HA Reserved Management Interface.
  • When the FortiSwitch is managed by the FortiGate, the VLAN interface has to be created under FortiLink.
  • The management VLAN has to be assigned an IP address that overlaps with the interface that will be used in the HA reserve-management config. Otherwise, the FortiGate will not know how to route the management traffic coming from the switch to the correct reserved interface.

 

config system interface
    edit vlan_mgmt
        set ip y.y.y.y
        ………
    next
end

 

  • The HA reserved-management interface has to be assigned an IP. Additionally, the administrative protocols have to include HTTPS.

config system interface
    edit mgmt
        set ip x.x.x.x
        set allowaccess https ping ssh <- Assuming these are the required admin protocols.
        ………….
    next
end

 

  • The reserved interface under the HA config will require a gateway address. In this case, this will be the IP address assigned to the management VLAN:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <mgmt>
            set gateway <y.y.y.y> <- Management VLAN interface IP address.
        next
    end
end

 

  • This should be enough to allow the maintenance or admin computer to access the reserved-management interface.
  • If 'Out of Band' management of the secondary member of the cluster is required, the mgmt interface (or whichever interface was reserved for management on the primary) has to be configured the same way on the secondary. However, it has to be assigned a different IP address from the same subnet that the primary member of the cluster was configured with. For reference, see this section of the documentation.
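
An added example, not part of the original article: a Python check that parses a FortiOS configuration backup and verifies the conditions described above (HA gateway equals the management VLAN IP, reserved interface IP inside the management VLAN subnet, HTTPS in allowaccess). It assumes the nested key names `config ha-mgmt-interfaces`, `set interface` and `set gateway`, reads "overlaps" as "same subnet", and the function names and 192.0.2.x sample addresses are constructed for illustration.

```python
import ipaddress

def parse_fortios(text):  # config/edit/set/next/end lines -> nested dicts
    stack = [{}]
    for raw in text.splitlines():
        tok = raw.replace('"', "").split() or [""]
        if tok[0] in ("config", "edit"):      # open a block or a table entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                 # set <key> <value ...>
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def check_ha_mgmt(text, vlan_name):
    """Yield one message per failed check; nothing yielded means all pass."""
    cfg = parse_fortios(text)
    ifaces = cfg["system interface"]
    vlan = ipaddress.ip_interface("/".join(ifaces[vlan_name]["ip"]))
    for entry in cfg["system ha"]["ha-mgmt-interfaces"].values():
        name = entry["interface"][0]
        mgmt = ipaddress.ip_interface("/".join(ifaces[name]["ip"]))
        if entry.get("gateway") != [str(vlan.ip)]:
            yield f"{name}: gateway is not the {vlan_name} IP"
        if mgmt.ip not in vlan.network:
            yield f"{name}: IP is outside the {vlan_name} subnet"
        if "https" not in ifaces[name].get("allowaccess", []):
            yield f"{name}: allowaccess lacks https"

# Constructed sample with documentation addresses, not a real device backup.
SAMPLE = """
config system interface
    edit "vlan_mgmt"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess https ping ssh
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end"""
print(list(check_ha_mgmt(SAMPLE, "vlan_mgmt")) or "all checks pass")
```

Run it against the backup of each cluster member, since the reserved management interface is configured separately on the primary and the secondary.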

 

Related article:

Technical Tip: FortiGate High Availability Resource List