Technical Tip: Sniffing traffic on a dedicated HA management interface
Description
This article describes how to run a packet capture/sniffer on a dedicated HA management interface for the FortiGate.
Scope
FortiGate, High Availability (HA).
Solution
When configured, reserved HA management interfaces allow administrators to connect directly to each FortiGate HA cluster member. Notably, the reserved HA management interface does not belong to any admin-created VDOMs (such as Global or root) and instead is assigned to a hidden VDOM named 'vsys_hamgmt'. Refer to the following KB article for more information: Technical Tip: HA Reserved Management Interface's hidden VDOM (vsys_hamgmt VDOM).
Even so, packet captures/sniffers can still be run on these reserved HA management interfaces from any non-Global VDOM, provided the administrator account is assigned the super_admin profile or another profile with Global scope (i.e. a VDOM administrator account cannot do this).
In the following example, port2 has been configured as a reserved HA management interface:
config system ha
set group-id 30
set group-name 'test123'
set mode a-p
set hbdev 'port33' 100 'port11' 50
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface 'port2'
set gateway 10.5.63.254
next
end
set override disable
set monitor 'port5' 'port6'
end
config system interface
edit 'port2'
set ip 10.5.51.190 255.255.0.0
set allowaccess ping https ssh http telnet fgfm
next
end
The following screenshot shows the Virtual Domain (VDOM) mapping of the interfaces. Note how port2 shows an empty VDOM entry:

interfaces=[any]
filters=[host 10.5.51.190 and icmp]
15.917954 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
15.917975 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
16.930631 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
16.930645 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel

1.770791 port2 -- 10.5.51.190 -> 10.5.63.254: icmp: echo reply
2.347829 port2 -- 10.5.63.254 -> 10.5.51.190: icmp: echo request
2.347930 port2 -- 10.5.51.190 -> 10.5.63.254: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
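The sniffer lines above have a fixed shape (timestamp, interface, direction, src -> dst, description) that is easy to post-process once pasted out of the CLI. The following Python parser is an added example, not code from the article or from FortiOS: it reads such a capture (the embedded sample is the article's first capture), counts packets per interface and direction, and flags a listing whose packet lines are fewer than the sniffer's own "received by filter" total, which is what a cropped paste looks like.

```python
import re
from collections import Counter

# FortiGate CLI sniffer output, copied from this article's first capture.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 10.5.51.190 and icmp]
15.917954 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
15.917975 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
16.930631 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
16.930645 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
"""

# One packet line: timestamp, interface, direction (in/out, or -- when no
# direction is reported), src -> dst, then a protocol-specific description
# such as "icmp: echo request" (TCP/UDP lines append .port to each host).
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out|--)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$"
)
HEADER_RE = re.compile(r"^(?P<key>interfaces|filters)=\[(?P<val>.*)\]$")
TRAILER_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>received by filter|dropped by kernel)$"
)


def parse_sniffer_output(text):
    """Parse raw sniffer text into header fields, packet records, per
    interface/direction counts and the sniffer's own totals."""
    result = {"interfaces": None, "filters": None, "packets": [],
              "received": None, "dropped": None}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            result[m["key"]] = m["val"]
        elif m := PACKET_RE.match(line):
            result["packets"].append({
                "ts": float(m["ts"]), "iface": m["iface"], "dir": m["dir"],
                "src": m["src"], "dst": m["dst"], "info": m["info"]})
        elif m := TRAILER_RE.match(line):
            key = "received" if m["what"].startswith("received") else "dropped"
            result[key] = int(m["n"])
    result["by_iface_dir"] = Counter((p["iface"], p["dir"]) for p in result["packets"])
    # The trailer total comes from the sniffer itself; fewer parsed packet lines
    # than that means the listing is incomplete (e.g. cropped before pasting).
    result["listing_complete"] = (result["received"] is not None
                                  and len(result["packets"]) == result["received"])
    return result
```

Call parse_sniffer_output() on the text pasted from the FortiGate session; by_iface_dir shows at a glance whether the reserved HA management port (port2 here) is the one carrying the filtered traffic.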
Related article:
Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets
