j_a_m_e_s
New Member
January 30, 2021
Question

FGCP Management IP

  • January 30, 2021
  • 2 replies
  • 11553 views

Dear All,

 

When running FGCP is there any way to maintain a separate MGT IP on the active and passive FGTs? 

 

I can see that the data-plane interfaces on the units need layer two reachability because in the event of a failover the IP and MAC will float to the standby unit (and GARP will take place). It seems a bit awkward to have the same MGT IP float between the boxes because you wouldn't get any direct SSH/SNMP/HTTPS reachability of the standby for monitoring purposes.

 

Additionally, if one used dynamic routing on the FGT, wouldn't you need to peer with the virtual IP on the upstream switch? Again, this seems a bit awkward compared with FGSP.

 

Many thanks again for any insight.

 

James.

 


    lobstercreed
    New Member
    February 1, 2021

    I believe this is what you're looking for?

     

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD32214

    j_a_m_e_s (Author)
    New Member
    February 1, 2021

    Thank you! I deleted all references to my existing "mgmt1" interface then applied the commands you referenced. Now I can SSH individually to each. This is progress, but may I ask some follow-on questions?

     

    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
                set dst 10.0.0.254
            next
        end
    end

    DeviceA:

    config system interface
        edit mgmt1
            set ip 10.0.0.1 255.255.255.0
            set allowaccess ping ssh fgfm https snmp
            set type physical
            set dedicated-to management
        next
    end

    DeviceB:

    config system interface
        edit mgmt1
            set ip 10.0.0.2 255.255.255.0
            set allowaccess ping ssh fgfm https snmp
            set type physical
            set dedicated-to management
        next
    end

     

    1. Will this work with FMG and FAZ?

    2. Will on-box agents like NTP and SNMP-Traps know to use this MGT path?

    3. I used to keep mgmt1 in a VDOM named root and set a local-in policy. Is this no longer possible? I notice that I can no longer do a "set vdom root" under the mgmt1 interface. Is there any way to secure the management?

     

    Kind regards

     

    James.
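
The reserved-management setup above is easy to get subtly wrong on one member (a missing `dedicated-to`, a plaintext protocol left in `allowaccess`, or the same address pasted onto both units, which would make it float just like the data-plane IPs). The following checker is an added example and not Fortinet's code or anything posted in this thread: it parses the `config ... end` text a FortiGate prints with `show`, then applies those checks per member and across the pair. The sample configs are constructed from the DeviceA/DeviceB snippets above; the acceptance of `gateway` as well as `dst` in `ha-mgmt-interfaces` is an assumption about newer FortiOS keyword naming, and the `SAFE_ACCESS` list is my own policy choice, not a Fortinet default.

```python
"""Lint per-node HA reserved-management config: added example, not Fortinet code.
Parses the `config ... end` text a FortiGate prints with `show`."""
from __future__ import annotations
import ipaddress
import shlex

# Acceptable allowaccess values on a reserved management port; no http/telnet.
SAFE_ACCESS = {"ping", "ssh", "https", "snmp", "fgfm"}

def parse_fortios(text: str) -> dict:
    """config X / edit Y open nested dicts, set K v.. stores [v..], next/end close."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def ha_mgmt_entries(cfg: dict) -> list[tuple[str, dict, dict | None]]:
    """(entry id, ha-mgmt-interfaces entry, matching system interface or None)."""
    ifaces = cfg.get("system interface", {})
    entries = cfg.get("system ha", {}).get("ha-mgmt-interfaces", {})
    return [(i, e, ifaces.get(e.get("interface", [""])[0])) for i, e in entries.items()]

def check_ha_mgmt(config_text: str) -> list[str]:
    """Findings for one cluster member; an empty list means it looks clean."""
    cfg = parse_fortios(config_text)
    findings: list[str] = []
    if cfg.get("system ha", {}).get("ha-mgmt-status") != ["enable"]:
        findings.append("ha-mgmt-status not enabled: the management IP floats")
    for idx, entry, intf in ha_mgmt_entries(cfg):
        name = entry.get("interface", ["?"])[0]
        if intf is None:
            findings.append(f"ha-mgmt entry {idx}: interface {name} not configured")
            continue
        # Assumption: newer FortiOS spells the next hop `gateway` rather than `dst`.
        if "dst" not in entry and "gateway" not in entry:
            findings.append(f"{name}: no dst/gateway, only on-link hosts can reach it")
        if intf.get("dedicated-to") != ["management"]:
            findings.append(f"{name}: not dedicated-to management")
        risky = set(intf.get("allowaccess", [])) - SAFE_ACCESS
        if risky:
            findings.append(f"{name}: plaintext/unexpected admin access {sorted(risky)}")
    return findings

def mgmt_addresses(config_text: str) -> list:
    """Each reserved management address as an ip_interface, in entry order."""
    addrs = []
    for _i, _e, intf in ha_mgmt_entries(parse_fortios(config_text)):
        ip = (intf or {}).get("ip")
        if ip and len(ip) == 2:  # "set ip <addr> <netmask>"
            addrs.append(ipaddress.ip_interface(f"{ip[0]}/{ip[1]}"))
    return addrs

def check_pair(config_a: str, config_b: str) -> list[str]:
    """Two members must have distinct addresses on one management subnet."""
    findings = []
    for a, b in zip(mgmt_addresses(config_a), mgmt_addresses(config_b)):
        if a.ip == b.ip:
            findings.append(f"both members use {a.ip}: secondary not reachable directly")
        elif a.network != b.network:
            findings.append(f"{a} and {b} are on different subnets")
    return findings

# Constructed samples modelled on the DeviceA/DeviceB configs posted above.
HA_BLOCK = """config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set dst 10.0.0.254
        next
    end
end
"""

def member_config(ip: str, allowaccess: str, dedicated: bool = True) -> str:
    ded = "set dedicated-to management\n" if dedicated else ""
    return HA_BLOCK + ("config system interface\n    edit mgmt1\n"
                       f"        set ip {ip} 255.255.255.0\n"
                       f"        set allowaccess {allowaccess}\n"
                       f"        set type physical\n        {ded}    next\nend\n")

DEVICE_A = member_config("10.0.0.1", "ping ssh fgfm https snmp")
DEVICE_B = member_config("10.0.0.2", "ping ssh fgfm https snmp")
# Weak variant: plaintext admin protocols, not dedicated, reuses A's address.
DEVICE_WEAK = member_config("10.0.0.1", "ping ssh http telnet https", dedicated=False)

if __name__ == "__main__":
    print(check_ha_mgmt(DEVICE_WEAK), check_pair(DEVICE_A, DEVICE_WEAK))
```

Run it against the `show system ha` and `show system interface` output of each member; `check_ha_mgmt` reports per-unit problems and `check_pair` catches the copy-paste case where both units end up with the same reserved address. The parser only understands the `config`/`edit`/`set`/`next`/`end` grammar, which is enough for these two blocks.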

     

    lobstercreed
    New Member
    February 2, 2021

    Interesting questions, and I'm afraid I don't know all the answers.  Perhaps one of the other more experienced admins will weigh in, but I can say this:

    1. It works, yes. Both systems recognize this as an HA cluster, and to be honest I haven't really investigated which interface the source traffic comes from. I think it's the dedicated management but I'm not really sure.
    2. I know that SNMP uses the dedicated management port as that's part of the point (mentioned explicitly in the link), and I think NTP does but again haven't necessarily double-checked the sniffs.
    3. I've never used VDOMs that way and am not sure of the exact ramifications of this, but I don't know why local-in policies wouldn't still apply the same way they do to any other interface.

    WD40
    New Member
    February 9, 2021

    Yes, it's possible to achieve that: you can use the "set management-ip" command to set a different IP on each cluster node.

    https://docs.fortinet.com/document/fortigate/6.0.0/handbook/349060/in-band-management

     

     

    j_a_m_e_s (Author)
    New Member
    February 12, 2021

    Another important discovery is that FMG doesn't work with the ha-reserved-management IP. It will add the device correctly, but once you install a policy the installation gets stuck at 35% and the FGFM connection will drop. 

     

    There is a KB mentioning this, but not suggesting a solution:

    https://kb.fortinet.com/kb/viewContent.do?externalId=FD37209&sliceId=1

     

    It seems that another interface can be used for the FMG. If anyone has tried this could you let me know please?

    HaTiMuX
    New Member
    February 15, 2021

    Hi James,

     

    Yes I had a similar issue where the policy install didn't succeed when using the dedicated management interface with FortiManager.

     

    As mentioned in the KB article, it is recommended to use another interface to communicate with FortiManager so that you don't lose access to the cluster in case of a failover. The dedicated management interface is intended for SNMP monitoring and direct access to the secondary device.