mike74
New Member
November 9, 2017
Solved

Problems with Virtual Clustering, SNMP and reserved management Interfaces

  • November 9, 2017
  • 2 replies
  • 9264 views

Hello All,

Maybe a stupid question, but I'm working on a design problem with HA, VDOMs and SNMP under FortiOS 5.4.6.

According to the examples in the "FortiOS Handbook - Virtual Domains" I tried to set up a multi-vdom scenario with the root vdom facing the internet and two departmental vdoms. The root vdom also holds the management vdom.

The two FortiGates form an active-active cluster and all vdoms are on the same virtual cluster. Each of the two nodes has a reserved management interface with an IP (Node A - 192.168.0.1/24, Node B - 192.168.0.2/24), but the management traffic, especially SNMP, should go via a clustered interface (192.168.0.10/24).

The node reserved management interfaces are by design in the Global VDOM and the clustered management interface is in the root vdom. Because all three are on the same IP subnet (the management subnet), I simply can't assign the chosen IP address to the clustered interface. I tried to enable allow-subnet-overlap but no luck; the option does not seem to exist in the Global domain in the system settings section.

How can I manage the dedicated cluster nodes and the virtual cluster from one management station without having different IP subnets?

Moving the management domain to another VDOM does not seem to be a valid option because I'm losing the possibility to use RADIUS for user authentication then.

Thanks in advance, Michael

Best answer by Toshi_Esumi

2 replies

emnoc
New Member
November 9, 2017

1st

No such vdom "global" exists in a FortiGate. In fact you CAN NOT EVEN create a vdom named Global/global in a FortiGate.

2nd, if you want to use dedicated management interfaces, define the interfaces as dedicated and set the ha-gateway details in the FortiGate.

e.g. v5.6.x

    config sys ha
        set mode a-p
        set group-name myclusterblah
        set ha-mgmt-status enable
        config ha-mgmt-interface
            edit 1
                set interface mgmt    (insert the name of the interface to use)
                set gateway x.x.x.x
                set dst 0.0.0.0 0.0.0.0
            next
        end
    end

Earlier versions were similar, but in 5.6 it is a sub-level config:

    config sys ha
        set ha-mgmt-status enable
        set ha-mgmt-interface mgmt
        set ha-mgmt-interface-gateway x.x.x.x
    end

 

Toshi_Esumi
SuperUser
November 9, 2017

And, I don't understand why "I'm losing the possibility to use radius for user authentication" if you move your management vdom. It just needs to have a route/path to get to your RADIUS servers. That's what we do with all of our clusters with multi-vdom setup.

mike74 (Author)
New Member
November 10, 2017

Hi Toshi,

This refers to p. 27 in the "Virtual Domains" handbook for FortiOS 5.4.4 - "You cannot change the management VDOM if any administrators are using RADIUS authentication". From my perspective my users are administrators who log in on the device.