Cybersecurity Forum


PatrWeic
New Contributor

FortiADC: Active/Passive HA, dedicated management interface?

Is it possible to define a per member node dedicated management interface?

And how?

I have not been able to do that like in FortiGate.

------------------------------
Thx
------------------------------
6 REPLIES
Ferry_k
Staff

Hello Patrick,

See FortiADC handbook:

"In an Active-Passive cluster, only the management IP address for the primary node is active. In an active-passive cluster, you can log into a node only when it has primary node status and its IP address is active. To access the user interface of an appliance in status (the active-passive slave), you must use a console port connection. "

Thanks,
Ferry

------------------------------
Manager Consulting Systems Engineer, Enhanced Technologies INTL
Fortinet
Netherlands
------------------------------
Ferry
Sr. Director Consulting Systems Engineering
PatrWeic

Dear Ferry,

I'm a bit confused because of the description in the HA Guide. The Guide mentions something that I cannot clearly decipher, and I thought that it should be possible to have access to both appliances:


fortiadc-v5.1.x-ha-deployment-guide.pdf:

3.1 Deploy HA-AP mode
1) Enable the management-interface
It is recommended that the management-interface be enabled when HA-AP mode is deployed, because once you complete the HA-AP mode, only the master can handle traffic; this means that you are not able to access the slave device directly, which is not convenient in most cases. The management-interface, on the other hand, binds a virtual interface to the physical interface. It always works in all modes, including "standalone". Please perform the following steps on all the HA nodes.


Now, this sounds like it should be possible, or?



------------------------------
Thx
------------------------------
Ferry_k

Hello Patrick,

Confirmed from an A/P setup that it is possible to access both A/P cluster members via the WebUI.

Configure the A/P cluster without the dedicated mgmt-interface (set mgmt-status disable) and specify unique IP addresses on non-cluster interfaces (set dedicate-to-mgmt enable).

Regards,
Ferry



------------------------------
Ferry
------------------------------
PatrWeic

Dear Ferry,

Just to clarify. ADC does not have a management interface that will switch between Active (in case of a failover) to the other new Active? The management address stays on the node?

Also in the HA Guide it specifies that one should configure it on the ha config but does not mention to use "set dedicate-to-mgmt enable"?



2) Since the management-interface is a virtual interface inside the system, it has the same routing mechanism as other interfaces, so there should be no overlapping subnet in the system. Therefore, usually we clear the original IP address of the physical interface.

    FAD2 # config system interface
    FAD2 (interface) # edit port1
    FAD2 (port1) # unset ip
    FAD2 (port1) # end

This can result in losing connectivity, so the first step requires the console.

3) Configure the management-interface

    FAD2 # config system ha
    FAD2 (ha) # set mgmt-status enable
    FAD2 (ha) # set mgmt-interface port1
    FAD2 (ha) # set mgmt-ip 10.106.188.42/23
    FAD2 (ha) # set mgmt-ip-allowaccess http https ping snmp ssh telnet
    FAD2 (ha) # end

------------------------------
Thx
------------------------------
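The two recipes in this thread (the guide's HA mgmt-ip on port1, and Ferry's "mgmt-status disable plus dedicate-to-mgmt enable on a per-node port") can be sanity-checked offline before a change window. What follows is an added example, not code from the thread, from Fortinet or from the FortiADC product: a small Python linter over FortiADC-style CLI text that flags (1) cleartext protocols (http, telnet) in mgmt-ip-allowaccess or in a dedicated port's allowaccess, (2) a physical port address that overlaps the HA mgmt-ip subnet, which is the guide's reason for the "unset ip" step, and (3) an A/P cluster with neither an HA mgmt-ip nor a dedicate-to-mgmt port, which leaves the passive member console-only. Assumptions not confirmed by the page: that a config dump keeps the "config ... / edit ... / set ... / next / end" shape of the commands quoted above, that "set allowaccess" on an interface and the "next" keyword are valid FortiADC syntax, and that both sample configs below are constructed for this example rather than captured from an appliance.

```python
"""Added example, not from the thread, Fortinet or FortiADC: lint a
FortiADC-style CLI config for the management-access pitfalls discussed."""
import ipaddress

CLEARTEXT = {"http", "telnet"}  # management protocols that expose credentials

# Constructed sample 1: the guide's mgmt-ip recipe, but port1 still carries an
# address in the same /23 and the allow-list includes http and telnet.
WEAK_CONFIG = """\
config system interface
  edit port1
    set ip 10.106.188.10/23
  next
end
config system ha
  set mgmt-status enable
  set mgmt-interface port1
  set mgmt-ip 10.106.188.42/23
  set mgmt-ip-allowaccess http https ping snmp ssh telnet
end
"""

# Constructed sample 2: Ferry's recipe on node 1 (node 2 would use 10.0.0.3/24):
# no HA mgmt-ip, a port dedicated to management with its own IP, encrypted only.
# 'set allowaccess' and 'next' are assumed syntax, not quoted from the thread.
NODE1_CONFIG = """\
config system interface
  edit port2
    set ip 10.0.0.2/24
    set allowaccess https ssh ping
    set dedicate-to-mgmt enable
  next
end
config system ha
  set mgmt-status disable
end
"""


def parse_config(text):
    """Parse 'config system interface' / 'config system ha' blocks.

    Returns {"interfaces": {port: {key: [values]}}, "ha": {key: [values]}};
    'unset <key>' drops a key, like the guide's 'unset ip' on port1.
    """
    interfaces, ha = {}, {}
    section = current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            section, current = " ".join(words[1:]), None
        elif words[0] == "edit" and len(words) > 1:
            current = words[1]
            if section == "system interface":
                interfaces.setdefault(current, {})
        elif words[0] in ("set", "unset") and len(words) > 1:
            target = None
            if section == "system interface" and current is not None:
                target = interfaces[current]
            elif section == "system ha":
                target = ha
            if target is not None and words[0] == "set":
                target[words[1]] = words[2:]
            elif target is not None:
                target.pop(words[1], None)
        elif words[0] == "next":
            current = None
        elif words[0] == "end":
            section = current = None
    return {"interfaces": interfaces, "ha": ha}


def _enabled(attrs, key):
    return attrs.get(key, ["disable"])[0] == "enable"


def check_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_config(text)
    ha, ifaces = cfg["ha"], cfg["interfaces"]
    findings = []

    # 1. Cleartext management protocols on the HA mgmt-ip or a dedicated port.
    for proto in sorted(CLEARTEXT & set(ha.get("mgmt-ip-allowaccess", []))):
        findings.append(f"ha mgmt-ip-allowaccess permits cleartext {proto}")
    for name, attrs in sorted(ifaces.items()):
        if _enabled(attrs, "dedicate-to-mgmt"):
            for proto in sorted(CLEARTEXT & set(attrs.get("allowaccess", []))):
                findings.append(f"{name} allowaccess permits cleartext {proto}")

    # 2. The guide: no overlapping subnet between mgmt-ip and a physical port.
    if _enabled(ha, "mgmt-status") and "mgmt-ip" in ha:
        mgmt_net = ipaddress.ip_interface(ha["mgmt-ip"][0]).network
        for name, attrs in sorted(ifaces.items()):
            if "ip" in attrs:
                port_net = ipaddress.ip_interface(attrs["ip"][0]).network
                if port_net.overlaps(mgmt_net):
                    findings.append(f"{name} ip {attrs['ip'][0]} overlaps "
                                    f"ha mgmt-ip subnet {mgmt_net}")

    # 3. Ferry's point: with mgmt-status disabled, the passive member is
    #    console-only unless some port is dedicated to management.
    dedicated = [n for n, a in ifaces.items() if _enabled(a, "dedicate-to-mgmt")]
    if not _enabled(ha, "mgmt-status") and not dedicated:
        findings.append("no HA mgmt-ip and no dedicate-to-mgmt interface: "
                        "passive node reachable only via console")
    return findings
```

Running check_config(WEAK_CONFIG) reports the two cleartext protocols and the port1/mgmt-ip overlap; check_config(NODE1_CONFIG) returns an empty list. Feed it the output of a real "show system interface" and "show system ha" only after confirming the dump matches the assumed shape.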
Ferry_k

Hello Patrick,

By default, there is one management interface connected to the active cluster member as part of the HA config. Management of passive cluster member needs to be done through the console.

As you requested to have both active and passive WebUI's reachable you can do so by what I specified.

Thanks,
Ferry

------------------------------
Ferry
------------------------------
PatrWeic

I do not understand it yet.


Usually you want to have a management IP for the A/P cluster, let's say IP .1.

Then you want to monitor and use this IP for all sorts of activities, such as SNMP, SSH, GUI, REST API ....

This .1 moves from box to box when failovers occur, and all activities done through .1 are executed on the current active node.


Now for monitoring and alerting it is best to have an additional IP for each node, so that you always have direct access to that node for some management functionality.

So each node has an IP that does not move but always stays on the same instance, e.g. .2 on node 1 and .3 on node 2.

Those IPs usually reside in the same network:
e.g.

Cluster IP. 10.0.0.1/24 - interface mgmt or port1 on node 1 and 2
Node 1 IP 10.0.0.2/24 - interface port x, on node 1
Node 2 IP 10.0.0.3/24 - interface port x, on node 2

Now with FortiGate you can do this quite easily. On each box (2 interfaces): 1 interface for the cluster IP and a 2nd interface for the node IP.



How about this on FortiADC?

2 interfaces as well?

Can one use mgmt and port x?

Or is it recommended to not use mgmt for the cluster IP? Or not at all?

Or is it recommended to use only port x, y for the above requirement?


There are a couple of options I see on ADC but do not understand their function:

- mgmt interface - dedicated to management
- port x - dedicated to management
- ha interface - mgmt-status enable



------------------------------
Thx
------------------------------