FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 267851
Description This article describes the behavior when ha-direct is enabled and configured FortiManager as a FortiGuard server.
Scope FortiGate.
Solution The ha-direct or dedicated management interface cannot be used for connecting to FortiGuard even if FortiManager is used as a FortiGuard server. Traffic to FortiManager as the FortiGuard server is still considered to connecting to the FortiGuard server, so ha-direct has no effect.

FGVM-ha-direct # show full-configuration system central-management
    config system central-management
        set mode normal
        set type fortimanager
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        set fmg ""
        set fmg-source-ip
        set fmg-source-ip6 ::
        set local-cert ''
        unset ca-cert
        set vdom "root"
            config server-list
                edit 1
                    set server-type update rating
                    set addr-type ipv4
                    set server-address
        set fmg-update-port 8890
        set include-default-servers disable
        set enc-algorithm high
        set interface-select-method auto


FGVM-ha-direct # show system ha
    config system ha
        set group-name "FortiGateHA"
        set mode a-p
        set password ENC *************
        set hbdev "port10" 5
        set ha-mgmt-status enable
            config ha-mgmt-interfaces
                edit 1
                    set interface "port4"
                    set gateway
        set override disable
        set ha-direct enable


FGVM-ha-direct # diagnose sniffer packet any "port 8890" 4 0 l
Using Original Sniffing Mode
filters=[port 8890]
2023-08-08 14:30:15.106686 port1 out -> syn 1489822320 <-- The outgoing interface is not the ha-direct interface.

There is a known issue ID 738332 in 6.4.7, 6.4.8, and 7.0.1 that FortiGate will use the ha-direct interface for connecting to the FortiGuard. This issue has been resolved in 6.4.9 and 7.0.2.


Related documents:
FortiOS 6.4.9 Resolved issues.

FortiOS 7.0.2 Resolved issues.