FortiGate
ssriswadpong
Staff
Article Id 267851
Description This article describes the behavior of ha-direct when it is enabled and FortiManager is configured as the FortiGuard server.
Scope FortiGate.
Solution The ha-direct (dedicated management) interface is not used for FortiGuard connections, even when FortiManager is configured as the FortiGuard server. Traffic to FortiManager in its FortiGuard-server role is still treated as a FortiGuard connection, so ha-direct has no effect on it: the update traffic leaves through a regular data interface, as the sniffer output below shows.

FGVM-ha-direct # show full-configuration system central-management
    config system central-management
        set mode normal
        set type fortimanager
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        set fmg "10.47.1.188"
        set fmg-source-ip 0.0.0.0
        set fmg-source-ip6 ::
        set local-cert ''
        unset ca-cert
        set vdom "root"
            config server-list
                edit 1
                    set server-type update rating
                    set addr-type ipv4
                    set server-address 10.47.1.188
                next
            end
        set fmg-update-port 8890
        set include-default-servers disable
        set enc-algorithm high
        set interface-select-method auto
    end


FGVM-ha-direct # show system ha
    config system ha
        set group-name "FortiGateHA"
        set mode a-p
        set password ENC *************
        set hbdev "port10" 5
        set ha-mgmt-status enable
            config ha-mgmt-interfaces
                edit 1
                    set interface "port4"
                    set gateway 10.47.1.254
                next
            end
        set override disable
        set ha-direct enable
    end


FGVM-ha-direct # diagnose sniffer packet any "port 8890" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8890]
2023-08-08 14:30:15.106686 port1 out 10.47.2.21.14238 -> 10.47.1.188.8890: syn 1489822320 <-- The outgoing interface is not the ha-direct interface.


Known issue 738332 affects FortiOS 6.4.7, 6.4.8 and 7.0.1: on those builds, FortiGate uses the ha-direct interface for connecting to FortiGuard. The issue is resolved in 6.4.9 and 7.0.2.
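The check above (compare the ha-mgmt interface from 'show system ha' with the outgoing interface in the sniffer output for the fmg-update-port) can be scripted against saved CLI output. The following is an added example, not code from the article or from Fortinet: it parses a pasted 'config system ha' block and 'diagnose sniffer packet' lines, and reports whether update traffic to port 8890 left an ha-direct interface. The configuration and capture text embedded below are constructed samples modelled on the output shown above; the "affected build" capture is invented to illustrate what the known-issue behavior would look like and was not recorded from a live unit.

```python
import re

# Constructed sample, modelled on the 'show system ha' output in the article.
HA_CONFIG = """\
config system ha
    set group-name "FortiGateHA"
    set mode a-p
    set hbdev "port10" 5
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.47.1.254
            next
        end
    set override disable
    set ha-direct enable
end
"""

# Constructed capture reflecting the expected behavior: the SYN to the
# FortiManager update port leaves a data interface (port1), not port4.
SNIFFER_EXPECTED = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8890]
2023-08-08 14:30:15.106686 port1 out 10.47.2.21.14238 -> 10.47.1.188.8890: syn 1489822320
2023-08-08 14:30:15.107201 port1 in 10.47.1.188.8890 -> 10.47.2.21.14238: syn 2211835711 ack 1489822321
"""

# Constructed (hypothetical) capture showing what an affected build would do:
# the same connection leaves the ha-direct interface.
SNIFFER_AFFECTED = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8890]
2023-08-08 14:30:15.106686 port4 out 10.47.1.21.14238 -> 10.47.1.188.8890: syn 1489822320
"""

# Verbosity-4 sniffer line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: ..."
SNIFFER_LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+):"
)


def ha_mgmt_interfaces(ha_config: str) -> set[str]:
    """Interfaces ha-direct would use: the 'config ha-mgmt-interfaces' entries,
    counted only when both ha-mgmt-status and ha-direct are enabled."""
    if not re.search(r"^\s*set ha-mgmt-status enable\s*$", ha_config, re.M):
        return set()
    if not re.search(r"^\s*set ha-direct enable\s*$", ha_config, re.M):
        return set()
    block = re.search(r"config ha-mgmt-interfaces(.*?)^\s*end\s*$",
                      ha_config, re.S | re.M)
    if block is None:
        return set()
    return set(re.findall(r'set interface "([^"]+)"', block.group(1)))


def egress_interfaces(sniffer_output: str, port: int) -> set[str]:
    """Interfaces on which outbound packets to destination port `port` were seen."""
    seen: set[str] = set()
    for line in sniffer_output.splitlines():
        m = SNIFFER_LINE.match(line)
        if m and m["dir"] == "out" and int(m["dport"]) == port:
            seen.add(m["iface"])
    return seen


def check_update_path(ha_config: str, sniffer_output: str,
                      update_port: int = 8890) -> dict:
    """Report whether FortiManager/FortiGuard update traffic left an ha-direct
    interface. update_port should match 'set fmg-update-port'."""
    mgmt = ha_mgmt_interfaces(ha_config)
    egress = egress_interfaces(sniffer_output, update_port)
    return {
        "ha_mgmt_interfaces": mgmt,
        "egress_interfaces": egress,
        "via_ha_direct": bool(mgmt & egress),
    }


if __name__ == "__main__":
    for name, cap in (("article capture", SNIFFER_EXPECTED),
                      ("affected build", SNIFFER_AFFECTED)):
        print(name, check_update_path(HA_CONFIG, cap))
```

Paste the real 'show system ha' output and a longer sniffer capture in place of the constructed samples; a result with via_ha_direct set to True on a build other than those listed for issue 738332 is worth raising with Fortinet support, since the expected behavior is that ha-direct is ignored for this traffic.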


Related documents:
FortiOS 6.4.9 Resolved issues.
FortiOS 7.0.2 Resolved issues.