The ha-direct or dedicated management interface cannot be used for connecting to FortiGuard, even when FortiManager is used as the FortiGuard server. Traffic to FortiManager acting as the FortiGuard server is still treated as a connection to the FortiGuard server, so ha-direct has no effect on it.
FGVM-ha-direct # show full-configuration system central-management
config system central-management
    set mode normal
    set type fortimanager
    set schedule-config-restore enable
    set schedule-script-restore enable
    set allow-push-configuration enable
    set allow-push-firmware enable
    set allow-remote-firmware-upgrade enable
    set allow-monitor enable
    set fmg "10.47.1.188"
    set fmg-source-ip 0.0.0.0
    set fmg-source-ip6 ::
    set local-cert ''
    unset ca-cert
    set vdom "root"
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.47.1.188
        next
    end
    set fmg-update-port 8890
    set include-default-servers disable
    set enc-algorithm high
    set interface-select-method auto
end
FGVM-ha-direct # show system ha
config system ha
    set group-name "FortiGateHA"
    set mode a-p
    set password ENC *************
    set hbdev "port10" 5
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.47.1.254
        next
    end
    set override disable
    set ha-direct enable
end
FGVM-ha-direct # diagnose sniffer packet any "port 8890" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8890]
2023-08-08 14:30:15.106686 port1 out 10.47.2.21.14238 -> 10.47.1.188.8890: syn 1489822320    <-- The outgoing interface is not the ha-direct interface.
Known issue 738332 in 6.4.7, 6.4.8, and 7.0.1 causes FortiGate to use the ha-direct interface for connecting to FortiGuard. This issue has been resolved in 6.4.9 and 7.0.2.
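An added check (example code, not from this article or from Fortinet) that applies the verification above to saved CLI output: it reads the ha-mgmt interface from "show system ha", finds the outgoing interface of packets to the FortiGuard/FortiManager update port in the sniffer output, and flags the case where the two coincide, which the article describes as the behaviour of builds affected by issue 738332. The configuration and sniffer text embedded below are constructed to mirror the article's output, not captured from a device.

```python
import re

# Constructed sample outputs (not captured from a real device), modelled on the
# "show system ha" and "diagnose sniffer packet" output quoted in the article.
HA_CONFIG = """config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.47.1.254
        next
    end
    set ha-direct enable
end"""
SNIFFER_OUTPUT = """interfaces=[any]
filters=[port 8890]
2023-08-08 14:30:15.106686 port1 out 10.47.2.21.14238 -> 10.47.1.188.8890: syn 1489822320
2023-08-08 14:30:15.110002 port1 in 10.47.1.188.8890 -> 10.47.2.21.14238: syn 2034009871 ack 1489822321"""

AFFECTED_VERSIONS = {"6.4.7", "6.4.8", "7.0.1"}  # builds the article lists under known issue 738332

# One sniffer line with the "l" timestamp option:
# "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: ..."
PKT_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
                    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def ha_direct_enabled(ha_config: str) -> bool:
    return re.search(r"^\s*set ha-direct enable\s*$", ha_config, re.M) is not None

def ha_mgmt_interfaces(ha_config: str) -> list:
    """Interface names configured under 'config ha-mgmt-interfaces'."""
    block = re.search(r"config ha-mgmt-interfaces\n(.*?)\n\s*end", ha_config, re.S)
    return re.findall(r'set interface "([^"]+)"', block.group(1)) if block else []

def egress_interfaces(sniffer_output: str, server_ip: str, port: int = 8890) -> set:
    """Outgoing interfaces seen for packets to server_ip:port (default: the FMG update port)."""
    found = set()
    for line in sniffer_output.splitlines():
        m = PKT_RE.match(line)
        if m and m["dir"] == "out" and m["dst"] == server_ip and int(m["dport"]) == port:
            found.add(m["iface"])
    return found

def fortiguard_uses_ha_mgmt(ha_config: str, sniffer_output: str, server_ip: str) -> bool:
    """True if FortiGuard update traffic egresses an ha-direct management interface (expected False on fixed builds)."""
    return ha_direct_enabled(ha_config) and bool(
        egress_interfaces(sniffer_output, server_ip) & set(ha_mgmt_interfaces(ha_config)))

def version_affected(fortios_version: str) -> bool:
    return fortios_version in AFFECTED_VERSIONS
```

If fortiguard_uses_ha_mgmt returns True on a build not in AFFECTED_VERSIONS, the sniffer capture should be re-checked against the configured ha-mgmt interface rather than attributed to issue 738332.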
Related documents:
FortiOS 6.4.9 Resolved issues
FortiOS 7.0.2 Resolved issues