ppardeshi (Staff)
Article Id 214783

Description

This article describes the hidden VDOM (vsys_hamgmt) used by the HA Reserved Management Interface and how to use it to reach the management network from each cluster unit.

Scope

FortiGate.

Solution

The HA Reserved Management Interface provides direct access (HTTP, HTTPS, ping, and so on) to each individual cluster unit by reserving a management interface in the HA configuration.

A different IP address and administrative access settings can therefore be configured on this interface independently on each unit.

Related KB article with the configuration steps:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

In the background, FortiGate creates a hidden VDOM named vsys_hamgmt.

The IP addresses configured in the vsys_hamgmt VDOM are not synchronized between the HA members, which is what allows the Primary and Secondary units to use separate IP addresses for management.

[Topology diagram (image not included): FortiGate1 and FortiGate2 in an HA cluster, with port3 reserved as the HA management interface and the Management Workstation at 10.10.10.1]

In the topology above, if pings to the Management Workstation (10.10.10.1) are initiated from FortiGate1 and FortiGate2 with the HA management port (port3) as the source interface, they fail, as shown below.

On the Primary FortiGate (FortiGate1):

FortiGate1 # execute ping-options interface port3

FortiGate1 # execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
sendto failed
sendto failed
sendto failed
sendto failed
sendto failed
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

On the Secondary FortiGate (FortiGate2):

FortiGate2 # execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Routing table on FortiGate1 (root VDOM, which has no route to 10.10.10.0/24):

FortiGate1 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.0.1, port1
C 192.168.0.0/24 is directly connected, port1

ARP table on FortiGate1 (shows no entry for port3):

FortiGate1 # get system arp
Address Age(min) Hardware Addr Interface
192.168.0.1 0 a4:13:4e:4b:4c:e0 port1
192.168.0.139 0 70:b5:e8:3d:2c:8a port1
169.254.0.2 - 50:00:00:02:00:01 port2

However, the Management PC can ping and access FortiGate1 and FortiGate2 individually:

C:\Users\test>ping 10.10.10.2

Pinging 10.10.10.2 with 32 bytes of data:
Reply from 10.10.10.2: bytes=32 time=5ms TTL=255
Reply from 10.10.10.2: bytes=32 time=3ms TTL=255
Reply from 10.10.10.2: bytes=32 time=2ms TTL=255

Ping statistics for 10.10.10.2:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms


C:\Users\test>ping 10.10.10.3

Pinging 10.10.10.3 with 32 bytes of data:
Reply from 10.10.10.3: bytes=32 time=2ms TTL=255
Reply from 10.10.10.3: bytes=32 time=1ms TTL=255
Reply from 10.10.10.3: bytes=32 time=1ms TTL=255

Ping statistics for 10.10.10.3:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

The solution is as follows:

To ping or otherwise reach the Management Workstation from each FortiGate individually, enter the vsys_hamgmt VDOM context first and then initiate the pings.

To switch to the vsys_hamgmt VDOM:

FortiGate1 # execute enter
<name> vdom name
root
vsys_hamgmt


FortiGate1 # execute enter vsys_hamgmt
current vdom=vsys_hamgmt:3

If multiple VDOMs are configured, go to the management VDOM first and then enter vsys_hamgmt:

FortiGate1 # config vdom

FortiGate1 # edit root   <----- For this example root VDOM is the management VDOM.
FortiGate1 (root)# execute enter vsys_hamgmt

current vdom=vsys_hamgmt:3

Successful pings from FortiGate1 after switching to the vsys_hamgmt VDOM:

FortiGate1 # execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=128 time=1.9 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=128 time=2.2 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=128 time=1.3 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=128 time=2.6 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=128 time=1.6 ms

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.9/2.6 ms

The routing table on FortiGate1 in the vsys_hamgmt VDOM (10.10.10.0/24 is directly connected via port3):

FortiGate1 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
C 10.10.10.0/24 is directly connected, port3

ARP table on FortiGate1 in the vsys_hamgmt VDOM:

FortiGate1 # get system arp
Address Age(min) Hardware Addr Interface
10.10.10.1 0 50:00:00:05:00:00 port3

To exit the vsys_hamgmt VDOM and return to the root VDOM:

FortiGate1 # execute enter root
current vdom=root:0
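
As an added example (not part of the original article or of FortiOS), the Python script below parses the two routing tables shown above, embedded here as constructed sample input, and predicts in which VDOM a ping to 10.10.10.1 sourced from port3 can succeed. The rule that an interface is usable only if it appears in that VDOM's routing table is an assumption of this script, not FortiOS internals.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the two routing tables from this article
# (root VDOM vs. the hidden vsys_hamgmt VDOM on FortiGate1).
ROOT_VDOM_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.0.1, port1
C 192.168.0.0/24 is directly connected, port1
"""
HAMGMT_VDOM_TABLE = """\
Routing table for VRF=0
C 10.10.10.0/24 is directly connected, port3
"""

# route code, prefix, anything, then the egress interface as the last token
ROUTE_RE = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+.*?(?P<iface>\S+)$")

def parse_routes(table_text):
    """Return [(network, code, iface)] from 'get router info routing-table details' output."""
    routes = []
    for line in table_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # header lines such as 'Codes:' or 'Routing table for VRF=0' do not match
            routes.append((ip_network(m["prefix"]), m["code"], m["iface"]))
    return routes

def plan_ping(table_text, dst, source_iface=None):
    """Predict whether a ping to dst, optionally sourced from source_iface, can leave this VDOM.
    Assumption (hypothetical, not FortiOS internals): an interface belongs to the VDOM
    only if it appears in that VDOM's routing table."""
    routes = parse_routes(table_text)
    vdom_ifaces = {iface for _, _, iface in routes}
    target = ip_address(dst)
    candidates = [r for r in routes if target in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen, default=None)  # longest prefix match
    if source_iface is not None and source_iface not in vdom_ifaces:
        return {"ok": False, "reason": f"{source_iface} is not an interface of this VDOM (sendto failed)"}
    if best is None:
        return {"ok": False, "reason": f"no route to {dst} in this VDOM"}
    return {"ok": True, "egress": best[2], "prefix": str(best[0])}

def reachable_vdoms(tables, dst, source_iface=None):
    """Names of the VDOMs (from a {name: table_text} dict) in which the ping would succeed."""
    return [name for name, text in tables.items() if plan_ping(text, dst, source_iface)["ok"]]

# Which VDOM can reach the Management Workstation when the ping is sourced from port3?
print(reachable_vdoms({"root": ROOT_VDOM_TABLE, "vsys_hamgmt": HAMGMT_VDOM_TABLE}, "10.10.10.1", "port3"))
```

In the root VDOM the destination only matches the default route via port1 and port3 is unknown, which mirrors the "sendto failed" output above; in vsys_hamgmt the connected 10.10.10.0/24 route on port3 is chosen.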