Description
This article describes how to configure FortiGate HA Reserved Management Interface.
It provides a direct management access to each individual cluster unit by reserving a management interface as part of the HA configuration.
A different IP address and administrative access settings can be configured for this interface for each cluster unit.
This simplifies the use of external services such as SNMP to monitor and manage the cluster units.
Note.
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each individual cluster member.
Solution
1) The HA direct management interface can be configured from the GUI as follows:
Go to System -> HA, edit Master FortiGate -> Management Interface Reservation and enable this option.
- Interface: interface used for management access.
- Gateway: IPv4 address of gateway in case the unit will be accessed from a different subnet.
- Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).
- Gateway: IPv4 address of gateway in case the unit will be accessed from a different subnet.
- Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).
Note.
The interface needs to be cleared from all configuration and references, 'Ref' need to be 0.
In this example, it is connected from a host 192.168.181.10/24 which is in the same subnet as port2 on the FortiGate cluster with IP 192.168.181.1, no gateway is used.
2) Issue the command '# get system HA status'. Use the HA cluster index of slave from the previous picture. Beware, as HA cluster index is different from HA operating index.
In order to connect to the slave FortiGate, proceed with the command on CLI:
- Execute'# ha manage <HA cluster index of slave> <user name> <password>'
- Execute'# ha manage <HA cluster index of slave> <user name> <password>'
Now, configure the port intended for HA management.
Since the configuration is synchronized, the slave FortiGate has remained with the address from the master FortiGate in the first place.
Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.
# config system interfaceAs a result of the previous configuration, it is possible to connect to the slave unit directly through the HA management IP address.
edit port 2 (used in this example as a HA management interface)
set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.
next
end
For FortiOS 5.2 and 5.4.
Configuration using CLI:
Configuration using CLI:
#config system ha
set ha-mgmt-status [enable|disable]
set ha-mgmt-interface <interface-name>
set ha-mgmt-interface-gateway <----- Skipped when ha-mgmt-interface is in DHCP/PPPOA
end
#config system interfaceFrom GUI.
edit xxx
set vdom xxx #skipped <----- If the current interface is ha-mgmt-interface.
next
end
Graphical view from the secondary unit:
A gateway can only be set from CLI.
#config system ha
set ha-mgmt-status enable
set ha-mgmt-interface port7
set ha-mgmt-interface-gateway 172.31.224.10
end
Related Articles
