Description
This article describes how to configure FortiGate HA Reserved Management Interface.
It provides direct management access to each individual cluster unit by reserving a management interface as part of the HA configuration.
A different IP address and administrative access settings can be configured for this interface for each cluster unit.
This simplifies the use of external services such as SNMP to monitor and manage the cluster units.
Note/prerequisite:
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each individual cluster member, use a different subnet for 'HA Reserved Management Interface (Out-Of-Band) than the cluster access subnet, and if the need is to use the same subnet than consider to use In-Band Managemen as explained in this article:
Technical Tip: How to implement In-Band Management
The Port wanted to use for 'HA Reserved Management Interface' should not be referenced/used in any configuration.
The interface needs to be cleared from all configurations and references, and 'Ref' needs to be 0.
Solution
- The HA direct management interface can be configured from the GUI as follows:
Go to System -> HA, edit Master FortiGate -> Management Interface Reservation, and enable this option.
- Interface: an interface used for management access.
- Gateway: IPv4 address of the gateway in case the unit will be accessed from a different subnet.
- Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).
In this example, it is connected from a host 192.168.181.10/24 which is in the same subnet as port2 on the FortiGate cluster with IP 192.168.181.1, no gateway is used.
2. Issue the command 'get system HA status'. Use the HA cluster index of the slave from the previous picture. Beware, as the HA cluster index is different from the HA operating index.
In order to connect to the slave FortiGate, proceed with the following command in the CLI:
'execute ha manage <HA cluster index of slave> <username> <password>'.
Now, configure the port intended for HA management.
Since the configuration is synchronized, the slave FortiGate has remained with the address from the master FortiGate in the first place.
Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.
config system interface
edit port 2 (used in this example as a HA management interface).
set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.
next
end
As a result of the previous configuration, it is possible to connect to the slave unit directly through the HA management IP address.
For FortiOS 5.2 and 5.4.
Configuration using CLI:
config system ha
set ha-mgmt-status [enable|disable]
set ha-mgmt-interface <interface-name>
set ha-mgmt-interface-gateway <- Skipped when ha-mgmt-interface is in DHCP/PPPOA.
end
config system interface
edit xxx
set vdom xxx #skipped <- If the current interface is ha-mgmt-interface.
next
end
From GUI.
Graphical view from the secondary unit:
A gateway can only be set from CLI.
config system ha
set ha-mgmt-status enable
set ha-mgmt-interface port7
set ha-mgmt-interface-gateway 172.31.224.10
end
For FortiOS 6.4.x and newer versions.
Configuration using CLI:
config system ha
set ha-mgmt-status [enable|disable]
config ha-mgmt-interface
edit <x>
set interface <interface name>
set gateway <xxx.xxx.xxx.xxx>
next
end
As an example, this is how this configuration looks on CLI:
Related article: