Technical Tip: HA Reserved Management Interface

Description

This article describes how to configure FortiGate HA Reserved Management Interface.

The aim is to provide direct management access to each individual cluster unit using a different IP address by reserving a management interface as part of the HA configuration.

This simplifies the use of external services such as SNMP to monitor and manage the cluster units.

Note/prerequisite:
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each individual cluster member, use a different subnet for 'HA Reserved Management Interface (Out-Of-Band) than the cluster access subnet, and if the need is to use the same subnet, consider using In-Band Management as explained in this article:

Technical Tip: How to implement In-Band Management

Solution

1. The HA direct management interface can be configured from the GUI as follows:
   Go to System -> HA, edit Master FortiGate -> Management Interface Reservation, and enable this option.
   
   

• Interface: An interface used for management access. Bear in mind that if the interface (port2 in this case as shown in the screenshot) is used as slbc management interface then it is not available to be selected as a reserved management interface:

config global
    config load-balance setting
        set slbc-mgmt-intf port2
end

• Gateway: IPv4 address of the gateway in case the unit will be accessed from a different subnet.
• Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).

 

To connect to the slave FortiGate, proceed with the following command in the CLI:

 

execute ha manage <HA cluster index of slave> <username> <password>

 

Now, configure the port intended for HA management.

 

Since the configuration is synchronized, the slave FortiGate has remained with the address from the master FortiGate in the first place.

 

Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.

 

config system interface
    edit port 2 (used in this example as a HA management interface).
        set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.

    next
end

 

As a result of the previous configuration, it is possible to connect to the slave unit directly through the HA management IP address.

 

 

For FortiOS 5.2 and 5.4.

Configuration using CLI:

 

config system ha
    set ha-mgmt-status [enable|disable]
    set ha-mgmt-interface <interface-name>
    set ha-mgmt-interface-gateway     <- Skipped when ha-mgmt-interface is in DHCP/PPPOA.
end

 

config system interface
    edit xxx
        set vdom xxx #skipped        <- If the current interface is ha-mgmt-interface.
    next
end

 

From the GUI:

 

 

Graphical view from the secondary unit:

 

 

A gateway can only be set from CLI.

 

config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface port7
    set ha-mgmt-interface-gateway 172.31.224.10
end

 

For FortiOS 6.4.x and newer versions.

Configuration using CLI:

config system ha
    set ha-mgmt-status [enable|disable]
        config ha-mgmt-interface

            edit <x>

                set interface <interface name>

                set gateway <xxx.xxx.xxx.xxx> 

            next

        end

As an example, this is how this configuration looks on CLI:

The gateway IP address has to be configured on the secondary unit as well. Without configuring the gateway IP on the secondary unit, the secondary unit cannot be accessible from the GUI.

Related documents:

• Technical Note: How to Check Referenced Objects
• Out-of-band Management with reserved management interfaces