Description

This article describes how to configure FortiGate HA Reserved Management Interface.

The aim is to provide direct management access to each individual cluster unit using a different IP address by reserving a management interface as part of the HA configuration.

This simplifies the use of external services such as SNMP to monitor and manage the cluster units.

Note/prerequisite:
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each cluster member, use a different subnet for 'HA Reserved Management Interface (Out-Of-Band) than the cluster access subnet, and if the need is to use the same subnet, consider using In-Band Management as explained in this article:

Technical Tip: How to implement In-Band Management

Scope

FortiGate.

Solution

1. The HA direct management interface can be configured from the GUI as follows:
   Go to System -> HA, edit Primary FortiGate -> Management Interface Reservation, and enable this option.
   
   

• Interface: An interface used for management access. Bear in mind that if the interface (port2 in this case as shown in the screenshot) is used as SLBC management interface then it is not available to be selected as a reserved management interface:

config global
    config load-balance setting
        set slbc-mgmt-intf port2
end

Note:
The interface must not be referenced in any config in order to set as reserved management interface. To check if the interface is referenced, using this document Technical Tip: How to Check Referenced Objects 

• Gateway: IPv4 address of the gateway in case the unit will be accessed from a different subnet.
• Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).

 

To connect to the secondary FortiGate, proceed with the following command in the CLI:

 

execute ha manage <HA cluster index of slave> <username> <password>

 

Now, configure the port intended for HA management.

 

Since the configuration is synchronized, the secondary FortiGate has remained with the address from the master FortiGate in the first place.

 

Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.

 

config system interface
    edit port 2 (used in this example as a HA management interface).
        set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.

    next
end

 

As a result of the previous configuration, it is possible to connect to the secondary unit directly through the HA management IP address.

 

 

For FortiOS 5.2 and 5.4.

Configuration using CLI:

 

config system ha
    set ha-mgmt-status [enable|disable]
    set ha-mgmt-interface <interface-name>
    set ha-mgmt-interface-gateway     <- Skipped when ha-mgmt-interface is in DHCP/PPPOA.
end

 

config system interface
    edit xxx
        set vdom xxx #skipped        <- If the current interface is ha-mgmt-interface.
    next
end

 

From the GUI:

 

 

Graphical view from the secondary unit:

 

 

A gateway can only be set from CLI.

 

config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface port7
    set ha-mgmt-interface-gateway 172.31.224.10
end

 

For v6.4.x and newer versions.

Configuration using CLI:

config system ha
    set ha-mgmt-status [enable|disable]
        config ha-mgmt-interface

            edit <x>

                set interface <interface name>

                set gateway <xxx.xxx.xxx.xxx> 

            next

        end

As an example, this is how this configuration looks on CLI:

The gateway IP address has to be configured on the secondary unit as well. Without configuring the gateway IP on the secondary unit, the secondary unit cannot be accessible from the GUI.

Related document:

Out-of-band Management with reserved management interfaces