Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aionescu
Staff
Staff

Created on ‎04-05-2010 04:04 AM Edited on ‎06-15-2022 10:56 PM By Anonymous

Technical Tip: HA Reserved Management Interface

Description
This article describes how to configure FortiGate HA Reserved Management Interface.

It provides a direct management access to each individual cluster unit by reserving a management interface as part of the HA configuration.
A different IP address and administrative access settings can be configured for this interface for each cluster unit.

This simplifies the use of external services such as SNMP to monitor and manage the cluster units.

Note.
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each individual cluster member.

Solution


1) The HA direct management interface can be configured from the GUI as follows:
Go to System -> HA, edit Master FortiGate -> Management Interface Reservation and enable this option.


 
- Interface: interface used for management access.
- Gateway: IPv4 address of gateway in case the unit will be accessed from a different subnet.
- Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting).
 

Note.
The interface needs to be cleared from all configuration and references, 'Ref' need to be 0.

In this example, it is connected from a host 192.168.181.10/24 which is in the same subnet as port2 on the FortiGate cluster with IP 192.168.181.1, no gateway is used.

2) Issue the command '# get system HA status'. Use the HA cluster index of slave from the previous picture. Beware, as HA cluster index is different from HA operating index.

 
 
In order to connect to the slave FortiGate, proceed with the command on CLI:

- Execute'# ha manage <HA cluster index of slave> <user name> <password>'
 
Now, configure the port intended for HA management.
 
Since the configuration is synchronized, the slave FortiGate has remained with the address from the master FortiGate in the first place.
 
Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.
# config system interface
     edit port 2 (used in this example as a HA management interface)
        set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.
    next
end
As a result of the previous configuration, it is possible to connect to the slave unit directly through the HA management IP address.
 
 
For FortiOS 5.2 and 5.4.

Configuration using CLI:
#config system ha
    set ha-mgmt-status [enable|disable]
    set ha-mgmt-interface <interface-name>
    set ha-mgmt-interface-gateway     <----- Skipped when ha-mgmt-interface is in DHCP/PPPOA
end
#config system interface
    edit xxx
        set vdom xxx #skipped        <----- If the current interface is ha-mgmt-interface.
    next
end
From GUI.
 
 
Graphical view from the secondary unit:
 
 
A gateway can only be set from CLI.
#config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface port7
    set ha-mgmt-interface-gateway 172.31.224.10
end

Related Articles

Technical Note: How to Check Referenced Objects

95640
Contributors

Contact Us