Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aionescu
Staff
Staff

Created on ‎04-05-2010 04:04 AM Edited on ‎09-24-2025 05:35 AM By Moderator

Article Id 190132

Technical Tip: HA Reserved Management Interface

Description

 

This article describes how to configure the FortiGate HA Reserved Management Interface.

The aim is to provide direct management access to each cluster unit using a different IP address by reserving a management interface as part of the HA configuration.

This simplifies the use of external services such as SNMP to monitor and manage the cluster units.

Note/prerequisite:
It is not possible to use this interface to route traffic as it is an Out-Of-Band management interface for each cluster member, use a different subnet for 'HA Reserved Management Interface (Out-Of-Band) than the cluster access subnet, and if the need is to use the same subnet, consider using In-Band Management as explained in this article: Technical Tip: How to implement In-Band Management.

 

Scope

 

FortiGate.


Solution

 

  1. The HA direct management interface can be configured from the GUI as follows:
    Go to System -> HA, edit Primary FortiGate -> Management Interface Reservation, and enable this option.

 
  • Interface: An interface used for management access. Bear in mind that if the interface (port2 in this case, as shown in the screenshot) is used as the SLBC management interface, then it is not available to be selected as a reserved management interface

 

In a multi-VDOM setup, use the following command:

 

config global
    config load-balance setting
        set slbc-mgmt-intf port2
end


Note:
The interface must not be referenced in any config to be set as a reserved management interface. To check if the interface is referenced, use this KB article: Technical Tip: How to Check Referenced Objects.

  • Gateway: IPv4 address of the gateway in case the unit will be accessed from a different subnet.
  • Destination subnet: In case the unit needs to be accessed from a remote subnet, specify the subnet or use the wildcard subnet 0.0.0.0/0 (default setting). Ensure that the traffic arrives through the same interface; otherwise, it will be dropped, and access will not be possible (port2 in this case).
     
In this example, it is connected from a host 192.168.181.10/24, which is in the same subnet as port2 on the FortiGate cluster with IP 192.168.181.1; no gateway is used.
 
  1. Issue the command 'get system ha status'. Use the HA cluster index of the slave from the previous picture. Beware, as the HA cluster index is different from the HA operating index.
 
 
To connect to the secondary FortiGate, proceed with the following command in the CLI:

 

execute ha manage <HA cluster index of slave> <username> <password>

 
Configure the port intended for HA management.
 
Since the configuration is synchronized, the secondary FortiGate has retained the address from the master FortiGate in the first place.
 
Since the HA management interface does not sync the configuration with the cluster, it is possible to change the IP address.
 
config system interface
    edit port 2 <-- Used in this example as a HA management interface.
        set ip <IP address> <subnet mask> <----- Set IP 192.168.181.2 255.255.255.0 here.
    next
end
 
As a result of the previous configuration, it is possible to connect to the secondary unit directly through the HA management IP address.
 
 
For v5.2 and v5.4.

Configuration using CLI:
 
config system ha
    set ha-mgmt-status [enable|disable]
    set ha-mgmt-interface <interface-name>
    set ha-mgmt-interface-gateway     <----- Skipped when ha-mgmt-interface is in DHCP/PPPOA.
end
 
config system interface
    edit xxx
        set vdom xxx #skipped        <----- If the current interface is ha-mgmt-interface.
    next
end
 
From the GUI:
 
 
Graphical view from the secondary unit:
 
 
A gateway can only be set from the CLI.
 
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface port7
    set ha-mgmt-interface-gateway 172.31.224.10
end
 

For v6.4.x and newer versions:

 

Configuration using the CLI:

 

config system ha
    set ha-mgmt-status [enable|disable]
        config ha-mgmt-interface

            edit <x>

                set interface <interface name>

                set gateway <xxx.xxx.xxx.xxx> 

            next

        end

 

As an example, this is how this configuration looks on the CLI:

 

HAAAAAA.PNG

The gateway IP address has to be configured on the secondary unit as well. Without configuring the gateway IP on the secondary unit, the secondary unit cannot be accessible from the GUI.

For version 7.6.3+ FortiOS supports IPv6 for HA reserved management port and usage of IPv6 gateway:

 

config system ha
    set ha-mgmt-status [enable|disable]
        config ha-mgmt-interface
            edit <x>
                set interface <interface name>
                set gateway <xxx.xxx.xxx.xxx>
                set gateway6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
            next
        end
end

 

Related documents:
Technical Tip: Default route via HA reserved management Interface not visible on route table 

Out-of-band Management with reserved management interfaces

Setting up an HA reserved management Interface on the FortiGate 6000 Chassis 

Technical Tip: FortiGate High Availability Resource List

223887
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.