FortiGate
Bonghyun_Shin_FTNT
Article Id 197229

Description


The HA Standalone Management VDOM feature provides direct management access to each cluster unit by reserving a VDOM that is used only for management.

The assignment of ports to the MGMT VDOM is synchronized across the cluster; however, the configuration inside that VDOM is not synchronized.
Administrators can log in to any of the ports on each device and set up the IP addresses of the management VDOM individually per unit.
This allows the subordinate (slave) units to send logs directly to a syslog server, SNMP server, and so on, rather than through the primary unit.

It is recommended to use this interface for management purposes only. Creating VLAN interfaces on top of this interface, in other VDOMs, might cause unpredictable behavior, especially in VM environments.

FortiGate also has a similar feature, the HA Reserved Management Interface.
However, the HA Reserved Management Interface has a limitation when logging to a remote syslog server.

When remote logging is configured, all cluster units send log messages to remote FortiAnalyzer units or other remote servers as configured. HA uses routing and inter-VDOM links to route subordinate unit log traffic through the primary unit to the network.

When the HA Standalone Management VDOM is configured, each unit logs from its own management IP, so it is possible to verify on the syslog server which device sent each log message.

Solution
[Test topology diagram: Test_topology.JPG]

Requirements to enable this feature

1. The VDOM feature must be enabled.
2. A VDOM must be created for management, and this VDOM must be set as the management VDOM.

How to configure it in the CLI

config system global
    set vdom-admin enable
end

config vdom
    edit MGMT                     # new vdom created for management
end

config global
    config system global
        set management-vdom "MGMT"            # root vdom is not available for standalone-mgmt-vdom
    end

    config system ha
        set mode a-p
        set hbdev "port1" 50
        set standalone-mgmt-vdom enable           # new configuration for this feature
    end
end

config vdom
    edit MGMT
        config system interface
            edit mgmt1
                set vdom MGMT
                set ip 192.168.1.99 255.255.255.0    # management IP of the master unit
            next
        end

        config router static
            edit 1
                set device "mgmt1"
                set gateway 192.168.1.1
            next
        end
    next
end

On the slave unit:

config system ha
    set mode a-p
    set hbdev "port1" 50
    set standalone-mgmt-vdom enable
    set priority 200
end

Reboot the slave unit for configuration sync.

When the configuration sync is finished, configure the MGMT vdom and interface.

config system interface
    edit "mgmt1"
        set vdom "MGMT"
        set ip 192.168.1.100 255.255.255.0    # management IP of the slave unit, not synchronized
    next
end
config router static
    edit 1
        set device "mgmt1"
        set gateway 192.168.1.1
    next
end

config log syslogd setting
    set status enable
    set server "192.168.1.103"
end


On the syslog server, the source IP address of each message shows which cluster unit sent it: 192.168.1.99 is the master and 192.168.1.100 is the slave.

Feb 17 16:06:44 192.168.1.99 date=2014-02-16 time=23:09:10 devname=FG3K9B3E13700260 devid=FG3K9B3E13700260 logid=0001000014 type=traffic subtype=local level=notice vd=MGMT srcip=192.168.1.103 srcport=137 srcintf="mgmt1" dstip=192.168.1.255 dstport=137 dstintf="MGMT" sessionid=865 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=137/udp proto=17 app=137/udp duration=0 sentbyte=0 rcvdbyte=0

Feb 17 16:06:44 192.168.1.100 date=2014-02-16 time=23:09:10 devname=FG3K9B3E10700346 devid=FG3K9B3E10700346 logid=0001000014 type=traffic subtype=local level=notice vd=MGMT srcip=192.168.1.103 srcport=137 srcintf="mgmt1" dstip=192.168.1.255 dstport=137 dstintf="MGMT" sessionid=704 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=137/udp proto=17 app=137/udp duration=0 sentbyte=0 rcvdbyte=0
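To check on the syslog server side that every cluster member is logging from its own management IP, the following added Python example (not part of the original article) parses messages in the format shown above, maps each devid to the sender IP, and flags units that have gone silent; the two expected management IPs are assumed from the configuration in this article, and the sample lines are constructed from the two messages above.

```python
import re
from collections import defaultdict

# Constructed sample input, in the format of the two syslog lines shown above
# (syslog header, then the FortiGate key=value body). Fields trimmed for brevity.
SAMPLE_LINES = [
    'Feb 17 16:06:44 192.168.1.99 date=2014-02-16 time=23:09:10 '
    'devname=FG3K9B3E13700260 devid=FG3K9B3E13700260 logid=0001000014 '
    'type=traffic subtype=local level=notice vd=MGMT srcintf="mgmt1" status=deny',
    'Feb 17 16:06:44 192.168.1.100 date=2014-02-16 time=23:09:10 '
    'devname=FG3K9B3E10700346 devid=FG3K9B3E10700346 logid=0001000014 '
    'type=traffic subtype=local level=notice vd=MGMT srcintf="mgmt1" status=deny',
]

# Assumed: the management IPs configured on the two cluster units in this article.
EXPECTED_MGMT_IPS = {"192.168.1.99", "192.168.1.100"}

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)\s+(?P<body>.*)$")
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the FortiGate fields plus the syslog sender IP, or None if unparseable."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    fields["sender"] = m.group("sender")
    fields["syslog_ts"] = m.group("ts")
    return fields


def senders_by_device(lines):
    """Map each devid to the set of sender IPs its log messages arrived from."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and "devid" in rec:
            seen[rec["devid"]].add(rec["sender"])
    return dict(seen)


def audit(lines, expected_ips):
    """List expected management IPs that sent nothing (a unit not logging directly)
    and devids seen from more than one sender IP (worth investigating)."""
    by_dev = senders_by_device(lines)
    reporting = set().union(*by_dev.values())
    return {
        "silent_units": sorted(expected_ips - reporting),
        "multi_source_devids": sorted(d for d, ips in by_dev.items() if len(ips) > 1),
    }
```

Running audit over a log window with only the master's lines reports the slave's management IP under silent_units, which is the condition this feature is meant to make visible.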

Related Articles

Technical Tip: HA Reserved Management Interface