Created on 02-17-2014 01:42 AM, edited on 02-22-2025 05:50 PM, by Rajan_kohli
Description
The HA Standalone Management VDOM feature provides direct management access to individual cluster units by reserving a VDOM dedicated to management.
The assignment of ports to the management VDOM is synchronized across the cluster, but the configuration inside that VDOM is not synchronized.
An administrator can log in to any of those ports on each device and set the IP addresses of the management VDOM individually.
This allows the secondary units to send directly to a syslog server, SNMP server, etc.
It is recommended to use this interface for management purposes only. Creating VLAN interfaces on top of this interface in other VDOMs might cause unpredictable behavior, especially in VM environments.
FortiGate has a similar feature, the HA Reserved Management Interface.
However, the HA Reserved Management Interface has a limitation with regard to remote syslog servers.
When remote logging is configured, all cluster units send log messages to remote FortiAnalyzer units or other remote servers as configured. HA uses routing and inter-VDOM links to route subordinate unit log traffic through the primary unit to the network.
When the HA Standalone Management VDOM is configured, the syslog server shows which device is sending each log.
Scope
FortiGate.
Solution
How to enable this feature:
- VDOM mode must be enabled.
- A VDOM must be created for management, and that VDOM must be set as the management VDOM.
How to configure it in the CLI.
For v5.6 and v6:
config system global
set vdom-admin enable
end
From v6.2.x:
config sys global
set vdom-mode multi-vdom
end
config vdom
edit MGMT <----- New VDOM created for management.
end
config global
config system global
set management-vdom "MGMT" <----- Root VDOM is not available for standalone-mgmt-vdom.
end
config system ha
set mode a-p
set hbdev "port1" 50
set standalone-mgmt-vdom enable <----- New configuration for this feature.
end
end
config vdom
edit MGMT
config system interface
edit mgmt1
set vdom MGMT
set ip 192.168.1.99 255.255.255.0
end
config router static
edit 1
set device "mgmt1"
set gateway 192.168.1.1
next
end
end <----- Leave the MGMT VDOM context.
On the secondary unit:
config system ha
set mode a-p
set hbdev "port1" 50
set standalone-mgmt-vdom enable
set priority 200
end
Reboot the secondary unit so that the configuration is synchronized.
When the configuration sync is finished, configure the MGMT VDOM and its interface.
config system interface
edit "mgmt1"
set vdom "MGMT"
set ip 192.168.1.100 255.255.255.0
end
config router static
edit 1
set device "mgmt1"
set gateway 192.168.1.1
next
end
config log syslogd setting
set status enable
set server "192.168.1.103"
end
On the syslog server, the source IP address of each message shows which unit sent the log.
Feb 17 16:06:44 192.168.1.99 date=2014-02-16 time=23:09:10 devname=FG3K9B3E13-----0 devid=FG3K9B3E13-----0 logid=0001000014 type=traffic subtype=local level=notice vd=MGMT srcip=192.168.1.103 srcport=137 srcintf="mgmt1" dstip=192.168.1.255 dstport=137 dstintf="MGMT" sessionid=865 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=137/udp proto=17 app=137/udp duration=0 sentbyte=0 rcvdbyte=0
Feb 17 16:06:44 192.168.1.100 date=2014-02-16 time=23:09:10 devname=FG3K9B3E10-----6 devid=FG3K9B3E10700346 logid=0001000014 type=traffic subtype=local level=notice vd=MGMT srcip=192.168.1.103 srcport=137 srcintf="mgmt1" dstip=192.168.1.255 dstport=137 dstintf="MGMT" sessionid=704 status=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=137/udp proto=17 app=137/udp duration=0 sentbyte=0 rcvdbyte=0
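As an added example (not part of the original article), the check below parses FortiGate key=value syslog lines like the two above and confirms that each cluster member's logs arrive from its own management-VDOM address rather than being relayed through the primary. The device serials, names and the expected IP mapping are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the syslog lines above; the device
# names and serials are placeholders, not real cluster identifiers.
SAMPLE_LOGS = [
    'Feb 17 16:06:44 192.168.1.99 date=2014-02-16 time=23:09:10 devname=FG-PRIMARY '
    'devid=FGEXAMPLE0000001 logid=0001000014 type=traffic subtype=local vd=MGMT '
    'srcip=192.168.1.103 srcintf="mgmt1" dstintf="MGMT" status=deny',
    'Feb 17 16:06:44 192.168.1.100 date=2014-02-16 time=23:09:10 devname=FG-SECONDARY '
    'devid=FGEXAMPLE0000002 logid=0001000014 type=traffic subtype=local vd=MGMT '
    'srcip=192.168.1.103 srcintf="mgmt1" dstintf="MGMT" status=deny',
]

# Assumed mapping of cluster member serial -> its own management-VDOM IP.
EXPECTED_MGMT_IP = {
    "FGEXAMPLE0000001": "192.168.1.99",
    "FGEXAMPLE0000002": "192.168.1.100",
}

HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_syslog(line):
    """Split a FortiGate syslog line into the sending IP (syslog header) and
    the key=value body; quoted values are returned without their quotes."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return {"timestamp": m.group(1), "sender_ip": m.group(2), **fields}


def check_direct_logging(lines, expected=EXPECTED_MGMT_IP):
    """Return one finding per cluster member whose logs did not arrive from
    its own management IP (e.g. they were relayed through the primary),
    plus a finding for any member that never logged at all."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_fortigate_syslog(line)
        if rec and "devid" in rec:
            seen[rec["devid"]].add(rec["sender_ip"])
    findings = []
    for devid, mgmt_ip in expected.items():
        if devid not in seen:
            findings.append(f"{devid}: no logs received")
        elif seen[devid] != {mgmt_ip}:
            findings.append(f"{devid}: logs arrived from {sorted(seen[devid])}, expected {mgmt_ip}")
    return findings
```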