FortiGate
saleha
Staff
Article Id 327378
Description This article describes best-practice recommendations for an HA reserved management interface when it is connected to a FortiSwitch that is managed over FortiLink.
Scope FortiOS, FortiSwitch.
Solution
  • To stay focused, this article only covers the small additions needed when the management interface hangs off a FortiLink-managed switch, compared with the regular setup that uses a standalone switch.
  • For how to set up an HA reserved management interface in general, see Technical Tip: HA Reserved Management Interface.
  • When the FortiSwitch is managed by the FortiGate, the management VLAN must be created as a VLAN interface on top of the FortiLink interface (it cannot be an ordinary physical-port VLAN).
  • The management VLAN must be assigned an IP address from the same subnet as (overlapping with) the interface that will be reserved for HA management. This is what allows the management VLAN IP to serve as the reserved interface's gateway; otherwise, the FortiGate will not know how to route the management traffic coming from the switch to the reserved interface.

 

config sys interface
    edit vlan_mgmt
        set interface fortilink
        set vlanid <id>
        set ip y.y.y.y <netmask>
        ………
    next
end

 

  • The HA reserved management interface has to be assigned an IP address in the same subnet as the management VLAN, and the administrative protocols that are actually required (for example HTTPS and SSH) have to be enabled with allowaccess. Do not enable more than is needed on an out-of-band interface.

config sys interface
    edit mgmt
        set ip x.x.x.x <netmask>
        set allowaccess https ping ssh <- Assuming these are the required management tools.
        ………….
    next
end

 

  • The reserved interface under the HA config requires a gateway address. In this setup, the gateway is the IP address assigned to the management VLAN interface (y.y.y.y above):

config sys ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <mgmt>
            set gateway <y.y.y.y> <- Management VLAN interface IP address.
        next
    end
end

 

  • This is enough to let the maintenance or admin computer, connected to a switch port in the management VLAN, reach the reserved management interface of the primary unit.
  • If out-of-band management of the secondary cluster member is also required, the same interface that was reserved for management on the primary (mgmt in the example) has to be configured the same way on the secondary, because the reserved interface's address is not synchronized between cluster members. It must be given a different IP address from the same subnet as the primary's reserved interface. For reference, see this section of the documentation.
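The steps above combined into one complete, worked configuration for both cluster members. This is an added example, not configuration from the original article, and all values are constructed: management subnet 192.0.2.0/24, FortiLink interface "fortilink" (the default name), VLAN ID 100, VLAN IP 192.0.2.1, reserved interface "mgmt" with 192.0.2.11 on the primary and 192.0.2.12 on the secondary, switch port5 cabled to each FortiGate's mgmt port and port6 to the admin workstation. The switch serial is a placeholder. The ha-mgmt-interfaces sub-table uses the keyword names of current FortiOS (6.0 and later).

```fortios
# ---------- Primary unit ----------
# Management VLAN on top of the FortiLink interface.
# Constructed values: VLAN ID 100, subnet 192.0.2.0/24.
config system interface
    edit "vlan_mgmt"
        set vdom "root"
        set interface "fortilink"
        set vlanid 100
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
    next
end

# Put the FortiSwitch ports into the management VLAN as their native
# (untagged) VLAN. port5 faces the FortiGate mgmt port, port6 the admin
# workstation. <switch-serial> is a placeholder for the managed switch.
config switch-controller managed-switch
    edit "<switch-serial>"
        config ports
            edit "port5"
                set vlan "vlan_mgmt"
            next
            edit "port6"
                set vlan "vlan_mgmt"
            next
        end
    next
end

# Reserved management interface: same subnet as vlan_mgmt, distinct address.
# Only the protocols that are actually needed are enabled; no http or telnet.
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess https ssh ping
    next
end

# Reserve the interface for out-of-band HA management. The gateway is the
# management VLAN IP; the reserved interface keeps its own default route
# to this gateway, separate from the cluster's routing table.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end

# ---------- Secondary unit ----------
# Entered on the secondary's console or via
#   execute ha manage <index> <admin-username>
# The reserved interface's address is not synchronized, so it is set per
# unit: same interface, same subnet, a different IP.
config system interface
    edit "mgmt"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess https ssh ping
    next
end

# ---------- Verification ----------
# On either unit:
get system ha status
# From the admin workstation (e.g. 192.0.2.50/24 on port6):
#   https://192.0.2.11   -> primary
#   https://192.0.2.12   -> secondary
```

Each unit's mgmt port must be physically cabled to a switch port whose native VLAN is vlan_mgmt, and the admin workstation needs an address in 192.0.2.0/24. Because this interface is reachable out of band, keep allowaccess to the minimum set required and restrict administrator accounts with trusthosts (a hardening step beyond the article itself).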