Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anderson_yee
Staff
Staff

Created on ‎09-05-2022 06:26 AM Edited on ‎08-24-2023 01:47 AM By Moderator

Article Id 222005

Technical Tip: How to configure a local-in policy on a HA reserved management interface

Description

 

This article describes how to configure a local-in policy on a HA reserved management interface.

 

Scope

 

Administrators can configure a local-in policy through the CLI with various services and source and destination addresses to have precise control over the specific traffic heading towards FortiGate interfaces.

Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.

However, the method differs slightly from the methods used by regular firewall interfaces.

Unlike with regular interfaces, an error will appear if a user is trying to apply the HA reserved management interface as interface settings during local-in policy creation.

The solution is to enable 'ha-mgmt-intf-only' settings before applying a HA reserved management interface to a local-in policy configuration.

 

Solution

 

Follow the steps below to configure a local-in policy associated with an HA reserved management interface.

In this environment, port6 has been set as a HA reserved management interface in HA configuration:


anderson_yee_0-1661502990943.png
The following error will appear if an HA reserved management interface (port 6) is applied directly under interface settings while creating a new local-in policy:


anderson_yee_1-1661502990948.png
To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port to our local-in policy.

 

The purpose is to enable dedication of an HA management interface only for local-in policy.

 

conf firewall local-in-policy

edit 1

set ha-mgmt-intf-only en <----- Enable HA management interface only for local-in policy.

set intf port6 <----- Now it is possible apply port6 as interface without any error.

set srcaddr <source_address_name>

set dstaddr <destination_address_name>

set service <service_name>

set action <accept/deny>

set status <enable/disable>

next

end

 

The local-in policy associated with the HA management interface (port6) has been successfully configured, as seen in the screenshot below:


anderson_yee_2-1661502990951.png

 

 

Note:

In the VDOM environment, this can be done on the specific VDOM where the HA management interface is allocated.

 

For example: the HA mgmt-interface in the diagram below is allocated to the root VDOM, so the result is that this policy can only be configured on the root VDOM.

 

This can only be configured in the management VDOM. By default, the root VDOM is the management VDOM.

 

image.png

15025
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.