kmohan
Staff
Article Id 394253
Description

 

This article describes how to configure FortiGate GUI access for both primary & secondary firewalls on the management interface.

 

Scope

 

FortiGate.

 

Solution

 

The management interface IP addresses of both cluster firewalls must be in the same subnet. Go to System -> HA, edit the Primary FortiGate, and enable the Management Interface Reservation option. Add the Mgmt port as the interface. If the Mgmt interface is not visible in the list, check whether there is any reference to the interface. Remove the reference, and the Mgmt port will become visible in the list and can be added.

 


 

Configuration using the CLI:

 

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <interface name>
            set gateway <X.X.X.X>
        next
    end
end

 

Configure the gateway IP address to be the same on both primary and secondary in the HA setting.

  • Gateway: The IPv4 address of the gateway will be on the same subnet.
  • As described in Technical Tip: HA Reserved Management Interface, if the interfaces meant to be HA reserved management interfaces are on the same subnet, there is no need to configure the gateway.
  • Destination subnet: If the unit needs to be accessed from a remote subnet, specify that subnet or use the wildcard subnet 0.0.0.0/0 (default setting).
  • Once it is configured, the FortiGate will perform a failover; now assign a different IP address in the same subnet to the management interface on the secondary.
  • Once configured, both firewalls will be accessible through the management IP address.
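
A preflight check for the addressing requirements above, as an added Python example (not from the article or from Fortinet): it reads each unit's configuration text and reports which requirement is violated. The sample configurations, the addresses and the function names mgmt_settings and check_pair are assumptions made for illustration.

```python
import ipaddress
# Constructed sample configs, not taken from the article (documentation address range).
PRIMARY = """\
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end
"""
SECONDARY = PRIMARY.replace("192.0.2.11", "192.0.2.12")

def mgmt_settings(cfg):
    """Return (address of the reserved management port, gateway or None)."""
    ips, ha, current, in_ha = {}, {}, None, False
    for line in cfg.splitlines():
        w = line.replace('"', "").split()
        if w[:1] in (["config"], ["end"]):
            in_ha = w[1:2] == ["ha-mgmt-interfaces"]  # true only inside that table
        elif w[:1] == ["edit"]:
            current = w[1]
        elif in_ha and len(w) == 3 and w[0] == "set":
            ha[w[1]] = w[2]  # collects "interface" and "gateway"
        elif w[:2] == ["set", "ip"] and len(w) == 4:
            ips[current] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    gw = ha.get("gateway")
    return ips.get(ha.get("interface")), gw and ipaddress.ip_address(gw)

def check_pair(primary_cfg, secondary_cfg):
    """Return the list of violated requirements; empty means the pair is consistent."""
    (p_ip, p_gw), (s_ip, s_gw) = mgmt_settings(primary_cfg), mgmt_settings(secondary_cfg)
    if p_ip is None or s_ip is None:
        return ["reserved management interface or its IP address not found"]
    gws = [g for g in (p_gw, s_gw) if g is not None]
    checks = [
        (p_ip.network != s_ip.network, "management IPs are in different subnets"),
        (p_ip.ip == s_ip.ip, "both units use the same management IP"),
        (p_gw != s_gw, "gateway differs between primary and secondary"),
        (any(g not in p_ip.network for g in gws), "gateway is outside the management subnet"),
    ]
    return [msg for failed, msg in checks if failed]
```

An empty list from check_pair(PRIMARY, SECONDARY) means the two units satisfy the same-subnet, distinct-address and matching-gateway requirements; a missing gateway on both units is accepted.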