Technical Tip: Implement In-Band Management IP for HA Cluster

Direct management access is provided to each cluster unit by implementing an in-band management interface.
A different IP address and administrative access settings can be configured for this interface for each cluster unit.

By default, HA will have only 1 (one) single IP management for a cluster. Therefore, only primary will be administratively accessible. 

The secondary is accessible via the primary device (see related documents).

Note.
It is possible to use the following command to add an in-band management IP address to an individual cluster unit interface that is also connected to a network and processing traffic.

The in-band management IP address is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access. It can be added to existing cluster management IP or any other configured L3 interface.

Caution: 

The IP that will be used for in-band management should be a free IP of the same network range that is already configured on that interface and a valid route OR an IP which have a valid route into the routing table

FGT1 – is the primary and FGT2 – is the secondary.

Now each device is individually accessible.

Conclusion:

• This method is an alternative to the reserved-management-interface.
• This configuration will be not synchronized between the cluster.
• This implementation has a limitation where accessing from another subnet is impossible. This is due to only active firewalls having an active routing table whilst passive not. 

Related documents:

Technical Tip: HA Reserved Management Interface.

In-band management.

Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage'.

Technical Tip: How to implement In-Band Management interface for HA cluster along with normal traffi...