Created on 09-25-2022 09:05 PM
Edited on 09-16-2025 12:38 AM
By Jean-Philippe_P
Description | This article describes how to implement an independent management IP for an HA Cluster. |
Scope | FortiGate v6.4, v7.0, v7.2, v7.4, v7.6. |
Solution |
By default, in FGCP, FortiGate HA syncs all configuration from the primary to the secondary unit. This includes the management interface configuration. Therefore, only the primary is administratively accessible. The secondary is accessible only via the primary device (see Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage').
Using the 'high availability management IP address option', it is possible to add an independent management IP address to any cluster unit interface. This interface can be an in-band interface processing data traffic, or a dedicated-to-management out-of-band interface. Below is an example configuration of such an interface.
The command 'set management-ip' is not synced across the devices and is unique to each cluster unit. The snippet above shows that both cluster units are independently accessible on their configured management-ip.
Note that the IP used for the management-ip configuration should be a free IP in the same network range that is already configured on that interface, or an IP that has a valid route in the routing table.
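The per-unit setting described above, written out as an added example that is not taken from the original article. The interface name port4 matches the verification commands in this article; the 192.0.2.0/24 addresses and the allowaccess list are assumed values.

```fortios
# Constructed example: all addresses are placeholders from a documentation range.

# Shared interface settings. FGCP synchronizes these from the primary,
# so they read the same on both cluster units.
config system interface
    edit "port4"
        set ip 192.0.2.1 255.255.255.0
        # Assumed choice: only the protocols needed for administration.
        set allowaccess ping https ssh
    next
end

# On the primary only. management-ip is not synchronized, so this value
# stays local to the unit it is entered on.
config system interface
    edit "port4"
        set management-ip 192.0.2.11 255.255.255.0
    next
end

# On the secondary only (reached through the primary with
# 'execute ha manage'). A different free address in the same range.
config system interface
    edit "port4"
        set management-ip 192.0.2.12 255.255.255.0
    next
end

# Check on each unit that port4 lists both the interface IP and
# that unit's own management-ip.
diagnose ip address list | grep port4
```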
Here is another example of this configuration:
Now, each device is individually accessible even though there is no 'set ip' configuration on the interface itself. This is possible when the IP configured on management-ip has a valid route in the routing table.
The commands below are useful to verify the configurations:
fnsysctl ifconfig port4 --> This would only show the configured IP address on the interface, not the management-ip.
diagnose ip address list | grep port4 --> This would show both IP addresses associated with port4.
Conclusion:
Related documents:
Technical Tip: HA Reserved Management Interface
Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage' |