iskandar_lie
Staff
Article Id 224671
Description This article describes how to implement an in-band management IP for an HA cluster.
Scope FortiGate v6.4, v7.0, v7.2, v7.4.
Solution

Direct management access is provided to each cluster unit by implementing an in-band management interface.
A different IP address and different administrative access settings can be configured on this interface for each cluster unit.

By default, an HA cluster has only one management IP address, so only the primary unit is administratively accessible.

The secondary unit is reached through the primary device (see the related documents).

Note:
The following command adds an in-band management IP address to an individual cluster unit's interface that is also connected to a network and processing traffic.

The in-band management IP address is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access. It can be added to the interface carrying the existing cluster management IP or to any other configured L3 interface.

Caution:

The IP used for in-band management should be a free IP in the same network range that is already configured on that interface, or an IP that has a valid route in the routing table.

FGT1 is the primary unit and FGT2 is the secondary unit.

[screenshot]

[screenshot]

Now each device is individually accessible.

[screenshot]

[screenshot]

Note:

Check that the IP addresses show up correctly on both devices in the cluster.

fnsysctl ifconfig port4    -> shows only the IP address configured on the interface, not the management-ip

diagnose ip address list | grep port4    -> shows both IP addresses associated with port4.
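The steps above, written out as an added CLI example (not from the original article) with constructed addresses: port4 carries the synchronized cluster IP 192.168.4.1/24, and each unit gets its own free address from that subnet as its in-band management IP. The secondary's cluster index (1) and the admin user name are assumptions; list the members with "execute ha manage ?" before connecting.

```fortios
# --- On FGT1 (primary): add a unit-specific in-band management IP to port4 ---
# 192.168.4.1/24 is the existing cluster interface IP; 192.168.4.11 is a
# constructed free address in the same subnet, as the Caution above requires.
config system interface
    edit "port4"
        set management-ip 192.168.4.11/24
        set allowaccess ping https ssh
    next
end

# --- On FGT2 (secondary): open its CLI through the primary ---
# Index 1 and user "admin" are assumptions; check with "execute ha manage ?".
execute ha manage 1 admin

# management-ip is not synchronized by HA, so it must be set on FGT2 itself,
# using a different free address from the same subnet.
config system interface
    edit "port4"
        set management-ip 192.168.4.12/24
        set allowaccess ping https ssh
    next
end

# --- Verify on each unit: only the diagnose output lists the management-ip ---
fnsysctl ifconfig port4
diagnose ip address list | grep port4
```

Both units now answer on their own address from the 192.168.4.0/24 subnet; hosts on other subnets still cannot reach the secondary, as the Conclusion below explains.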


Conclusion:

  • This method is an alternative to the reserved-management-interface.
  • This configuration is not synchronized between the cluster units.
  • This implementation has a limitation: access from another subnet is not possible, because only the active firewall has an active routing table; the passive unit does not.

Related documents:

Technical Tip: HA Reserved Management Interface

In-band management

Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage'

Technical Tip: How to implement In-Band Management interface for HA cluster along with normal traffi...