Created on 03-06-2023 03:29 AM
Edited on 11-29-2024 01:54 AM
By Jean-Philippe_P
Description |
This article explains how to configure an HA-reserved management interface on a FortiGate 6000 chassis. |
Scope | FortiGate model 6000, software version 6.4.2 or above. |
Solution |
An HA reserved management interface provides direct management access (via HTTP, HTTPS, Ping, etc.) to each individual cluster unit on an HA cluster by reserving a management interface as part of the HA configuration.
This allows for the selection of one or more interfaces in the 'mgmt-vdom' VDOM to be HA-reserved management interfaces (mgmt1, mgmt2, and mgmt3).
Once the interfaces are configured to be reserved management interfaces, log in to each FortiGate-6000 in the HA cluster and configure the reserved management interface with individual IP addresses and other settings as required. It is also possible to configure routing for each reserved management interface.
Useful information:
Configuration using GUI: To configure an HA reserved management interface from the GUI: Go to System -> HA, edit the Chassis with the Primary role, and enable Management Interface Reservation.
The 'Interface' field will be the interface used for management access. This can be mgmt1, mgmt2, or mgmt3.
Now, configure the port intended for HA management. In this example, mgmt2 will be used. Make sure that the interface is not used as an SLBC management interface because it is not selectable as a reserved management interface:
config global
    config load-balance setting
        set slbc-mgmt-intf mgmt2   <-- Use another interface here.
    end
Set the IP address for the mgmt2 interface on the primary unit:
Connect to the secondary unit and set an individual IP address for the mgmt2 interface. Log into the secondary unit GUI by using the HTTPS special port. To set the gateway setting for the HA reserved management interface on the secondary unit, go to System -> HA, and edit the Chassis with the Secondary role. Under the Management Interface Reservation gateway setting, add the gateway IP addresses:
Supply the IP address for the mgmt2 interface:
In the background, FortiGate creates a hidden VDOM named vsys_hamgmt.
Configuration using CLI:
To configure an HA reserved management interface in the CLI, follow the steps below:
Set the IP address for the mgmt2 interface:
config system interface
The HA reserved management interface configuration is synced from the primary to the secondary unit. If a different gateway is necessary on the secondary unit, create the following configuration there:
config system ha
Verify the steps succeeded by checking if both units can be accessed with the individual IP addresses:
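The full CLI sequence for the two steps above, on both cluster units, as an added example that is not part of the original article. The addresses 10.10.10.11, 10.10.10.12 and the gateway 10.10.10.1 are constructed placeholders, and the commands assume FortiOS 6.4 on a FortiGate-6000 with VDOMs enabled, so the global context is used as in the SLBC example earlier.

```fortios
# On the primary unit: reserve mgmt2 as the HA management interface and
# give it this unit's own IP address (10.10.10.0/24 is a constructed network).
config global
    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt2"
                set gateway 10.10.10.1
            next
        end
    end
    config system interface
        edit "mgmt2"
            set ip 10.10.10.11 255.255.255.0
            set allowaccess ping https ssh
        next
    end
end

# On the secondary unit (log in through its console or the HTTPS special
# port): the reservation itself is synchronized from the primary, so only
# the unit-specific IP address and, if it differs, the gateway are set here.
config global
    config system interface
        edit "mgmt2"
            set ip 10.10.10.12 255.255.255.0
            set allowaccess ping https ssh
        next
    end
    config system ha
        config ha-mgmt-interfaces
            edit 1
                set gateway 10.10.10.1
            next
        end
    end
end
```

Afterwards each unit should answer on its own address (10.10.10.11 and 10.10.10.12 in this example) regardless of which unit currently holds the primary role.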
Additional information:
When an interface is configured as an HA reserved interface, no VDOM is displayed for it on the Network -> Interfaces page. Without an HA reserved interface:
Network -> Interfaces:
Here, only mgmt1 is configured. As there is no ha-reserved-interface used, the IP of mgmt1 is shared with the second unit of the cluster. If a failover happens, this IP will be used by the new primary unit of the cluster.
After the mgmt2 interface has been configured as an HA reserved interface, the VDOM is no longer displayed on the Network -> Interfaces page:
To check the routing table dedicated to vsys_hamgmt:
From the CLI: enter a VDOM (mgmt-vdom, for example), then enter the following command (no autocompletion is available):
execute enter vsys_hamgmt
The routing table can then be displayed with the command "get router info routing-table all".
Example:
Fortigate-6000 #
Fortigate-6000 (mgmt-vdom) # execute enter vsys_hamgmt (…) MBD SN: F6KF51XXXXXXXXXX
Routing table for VRF=0
Related articles: |