FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 248223

This article explains how to configure an HA-reserved management interface on a FortiGate 6000 chassis.

Scope FortiGate model 6000, software version 6.4.2 or above.

An HA reserved management interface provides direct management access (via HTTP, HTTPS, Ping, etc.) to each individual cluster unit on an HA cluster by reserving a management interface as part of the HA configuration.


This allows for the selection of one or more interfaces in the 'mgmt-vdom' VDOM to be HA-reserved management interfaces (mgmt1, mgmt2, and mgmt3).


Once the interfaces are configured to be reserved management interfaces, log in to each FortiGate-6000 in the HA cluster and configure the reserved management interface with individual IP addresses and other settings as required. It is also possible to configure routing for each reserved management interface.


Useful information:

  • The routing configuration is not synchronized and can be configured separately for each FortiGate-6000 in the cluster.
  • Configuration changes to a reserved management interface are not synchronized to other cluster units.
  • Select an interface only if it has not been used in another configuration. The number of references ('Ref') of the interface should be 0.
  • Reserved management interfaces and their IP addresses should not be used for managing a cluster using FortiManager.


Configuration using GUI:

  1. To configure an HA reserved management interface from the GUI:

Go to System -> HA, edit the Chassis with the Primary role, and enable Management Interface Reservation.




The 'Interface' field will be the interface used for management access. This can be mgmt1, mgmt2, or mgmt3.


Now, configure the port intended for HA management. In this example, mgmt2 will be used.


Set the IP address for the mgmt2 interface on the primary unit:




  1. Connect to the secondary unit and set an individual IP address for the mgmt2 interface.

    Log into the secondary unit GUI by using the HTTPS special port.

    To set the gateway setting for the HA reserved management interface on the secondary unit, go to System -> HA, and edit the Chassis with the Secondary role. Under the Management Interface Reservation gateway setting, add the gateway IP addresses:




    Supply the IP address for the mgmt2 interface:




    In the background, FortiGate creates a hidden VDOM named vsys_hamgmt.


    Configuration using CLI:


    To configure an HA reserved management interface in the CLI, follow the steps below:


  2. On the Primary unit:


    Create the following HA reserved management interface configuration:


    config system ha

        set ha-mgmt-status enable

            config ha-mgmt-interfaces

          edit 1

           set interface "mgmt2"

           set gateway x.x.x.x




    Set the IP address for the mgmt2 interface:


    config system interface
        edit mgmt2
            set ip x.x.x.x/24



  3. The HA reserved management interface configuration is synced from the primary to the secondary unit if a gateway change is necessary. On the secondary unit, create the following configuration:


    config system ha
        config ha-mgmt-interfaces
            edit 1
                set gateway y.y.y.y


    Verify the steps succeeded by checking if both units can be accessed with the individual IP addresses:




Related articles:

How to use the special port

How to Check Referenced Objects