FortiGate
HatiUjja
Staff
Article Id 337040
Description

This article describes traffic behavior when there are two management interfaces with HA-direct enabled.

Scope

FortiGate HA.
Solution

In the following example, the FortiGate has two interfaces configured as HA management interfaces. To determine which interface will be the source of management traffic, follow the steps below:

config system ha
    set group-id 101
    set group-name "Fortinet"
    set mode a-p
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 2
            set interface "port7"
            set gateway 10.227.11.138
        next
        edit 3
            set interface "port4"
            set gateway 10.86.11.138
        next
    end
    set override disable
    set ha-direct enable
end

  • Check the kernel routing table in the vsys_hamgmt VDOM to see which interface is used for SNMP, syslog, or authentication-server traffic.
  • To enter the HA management VDOM, run the following commands:

config vdom
edit root   <- For this example, the root VDOM is the management VDOM.
execute enter vsys_hamgmt
current vdom=vsys_hamgmt:3

get router info kernel
tab=254 vf=1 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.86.11.138 dev=6(port4)
tab=254 vf=1 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.227.11.138 dev=9(port7)

  • As can be seen above, the HA management VDOM has a default route through each of the two interfaces, port4 and port7.
  • Generate an SNMP trap and run the packet sniffer to identify the outgoing interface. The output will be as follows:

diagnose sniffer packet any 'port 162' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[port 162]
45.129907 port4 out 10.86.10.201.162 -> 1.1.1.1.162: udp 223
63.064990 port4 out 10.86.10.201.162 -> 1.1.1.1.162: udp 223
80.155768 port4 out 10.86.10.201.162 -> 1.1.1.1.162: udp 223

3.461319 port4 out 10.86.10.201.24603 -> 2.2.2.2.514: udp 323
4.456554 port4 out 10.86.10.201.24603 -> 2.2.2.2.514: udp 470
7.458865 port4 out 10.86.10.201.24603 -> 2.2.2.2.514: udp 323

As can be seen from the above output, both the SNMP trap and the syslog traffic are forwarded out of port4, even though this interface is the second entry (edit 3) in the ha-mgmt-interfaces configuration.

Conclusion: FortiGate makes this decision based on the lowest interface index value. When the HA management VDOM holds a default route through more than one management interface, management traffic is sourced from the interface with the lowest interface index (here port4 with dev=6, rather than port7 with dev=9), regardless of the order of the entries under ha-mgmt-interfaces.
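To turn the two checks above into a repeatable verification, the following script is an added example (not part of this article or of FortiOS) that parses the `get router info kernel` and `diagnose sniffer packet` output shown above, predicts the egress interface using the lowest-interface-index rule from the conclusion, and flags any captured packet that left on a different interface. The line layouts matched by the regular expressions and the embedded sample output are assumptions copied from this page.

```python
import re

# Constructed sample input, copied from the kernel route and sniffer output shown above.
KERNEL_ROUTES = """\
tab=254 vf=1 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.86.11.138 dev=6(port4)
tab=254 vf=1 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.227.11.138 dev=9(port7)
"""
SNIFFER_OUTPUT = """\
45.129907 port4 out 10.86.10.201.162 -> 1.1.1.1.162: udp 223
3.461319 port4 out 10.86.10.201.24603 -> 2.2.2.2.514: udp 323
"""

# Assumed layouts, taken from the output on this page:
#   "<net>/<mask>/<x>-><prefix> pref=<ip> gwy=<ip> dev=<idx>(<name>)"
ROUTE_RE = re.compile(r"\S+->(?P<dst>\S+)\s+pref=\S+\s+gwy=(?P<gwy>\S+)\s+dev=(?P<idx>\d+)\((?P<name>[^)]+)\)")
#   "<time> <iface> out <src>.<sport> -> <dst>.<dport>: <proto> <len>"
SNIFF_RE = re.compile(r"^\S+\s+(?P<dev>\S+)\s+out\s+\S+\s+->\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<port>\d+):")

def parse_default_routes(kernel_text):
    """Return the default routes (destination 0.0.0.0/0) as dicts with name, idx and gwy."""
    routes = []
    for line in kernel_text.splitlines():
        m = ROUTE_RE.search(line)
        if m and m.group("dst") == "0.0.0.0/0":
            routes.append({"name": m.group("name"), "idx": int(m.group("idx")), "gwy": m.group("gwy")})
    return routes

def predicted_egress(routes):
    """Apply the rule from the conclusion: the default route on the lowest interface index wins."""
    return min(routes, key=lambda r: r["idx"]) if routes else None

def observed_egress(sniffer_text):
    """Collect (interface, destination IP, destination port) for every outbound packet in the capture."""
    packets = []
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            packets.append((m.group("dev"), m.group("dst"), int(m.group("port"))))
    return packets

def check_egress(kernel_text, sniffer_text):
    """Compare the predicted interface with the capture; return (predicted name, packets that disagree)."""
    pred = predicted_egress(parse_default_routes(kernel_text))
    if pred is None:
        return None, observed_egress(sniffer_text)  # no default route in the VDOM: nothing to predict
    mismatches = [p for p in observed_egress(sniffer_text) if p[0] != pred["name"]]
    return pred["name"], mismatches
```

Feed `check_egress` the real output of the two commands from your own unit; an empty mismatch list confirms the management traffic left on the predicted interface.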

For more information on the HA management VDOM, refer to Technical Tip: HA Reserved Management Interface's hidden VDOM (vsys_hamgmt VDOM).
