Description
This article describes the steps to create a FortiManager HA cluster in different VLANs.
Scope
FortiManager.
Solution
The setup is:
2x FortiManager VMs.
1x FortiGate-VM.
VLAN 644 – 10.44.1.0/24.
VLAN 10 – 10.10.1.0/24.
FMG_VLAN644 port3 has IP 10.44.1.161.
FMG_VLAN10 port3 has IP 10.10.0.72.
FGT VLAN10 port4 has IP 10.10.1.4 ; VLAN644 port2 has IP 10.44.1.4.
Every FortiManager has a route to the other one using the FortiGate local IP as a gateway.
The firewall policy does not include NAT for vlan10 and vlan644 in both directions.
FortiManager HA manual setup (non-VRRP as it will require VIP).
Additional information can be found in: 'Download Debug Log'.
CLI configuration:
FMG_vlan10 # show system ha
config system ha
set clusterid 33
set file-quota 2048
set mode primary
set password ENC MTY3MDQ3NDQ5OTM
config peer
edit 1
set ip 10.44.1.161
set serial-number "FMGVMSTM22003098"
next
end
end
---
config system route
edit 2
set device "port3"
set dst 10.44.1.161 255.255.255.255
set gateway 10.10.1.4
next
end
It is a good practice to share the IPs of both FortiManagers to the FortiGates using the following setting.
config system admin setting
set mgmt-fqdn <FMmasterIP/FQDN> <FMslaveIP/FQDN>
end
For more information and if there is a NAT review the documents below:
Docs: Configuring the management address
From the FortiGate side:
Docs: Configuring central management
Docs: config system central-management
Troubleshooting:
diag sniffer packet any 'host 10.10.0.72 and host 10.44.1.161' 3
get system ha-status
diagnose debug application ha 255
diagnose debug enable
The traffic between both devices can be reviewed from the FortiGate.
Related documents: