FortiWeb
scheehan_FTNT
Article Id 193598

Description
This article explains, with configuration examples, how to set up routing for the HA reserved management interface.
The examples use a typical HA Active-Passive setup with an HA reserved management interface.

For more information about how to configure the HA reserved management interface, see:
https://docs.fortinet.com/document/fortiweb/6.4.1/administration-guide/404272/configuring-high-avail...
 
Only one default route is allowed on FortiWeb. A common mistake is to add a second default route in an attempt to steer HA management traffic along the expected path; FortiWeb rejects it, and management connectivity stays broken.
 
Note:
By design, only one default route (a static route with destination 0.0.0.0/0) is allowed on FortiWeb.

For example, if a default route is already configured under System -> Network -> Route, another default route cannot be configured in the HA route settings.

Because of this, connectivity to the HA management interface often breaks due to route configuration: the management interface accepts the admin connection, but the reply follows the single default route out a data interface instead of returning through the management interface. For more information about how HA static routes and HA policy routes behave, refer to the guide below.
https://docs.fortinet.com/document/fortiweb/6.4.1/administration-guide/964016/configuring-ha-setting...


Solution
Based on the typical HA active-passive topology, the following two use cases show how to route HA management traffic along the expected path.
Refer to the two possible solutions below:

Scenario 1

Client (admin user) connections come from an unknown network:
Unknown network means client connections may come from 10.10.10.x or from the internet.

From CLI


 
From GUI


 
Traffic that matches the source IP (the HA management interface IP address) is sent out interface port1 towards the specified gateway, regardless of the client source IP address.
Although the destination is any (0.0.0.0/0), the source IP restriction means this policy route does not conflict with the existing default route or other routes.
 
Replace the source address, outgoing interface, and gateway address according to your environment.
 
Verification Steps

Run a sniffer trace to confirm that connections to the HA management interface are answered on the expected interface.
The capture shows the HA management traffic returning according to the HA policy route: the SYN-ACK from 172.10.10.1 leaves on port1, the same interface on which the SYN arrived.
# diagnose network sniffer any 'host 172.10.10.1' 4
filters=[host 172.10.10.1]

interface=[port1]
9.374762 10.10.10.7.51131 -> 172.10.10.1.443: syn 1836135939

interface=[port1]
9.374775 172.10.10.1.443 -> 10.10.10.7.51131: syn 171024616 ack 1836135940

interface=[port1]
9.376389 10.10.10.7.51131 -> 172.10.10.1.443: ack 171024617

Scenario 2

Client (admin user) connections come from a known network:
Known network means client connections come only from 10.10.10.x. Either option will work, depending on the environment setup.
 
If traffic needs to match on source IP, use option A.

Option A

From CLI
 
 

 
 
From GUI
 
 
 
 
If traffic does not need to match on source IP, use option B.

Option B

From CLI
 
 
From GUI
 
 
 
 
Traffic that matches both the source IP (the HA management interface IP address) and the destination IP is sent out interface port1 towards the specified gateway.
Because of the source IP restriction, the policy route applies only to traffic that matches both criteria and does not conflict with other routes.
 
Alternatively, if no source IP match is required, option B (an HA static route for the known client network) is sufficient; note that a static route matches on destination only, so it applies to all traffic to that network, not just management replies.
Replace the source address, destination address, outgoing interface, and gateway address according to your environment.
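The following added Python model (not FortiWeb code and not from this article) shows why the designs above behave differently. It applies the generic Fortinet route-selection order the article relies on, policy routes first with both source and destination matching, then static routes by longest prefix, to three flows: the management interface replying to the LAN client, the management interface replying to a client on the internet, and ordinary data-plane traffic to the LAN client. The client 10.10.10.7, the management IP 172.10.10.1 and port1 are taken from the article; the data-plane address 192.0.2.10, the internet client 198.51.100.5, the gateway addresses and the default route leaving via port2 are assumptions made for illustration.

```python
"""Model of how a source-restricted HA policy route and a default route coexist.

Added example, not FortiWeb code. It reproduces only the generic behaviour the
article relies on: policy routes are consulted first and must match on both source
and destination; static routes are then chosen by longest destination prefix. The
client 10.10.10.7, the management IP 172.10.10.1 and interface port1 are from the
article. The data-plane address, the internet client, the gateways and the default
route leaving via port2 are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: str                    # destination prefix, e.g. "0.0.0.0/0"
    iface: str                  # outgoing interface
    gateway: str                # next hop
    src: Optional[str] = None   # policy routes only: source prefix that must also match


def choose_route(policy_routes: List[Route], static_routes: List[Route],
                 src_ip: str, dst_ip: str) -> Optional[Route]:
    """Return the route a packet from src_ip to dst_ip takes in this model."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Policy routes, in configured order: source and destination must both match.
    for r in policy_routes:
        src_ok = r.src is None or s in ipaddress.ip_network(r.src)
        if src_ok and d in ipaddress.ip_network(r.dst):
            return r
    # 2. Static routes: the longest matching destination prefix wins.
    best = None
    for r in static_routes:
        net = ipaddress.ip_network(r.dst)
        if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.dst).prefixlen):
            best = r
    return best


def can_add_static_route(table: List[Route], new: Route) -> bool:
    """Model of the FortiWeb restriction: only one 0.0.0.0/0 static route is allowed."""
    def is_default(r: Route) -> bool:
        return ipaddress.ip_network(r.dst).prefixlen == 0
    return not (is_default(new) and any(is_default(r) for r in table))


MGMT_IP = "172.10.10.1"           # HA reserved management interface on port1 (article)
LAN_CLIENT = "10.10.10.7"         # admin workstation on the known network (article)
INTERNET_CLIENT = "198.51.100.5"  # assumed: an admin connecting from the internet
DATA_IP = "192.0.2.10"            # assumed: a FortiWeb data-plane address
MGMT_GW = "172.10.10.254"         # assumed: gateway on the management network
DEFAULT_ROUTE = Route("0.0.0.0/0", "port2", "203.0.113.1")  # assumed: the one default route, via a data interface


def egress(policy_routes: List[Route], static_routes: List[Route]) -> Dict[str, str]:
    """Egress interface for the three flows that decide whether a design works."""
    def via(src: str, dst: str) -> str:
        r = choose_route(policy_routes, static_routes, src, dst)
        return r.iface if r else "unroutable"
    return {
        "mgmt_reply_to_lan_client": via(MGMT_IP, LAN_CLIENT),
        "mgmt_reply_to_internet_client": via(MGMT_IP, INTERNET_CLIENT),
        "data_traffic_to_lan_client": via(DATA_IP, LAN_CLIENT),
    }


def broken_setup() -> Dict[str, str]:
    # Default route only: a SYN that arrived on port1 is answered out port2 (asymmetric).
    return egress([], [DEFAULT_ROUTE])


def scenario1() -> Dict[str, str]:
    # HA policy route: source = management IP, destination = any, out port1.
    return egress([Route("0.0.0.0/0", "port1", MGMT_GW, src=f"{MGMT_IP}/32")], [DEFAULT_ROUTE])


def scenario2_option_a() -> Dict[str, str]:
    # HA policy route: source = management IP AND destination = known client network.
    return egress([Route("10.10.10.0/24", "port1", MGMT_GW, src=f"{MGMT_IP}/32")], [DEFAULT_ROUTE])


def scenario2_option_b() -> Dict[str, str]:
    # HA static route for the known client network; no source match.
    return egress([], [DEFAULT_ROUTE, Route("10.10.10.0/24", "port1", MGMT_GW)])


if __name__ == "__main__":
    for name, fn in (("broken", broken_setup), ("scenario1", scenario1),
                     ("scenario2 option A", scenario2_option_a),
                     ("scenario2 option B", scenario2_option_b)):
        print(f"{name:20} {fn()}")
    print("second default route allowed:",
          can_add_static_route([DEFAULT_ROUTE], Route("0.0.0.0/0", "port1", MGMT_GW)))
```

Running it shows that with only the default route every reply leaves port2 (asymmetric, so the admin session that arrived on port1 fails); Scenario 1 returns management replies to any client via port1 while data traffic still follows the default route; option A does the same only for clients in 10.10.10.0/24; option B also fixes the return path for the known network, but because a static route matches destination only, data-plane traffic to 10.10.10.0/24 moves to port1 as well. `can_add_static_route` models the one-default-route restriction from the Note above.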

Verification Steps

Run a sniffer trace to confirm that connections to the HA management interface are answered on the expected interface.
The capture shows the HA management traffic returning according to the HA policy route (option A) or the HA static route (option B): the SYN-ACK from 172.10.10.2 leaves on port1, the same interface on which the SYN arrived.
# diag network sniffer any 'host 172.10.10.2' 4
filters=[host 172.10.10.2]

interface=[port1]
3.373251 10.10.10.7.51211 -> 172.10.10.2.443: syn 560192458

interface=[port1]
3.373261 172.10.10.2.443 -> 10.10.10.7.51211: syn 2110820095 ack 560192459

interface=[port1]
3.374993 10.10.10.7.51211 -> 172.10.10.2.443: ack 2110820096

For information on how to run a sniffer capture, see:
https://docs.fortinet.com/document/fortiweb/6.3.15/cli-reference/195396/network-sniffer
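To make the verification step repeatable, here is an added Python checker (not a FortiWeb tool and not from this article) for the `diagnose network sniffer` text format shown above: an `interface=[...]` line followed by a packet line. For every client SYN to the management IP on port 443 it finds the matching SYN-ACK and reports whether the reply left on the same interface the request arrived on. `SAMPLE_OK` is the Scenario 1 capture from this article; `SAMPLE_ASYMMETRIC` is a constructed capture of the failure mode described in the Note, where the reply follows the default route out port2.

```python
"""Parse 'diagnose network sniffer' output and check the HA management return path.

Added example; not a FortiWeb tool. It reads the sniffer text format shown in the
article (an 'interface=[...]' line followed by a packet line) and, for every client
SYN to the management IP, finds the SYN-ACK and confirms it left on the same
interface. SAMPLE_OK is the capture from the article; SAMPLE_ASYMMETRIC is a
constructed capture of the misrouted case (reply leaving port2).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

IFACE_RE = re.compile(r"^\s*interface=\[(?P<iface>[^\]]+)\]")
PKT_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"syn"}, {"syn", "ack"}, {"ack"}


def parse_sniffer(text: str) -> List[Packet]:
    """Turn sniffer output into Packet records; each packet line inherits the preceding interface line."""
    pkts: List[Packet] = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = PKT_RE.match(line)
        if m and iface is not None:
            # TCP flag words are the alphabetic tokens after the colon; numbers are seq/ack values.
            flags = frozenset(t for t in m.group("rest").split() if t.isalpha())
            pkts.append(Packet(iface, float(m.group("ts")), m.group("src"), int(m.group("sport")),
                               m.group("dst"), int(m.group("dport")), flags))
    return pkts


def check_return_path(pkts: List[Packet], mgmt_ip: str, mgmt_port: int = 443) -> List[Dict[str, str]]:
    """One finding per client SYN: 'ok', 'asymmetric:<in>-><out>' or 'no_reply'."""
    findings = []
    for s in pkts:
        if not (s.dst == mgmt_ip and s.dport == mgmt_port and s.flags == {"syn"}):
            continue
        reply = next((p for p in pkts
                      if p.src == mgmt_ip and p.sport == mgmt_port
                      and p.dst == s.src and p.dport == s.sport
                      and {"syn", "ack"} <= p.flags), None)
        if reply is None:
            verdict = "no_reply"
        elif reply.iface != s.iface:
            verdict = f"asymmetric:{s.iface}->{reply.iface}"
        else:
            verdict = "ok"
        findings.append({"client": f"{s.src}:{s.sport}", "request_iface": s.iface, "verdict": verdict})
    return findings


# Capture from the article (Scenario 1).
SAMPLE_OK = """\
interface=[port1]
9.374762 10.10.10.7.51131 -> 172.10.10.1.443: syn 1836135939
interface=[port1]
9.374775 172.10.10.1.443 -> 10.10.10.7.51131: syn 171024616 ack 1836135940
interface=[port1]
9.376389 10.10.10.7.51131 -> 172.10.10.1.443: ack 171024617
"""

# Constructed: same handshake, but the SYN-ACK follows the default route out port2.
SAMPLE_ASYMMETRIC = """\
interface=[port1]
1.000100 10.10.10.7.52000 -> 172.10.10.1.443: syn 1000
interface=[port2]
1.000120 172.10.10.1.443 -> 10.10.10.7.52000: syn 2000 ack 1001
"""

if __name__ == "__main__":
    for name, text in (("article capture", SAMPLE_OK), ("constructed misrouted capture", SAMPLE_ASYMMETRIC)):
        for f in check_return_path(parse_sniffer(text), "172.10.10.1"):
            print(name, f)
```

Paste the output of the sniffer command into `parse_sniffer`; a verdict of `asymmetric:port1->port2` is the signature of the route problem this article addresses, and `no_reply` means no SYN-ACK for that SYN was captured (run the sniffer on `any`, as in the article, so replies on other interfaces are not missed).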