Fortinet Forum
bigkeoni64
New Contributor

GUI into HA2

Hello - is it possible to GUI into the secondary of an HA cluster even though there are no MGMT interfaces configured - only WAN?

I know I can log into the HA2 via CLI, but it does not appear I can GUI into HA2. I assume if I had an MGMT interface configured I would be able to?

Thank you.

7 Replies
Toshi_Esumi
Esteemed Contributor II

Direct answer would be below. You didn't mention the model of FGT, but almost any port, if not all, can be made an MGMT port; then set a different IP on primary and secondary, and just have the same GW IP in the same subnet.

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/313152/out-of-band-managemen...

But why do you need to see the GUI on the secondary? There are not many situations I can think of. Interface status is on the HA page in the primary's GUI, most of the HA-related commands need to be executed via CLI, and the rest should be identical between them.

One possible situation is when the secondary is out of sync (intentionally or unintentionally) and you want to upload a config copied and modified from the primary's to force sync or speed up the sync process. But other than that, I can't think of anything else the GUI on the secondary is needed for.

Toshi

aahmadzada

Having access to the secondary cluster member can be useful for monitoring purposes and troubleshooting.

Having dedicated mgmt for each cluster member will give you the opportunity to monitor each and every cluster member separately.

In short, if your environment allows you to set up a mgmt interface for each and every cluster member, go for it.

Ahmad

Toshi_Esumi
Esteemed Contributor II

To just monitor the secondary units, CLI/API would probably be much better than GUI, to me.

Toshi

bigkeoni64
New Contributor

Actually, I think having access to the GUI during the setup is very useful to do a side-by-side comparison during the initial configuration.

In my case with these 101F devices I have, HA2 is out-of-sync. Turns out that the ISDB is different on the HA2 and there are some minor differences.

I will have to open up a case with support on how to fix this.

I appreciate everyone's perspective as these are new for me since I came from a Palo Alto environment.

Toshi_Esumi
Esteemed Contributor II

Unlike PAN, with FortiGate you don't have to upgrade individual units or do the syncing. What you need to set up initially is:

1. Configure HA on both units as well as the hostname and dedicated management interface. You can do it via CLI easily. Make sure the primary's uptime is much longer (more than 5 min difference) than the secondary's.

2. Configure everything else on the primary unit only.

3. Then hook up networks including HA connections so that the secondary syncs up with the primary. It might take quite a long time.

If you want to see the progress of syncing, you need to have (remote) console access to the secondary as well as CLI to the primary. Then you can check the checksum and run other HA-related commands through the connections.

Toshi
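
The three steps above, written out as FortiOS CLI with a reserved HA management interface on each unit. This is an added example, not part of the original post or of Fortinet's documentation. The interface names (`mgmt`, `ha1`, `ha2`), hostnames, group name, password placeholder and the 192.0.2.0/24 addresses are constructed assumptions, and lines beginning with `#` are annotations for the reader.

```fortios
# Step 1, on BOTH units, from console/CLI before cabling the cluster.
config system global
    # use "FGT-B" on the secondary
    set hostname "FGT-A"
end

config system ha
    set group-name "cluster-1"
    set mode a-p
    # placeholder, same value on both units
    set password <ha-password>
    # assumed heartbeat ports; names vary by model
    set hbdev "ha1" 50 "ha2" 50
    # reserve one port for per-unit management; its settings are not synced
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            # same gateway on both units, same subnet
            set gateway 192.0.2.1
        next
    end
end

config system interface
    edit "mgmt"
        # different address per unit: 192.0.2.12 on the secondary
        set ip 192.0.2.11 255.255.255.0
        # management plane only: HTTPS GUI and SSH, no HTTP or Telnet
        set allowaccess https ssh
    next
end

# Step 2: configure everything else on the primary only.

# Step 3: connect the heartbeat and data networks, then watch the sync.
get system ha status
# per-member checksums; the members are in sync when the values match
diagnose sys ha checksum cluster
```

With this in place each unit answers on its own management address, so the GUI of the secondary is reachable at its own IP while traffic interfaces such as WAN stay free of administrative access.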

bigkeoni64

Thanks Toshi!!

Do you know if Fortinet has a condensed version of how to deploy any FortiGate in a sort of MOP/SOP version?

Toshi_Esumi
Esteemed Contributor II

That's probably a question for FTNT staff. I never used such documentation and have learned how to by myself over the last 17 years, mostly in CLI.