We have an HA active-passive cluster of two FortiGate 600D units. I turned on standalone mode on the Master due to some problems (https://community.fortinet.com/t5/Fortinet-Forum/accidentally-rewrote-the-interface/td-p/201847), and I regained access to it, but the Slave is still unavailable to manage. How do I convert it into standalone mode too?
With respect,
Daniil Dubosarskij
cit.rkomi.ru
Hey Daniil,
if you have CLI access to the secondary, you can use these commands:
#config global
#config sys ha
#set mode standalone
#end
Please note that the secondary should have the same config as the primary, meaning the units could interfere with each other if both are connected on the same network/infrastructure.
You could look into factory resetting the secondary instead:
Hope this helps!
That's the problem: I haven't had access to the Slave since the cluster was first turned on. They successfully started and worked, but then I lost access by overwriting the management port to one of the ports for cluster synchronization. Now I have turned on the standalone mode on it and regained access to the web interface. Can I somehow change the mode on the second device without a reset? Or should I connect it back to the cluster?
With respect,
Daniil Dubosarskij
cit.rkomi.ru
Hi Daniil,
If the second device was changed to "standalone" you need to access it first (connecting to one of its ports, or console). You may try to shut down the working FortiGate, and try to access this second one through your internal network if the access was allowed before.
If that was not changed, you can still have the main unit (you have access to) reconfigured for HA (with the same HA settings as before, to make sure it matches the other unit +higher priority and override enabled). Once the cluster is up, it will push the config to the second unit (removing the port you changed).
If you establish the cluster again, you can also access the secondary through the primary with this CLI command:
#config global
#execute ha manage <id>
#execute ha manage ? <--- will dump available IDs
This gives you an ssh session to the other HA through the one you're actually connected on.
It's difficult and risky to handle HA without having console access to each device, or at least "dedicated-to" mgmt interface configured.
Toshi
I turned on the standalone mode on the second device, but now the two FortiGates have one management address and the web interface constantly switches between them. The password was also copied from Master to Slave. For some reason, when I go to the console to configure the interface, it does not allow me to set static mode and an address. "vdom root" is written there, and so it should be, but I want to change the address to get separate access.
With respect,
Daniil Dubosarskij
cit.rkomi.ru
Without local access this will be difficult if not impossible to achieve.
You are experiencing a split-brain scenario where both units 'fight' for forwarding traffic.
For a separated cluster (same wan and lan IPs), you can't have 2 different IPs for management. Your best chance is to first get the cluster back online, by setting up the HA parameters as described above. This way you will stabilize the network and can further make changes.
Once the HA cluster is stable you will be able to enable dedicated management interfaces, and then change the IPs for these management interfaces.
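The sequence described in the replies above (rebuild the cluster from the reachable unit with higher priority and override, then give each unit its own reserved management address), written out as an added FortiOS CLI example that is not from any of the posters. The group name, password placeholder, heartbeat ports, the `mgmt1` interface name and all addresses are assumptions and must be replaced with the values the cluster actually used.

```fortios
# Added example, not from the thread. All names and addresses are placeholders.
# Step 1: on the unit you can reach, restore the previous HA settings.
config global
config system ha
    # group-name, password and hbdev must match what the other unit still has
    set group-name "EXAMPLE-GROUP"
    set mode a-p
    set password <previous-ha-password>
    set hbdev "port3" 50 "port4" 50
    # higher priority plus override makes this unit primary, so its config wins
    set priority 200
    set override enable
end
end

# Step 2: once both units show as in sync, reserve a management interface.
config global
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 192.0.2.1
        next
    end
end
end

# Step 3: the reserved interface is not synchronized, so set a different
# address on each unit. On the primary:
config global
config system interface
    edit "mgmt1"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess https ssh
    next
end
end
# Repeat step 3 on the secondary (via console or "execute ha manage <id>")
# with its own address, for example 192.0.2.12.
```

Limiting `allowaccess` on the reserved interface to the protocols actually used for administration keeps the per-unit management path from widening the exposed surface.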
Created on 01-11-2022 03:06 AM Edited on 01-11-2022 03:06 AM
I have local access to both devices
With respect,
Daniil Dubosarskij
cit.rkomi.ru
Very good. So what is the problem or your goal now?
"standalone mode" for both devices is impossible in the same network/setup. One must be turned off, or you must change all the WAN and LAN IPs of ALL the interfaces so there is no IP conflict on the network:
config global
config system interface
edit ...
set ip x.x.x.x/x (or 'unset ip' if you don't want to use that interface)
next
edit ... (repeat for all lan and wan interfaces)
end