Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BensonLEI
Contributor

Created on ‎02-16-2021 12:31 AM

(For your reference ) OOB mgmt interface for HA cluster management interface

 

 

Starting with FortiOS 5.6, there is a new way to access every machine directly. This method is In-Band ( or OOB ) and does not require a reserved interface.

 

 

For example: Two Fortigate 600E devices ( I am using v6.6.4) and forming a HA-pair; an IP address for their OOB mgmt interface individually, and an IP address for the HA-cluster;  as the following requirement (no mgmt VDOM, and the following configuration through root VDOM) :     1. 10.101.1.40 ( for the cluster IP = always towards the master unit)     2. 10.101.1.39 ( for the OOB "mgmt" interface of the primary Fortigate)     3. 10.101.1.41 ( for the OOB "mgmt" interface of the secondary Fortigate) 4. The above IP addresses should not be overlapped

 

 

============================================================

The configuration is so simple and direct:

     1. set up the HA-pair hardware

     2. configure the physical mgmt interface without no IP

     3. set up a virtual HA_interface under this physical mgmt interface as the following:

 

That is all configuration, simple enough.

==============================================================

 

 

 

My configuration

============================================

 

Forti600E_03 # sh sys int mgmt config system interface edit "mgmt" set vdom "root" set allowaccess snmp fgfm ftm set type physical set lldp-reception disable set lldp-transmission disable set role lan set snmp-index 2 next end

 

Forti600E_03 # sh sys int HA_mgmt_Port config system interface edit "HA_mgmt_Port" set vdom "root" set management-ip 10.101.1.39 255.255.255.0 set ip 10.101.1.40 255.255.255.0 set allowaccess ping https ssh snmp set role lan set snmp-index 26 set interface "mgmt" set vlanid 11 next end

 

 

 

 

 

10.101.1.40  = HA-pair IP

10.101.1.39  = individual Fortigate IP

 

=======

 

virtual mac add for the HA-pair IP =  10.101.1.40 ( from outside )

virtual mac add for the physical interface = 10.101.1.39 ( from outside, the active fortigate device )

mac addr for the physical interface = 10.101.1.41 ( from outside, the standby fortigate device )

 

 

 ------------ARP list----------------------

FG1111D_B # get sys arp | grep 10.101 ... 10.101.1.39 5 00:09:0f:09:11:01 v11 10.101.1.40 0 00:09:0f:09:11:01 v11

 

 

 

 

 

Hope this is useful to you

 

Cheers

 

 

 

 

 

1625
0 Kudos
0 REPLIES 0
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.