I have a query regarding the configuration of FortiManager in VRRP/Manual mode high availability across different geographic locations via MPLS link, using different IP addresses for each unit. Specifically, Unit1 at DC will have the IP address 10.1.1.1/30, while Unit2 will have 10.1.2.1/30.
I am referring to the article (https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-setup-and-troubleshooti...) for configuration guidance.
From the document you shared:
A Layer-2 connection between Primary-FortiManager and Secondary-FortiManager is mandatory to communicate through Cluster Virtual IP via VRRP.
Virtual IP should be the same in both Primary and Secondary devices. (VRRP mode)
Hi @vishal1 ,
Please check the following article:
https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-cluster-in-different-VL...
Best,
It is showing manual HA. Would configuring Manual HA do auto failover if the primary goes down, or does it need manual intervention?
When using manual failover settings, you must manually configure one of the secondary units to become the primary unit when the primary unit fails. The new primary unit will keep its IP address. FortiManager's IP address registered on FortiGate will be automatically changed when the new primary unit is selected.
Hi,
If you decide to use the VRRP mode, you will need to have the same subnet on one of their interfaces. Eventually set up a VLAN between them and that will solve the issue.
Best,
Can you give an example, please?
Hi,
There is an article already:
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Creating-a-VLAN-interface-on-FortiMana...
But it depends on how your internal network is set up, as you may need to set it up on the other devices that are on the path.
Also for the manual mode (the article is updated):
It is a good practice to share the IPs of both FortiManagers to the FortiGates using the following setting.
config system admin setting
set mgmt-fqdn <FMmasterIP/FQDN> <FMslaveIP/FQDN>
end
For more information, and if there is a NAT, review the article below:
Docs: Configuring the management address
From FortiGate side:
Docs: Configuring central management
Docs: config system central-management
Best,
I have a couple of queries regarding the FortiManager configuration and the setup of Manual HA, which I hope you could help me clarify:
Would my FortiManager configuration remain in sync if I configure Manual HA between devices? Specifically, after the primary device fails, will I only need to designate the secondary device as primary without the necessity to redeploy or push the configuration from FortiManager to the FortiGate devices?
FortiManager will be in a different geographical location. Is it feasible to establish Manual HA and facilitate communication via an MPLS link?