HA Reserved Mgmt Interface for FortiGuard, Syslog, SNMP, etc.
New Firewalls HA Setup with Reserved Management Interface
- I have a FortiGate 400F internal firewall (not directly connected to the internet) in HA A/P mode with three VDOMs (root, vdomA and vdomB).
- I use my OOB mgmt interface as the reserved mgmt interface in order to monitor both the primary and the secondary firewall:
FW1 mgmt IP: 192.168.1.1/24 (port 'mgmt')
FW2 mgmt IP: 192.168.1.2/24 (port 'mgmt')
- I also want to use the OOB mgmt interface for other services such as SNMP and Syslog.
- Therefore, I have configured 'ha-direct enable' so that the Syslog and SNMP traffic passes through that OOB mgmt interface.
- However, after the reserved interface config, the FortiGate is unable to reach FortiGuard services because there is no routing via the reserved mgmt interface.
- I want the mgmt interface to handle everything (mgmt, FortiGuard, license, SNMP, Syslog, RADIUS, etc.).
How can I achieve this setup, or what would be the best approach to meet my requirements?
Thank you.
Hello,
Could you please clarify whether routing is configured for HA management?
The management routing table can be verified by running the commands below:
execute enter vsys_hamgmt
get router info routing-table all
Hi @abarushka
Routing is not configured for HA mgmt, as we cannot add routing via the HA reserved mgmt interface.
Before I configured my mgmt interface as HA reserved mgmt, I had a default route configured via the mgmt interface to route traffic for all services like SNMP, Syslog, FortiGuard, license and system DNS, etc.
Hello,
Is there any particular reason why HA management interface routing is not configured? You can find a sample configuration below:
config system ha
config ha-mgmt-interfaces
edit 1
set interface <interface>
set dst <destination IP>
set gateway <IPv4 gateway>
next
end
end
Oh, sorry.
I thought you meant a route under Network.
I did. I have a route configured under HA mgmt:
Dst 0.0.0.0/24
GW 192.168.1.254
With this setup and ha-direct enabled, syslog and SNMP are working well.
But FortiGuard, FortiCloud, license and their DNS traffic are not working.
Hello,
HA-direct is not applicable to all self-originated traffic. HA-direct applies to syslog, FortiAnalyzer, FortiManager, SNMP and NetFlow traffic.
Other self-originated traffic (e.g. FortiGuard) can be controlled in another way. For example:
config log fortiguard setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
However, the HA management interface cannot be configured for self-originated traffic (e.g. FortiGuard), since the HA management interface is in a hidden VDOM.
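To make the split described in this answer concrete, here is an added configuration example (it is not from the original thread or from Fortinet's documentation): the reserved HA management interface carries management, syslog and SNMP via ha-direct, while FortiGuard and system DNS are pinned to a separate root-VDOM interface with interface-select-method specify. The interface name port1, its gateway 10.0.0.254 and the syslog server 192.168.1.50 are assumed values; 192.168.1.254 is the gateway from the thread.

```fortios
# Added example (assumed names/addresses): reserved HA mgmt interface for
# mgmt/syslog/SNMP, separate root-VDOM interface port1 for FortiGuard and DNS.
config global
    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"
                set gateway 192.168.1.254
            next
        end
        # syslog, SNMP, FortiAnalyzer, FortiManager and NetFlow leave via the reserved interface
        set ha-direct enable
    end
    # FortiGuard is self-originated and cannot use the hidden HA mgmt VDOM,
    # so pin it to a regular root-VDOM interface instead
    config system fortiguard
        set interface-select-method specify
        set interface "port1"
    end
    # system DNS (used for FortiGuard name resolution) follows the same interface
    config system dns
        set interface-select-method specify
        set interface "port1"
    end
    # syslog server on the OOB mgmt network (assumed address); reached via ha-direct
    config log syslogd setting
        set status enable
        set server "192.168.1.50"
    end
end
# port1 lives in the root VDOM and needs its own default route (assumed gateway)
config vdom
    edit root
        config router static
            edit 0
                set gateway 10.0.0.254
                set device "port1"
            next
        end
    next
end
```

After applying this, check the split with a FortiGuard connectivity test from the root VDOM and by confirming that syslog packets leave the reserved mgmt interface rather than port1.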
Hi,
Since the HA management interface cannot be configured for self-originated traffic (i.e. FortiGuard),
what interface should I use for FortiGuard? I don't want to use the traffic interfaces of vdomA and vdomB.
- Should I create another interface in the root VDOM only for FortiGuard?
- Should I not use the HA reserved feature to route all originated traffic via OOB mgmt?
What would be the best practice?
Thank you.
