Fortinet Community

Jad · ‎11-09-2021

Hi Guys,

I am working on a cluster in A/P and want to separate the management by using OOB HA reserved management interfaces.

This is done perfectly and working, but when reading fortinet's documentation, it's mentioned that this dedicated interface uses a separated routing table and it's not synchronized whithin the cluster, which is great for my usecase, but here is the question :

Why it works only when I put these interfaces in the VRF=0 (global VRF) and not working when I put them in another VRF ?

It doesn't work neither I set the same VRF ID nor a different one for each interface of each ha unit.

The goal is to have two (one by ha unit) "ha reserved management interface" with two different IPs (one for each unit) while using these interfaces in a different VRF from the global one.

For example:

VRF 0 = All Production interfaces

VRF 1 = "HA Reserved management" interfaces.

I think it's very interesting to understand how it works, because it's not well documented.

Thanks for your help.

Regards

athirat · ‎11-17-2021

Hello,

Once HA reserved management interfaces are added on FGT , they are automatically mapped to a hidden vdom called vsys_hamgmt. The routing and ARP details on HA dedicated management interface are solely available in this vdom.

You can check the routing table and ARP details of this vdom by following below :

config global

exe enter vsys_hamgmt --> to enter the vdom

get router info routing-table all ---> will show the routing table of this vdom alone

get sys arp --> arp entries on dedicated management interface

To go back to normal vdom, use the below command :
exe enter root

Hope this helps.

Fortinet Community

HA reserved management interfaces in a different VRF