Hi Guys,
I am running a 3000D Cluster, and I want to use MGMT2 as my reserved management interface to manage the two devices separately, but I am not winning. Can someone please shed some light for me? When should one, or how should one, use the MGMT2 interface?
I have done VDOM Partitioning on the Cluster, so there is one VDOM running primarily on the Secondary Device; for me to do changes on that secondary device I need to access it separately.
You do not have management on the VDOM, you have management on the box.
To manage the secondary FGT from the CLI, you execute from the primary:
execute ha manage
// press enter to see the available members, then issue the command again with the number of the FGT you wish to manage.
Anyway, management interfaces are dedicated for this use.
Although you can try to configure management:
//on MGMT2
config system interface
edit mgmt2
set management-ip <ip subnet>
end
--------------------------------------------
If all else fails, use the force !
I know I have management to the box, I can access the secondary box via CLI, but I want to access it via GUI using MGMT2 as my "ha reserved management interface". I have done the config "//on MGMT2 config system interface edit mgmt2 set management-ip <ip subnet> end".
The IP I am using on the MGMT2 interface is in the same subnet as MGMT1, but for some reason I cannot access the second device via GUI. I need GUI access so that I can make changes on the VDOM that is primary to the second device.
Routing is OK?
check this:
--------------------------------------------
If all else fails, use the force !
Routing is OK because I am using the existing network which I am using for MGMT1.
Hi,
1- you manage ALL of the FGT stuff on the cluster's address, via GUI or CLI. There is no need to know where the cluster management puts a certain VDOM, onto the primary or secondary unit. In fact, configuring the secondary would force the FGT cluster to synchronize 'in reverse', from slave to master.
Luckily, that works.
But, it's not best practice.
2- GUI access to a secondary FGT is a fair reason to configure a 'dedicated management' port. On some FGTs, this works as advertised. On several others, the GUI wouldn't let me specify a second IP address from an already used range. GUI access is nice if you want to reboot the secondary but not the primary, or watch its CPU or memory load. Or change its HA parameters (which I would always prefer to do in the CLI - quite a few parameters here are CLI-only).
3- the label 'MGMT' on a port does not enable special features magically; configuration does. It might be that MGMT1 already is set to 'dedicated to management'; I doubt (but never tried) that a FGT can have more than one of these.