ujnetsec
New Contributor

How to configure HA Reserved Management Interface on MGMT2 3000D

Hi Guys,

I am running a 3000D cluster, and I want to use MGMT2 as my reserved management interface to manage the two devices separately, but I am not winning. Can someone please shed some light for me? When should one, or how should one, use the MGMT2 interface?

I have done VDOM partitioning on the cluster, so there is one VDOM running primarily on the secondary device; for me to make changes on that secondary device I need to access it separately.

 

5 REPLIES
Alexis_G
Contributor II

You do not have management on a VDOM; you have management on the box.

To manage the secondary FGT from the CLI, you execute from the primary:

execute ha manage

// press Enter to see the available members, then issue the command again with the number of the FGT you wish to manage.

Anyway, management interfaces are dedicated for this use.

Although you can try to configure management:

//on MGMT2
config system interface
edit mgmt2
set management-ip <ip subnet>
end

 

--------------------------------------------

If all else fails, use the force !
ujnetsec

I know I have management to the box; I can access the secondary box via CLI, but I want to access it via GUI using MGMT2 as my "ha reserved management interface". I have done the config "//on MGMT2 config system interface edit mgmt2 set management-ip <ip subnet> end".

The IP I am using on the MGMT2 interface is in the same subnet as MGMT1, but for some reason I cannot access the second device via GUI. I need GUI access so that I can make changes on the VDOM that is primary to the second device.

Alexis_G

Routing is OK?

Check this:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/virtual_clusteri...

--------------------------------------------

If all else fails, use the force !
ujnetsec

Routing is OK because I am using the existing network which I am using for MGMT1.

ede_pfau
Esteemed Contributor III

Hi,

1- You manage ALL of the FGT stuff on the cluster's address, via GUI or CLI. There is no need to know where the cluster management puts a certain VDOM, onto the primary or secondary unit. In fact, configuring the secondary would force the FGT cluster to synchronize 'in reverse', from slave to master.

Luckily, that works.

But it's not best practice.

2- GUI access to a secondary FGT is a fair reason to configure a 'dedicated management' port. On some FGTs, this works as advertised. On several others, the GUI wouldn't let me specify a second IP address from an already used range. GUI access is nice if you want to reboot the secondary but not the primary, or watch its CPU or memory load. Or change its HA parameters (which I would always prefer to do in the CLI; quite a few parameters here are CLI-only).

3- The label 'MGMT' on a port does not enable special features magically; configuration does. It might be that MGMT1 is already set to 'dedicated to management'; I doubt (but never tried) that a FGT can have more than one of these.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
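The reserved (dedicated) HA management interface the thread is asking about is enabled in the HA settings and then given a per-unit address on each member, which is the piece missing from the interface-only config quoted above. The following is an added example, not a configuration posted by anyone in this thread; it assumes FortiOS 5.4 CLI syntax (the version the linked documentation covers), constructed placeholder addresses in 192.0.2.0/24, and that mgmt2 is not used for anything else. The index passed to execute ha manage is also a placeholder; use the one the command lists on your cluster. The comment lines are annotations for the reader, not part of the configuration.

```fortios
# Added example (not from the thread). Assumes FortiOS 5.4 syntax,
# placeholder addresses in 192.0.2.0/24, and an otherwise unused mgmt2.

# 1) On the primary unit: enable the reserved management interface in the
#    HA configuration. This part is synchronized to both cluster members.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt2"
            set gateway 192.0.2.1
        next
    end
end

# 2) Still on the primary: give mgmt2 this unit's own address.
#    The IP of a reserved management interface is per-unit and is not
#    synchronized, so each member ends up with a different address.
config system interface
    edit "mgmt2"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 3) Jump to the secondary unit (placeholder index 1; run "execute ha manage"
#    with no argument first to see the members, as described in the thread)
#    and give its mgmt2 a different address in the same subnet.
execute ha manage 1

config system interface
    edit "mgmt2"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

After this, each unit answers on its own mgmt2 address (192.0.2.11 and 192.0.2.12 in the placeholders), which is what allows GUI access to the secondary without going through the cluster address. Two practical checks: the reserved management interface uses the gateway set under ha-mgmt-interfaces rather than the unit's normal routing table, so that gateway must be reachable from where you administer the cluster (this is the routing question raised earlier in the thread); and allowaccess should list only the protocols you actually use on that port, since it is a direct administrative path to each unit.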