Hello,
I'm going to set up a cluster of two FG-900D (a-p) and I have one concern regarding how to use the management ports. Since the 900D has two mgmt ports, I intend to use one port as dedicated mgmt port for the appliance and the second port for the cluster's management. Each port shall belong to a different LAN.
a. Has anybody tried this configuration before?
b. Would you recommend this configuration or not?
c. How can I do it? If I use the "Reserve Management Port for Cluster Member" option, does this apply to both mgmt ports or only to one port?
d. Anything else to suggest?
Thanks
Andreas
aagrafi wrote:a. Has anybody tried this configuration before?
yeah.
aagrafi wrote:b. Would you recommend this configuration or not?
if you really want that separate cluster management address it is the way to go.
aagrafi wrote:c. How can I do it? If I use the "Reserve Management Port for Cluster Member" option, does this apply to both mgmt ports or only to one port?
that option will only be for the node mgmt addresses (you choose 1 and only 1 interface there), the cluster will be a normal one, so it will also participate in normal routing. also remember to set your node routing via the CLI.
aagrafi wrote:d. Anything else to suggest?
definitely don't overlap the ip ranges (so nodes and cluster in the same subnet), you will get some unexpected routing to look forward to then.
Suppose that Mgmt1 port is reserved for cluster member. Can the Mgmt2 port be used for the cluster management? In such case the mgmt2 port does not participate in routing (or do I have to enable routing in this port)? Is this configuration supported?
aagrafi wrote:Can the Mgmt2 port be used for the cluster management? In such case the mgmt2 port does not participate in routing (or do I have to enable routing in this port)?
what do you exactly mean with cluster management? like i tried to explain before, there is just one interface (doesn't even have to be mgmt1 or mgmt2) that has a special role. other interfaces can be used to do management on and they all will be "cluster" interfaces, but they are just regular interfaces and will participate in routing. of course with firewall policies you can limit access across them.
if you have a specific situation in mind or planning for please share it so people can suggest how to make the fortigate work in that.
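As an added illustration of the split the replies above describe (not taken from this thread or from any Fortinet document): one interface, here mgmt1, is reserved per node with the HA management option, so each unit keeps its own address on it and the gateway is set under the HA configuration because that interface is taken out of the regular routing table; mgmt2 stays an ordinary synchronised interface, so its single address is answered by whichever unit is currently master and access to it is governed by the normal allowaccess and policy settings. The addresses, interface names, group name and the FortiOS 5.6-style `ha-mgmt-interfaces` syntax are assumptions; on older 5.2/5.4 releases the same feature is configured with the single-valued `ha-mgmt-interface` and `ha-mgmt-interface-gateway` keys.

```fortios
# Assumed example, applied on EACH node. Constructed address plan:
#   node mgmt    -> 192.0.2.0/24     (one address per unit, not synchronised)
#   cluster mgmt -> 198.51.100.0/24  (one shared address, synchronised)
# Keeping the two ranges apart avoids the overlapping-subnet routing surprises
# mentioned above.

config system interface
    edit "mgmt1"
        # reserved node interface: 192.0.2.11 on unit A, 192.0.2.12 on unit B
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "mgmt2"
        # regular interface, synchronised by HA: the master answers here
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

config system ha
    set group-name "fg900d-cluster"
    set mode a-p
    # reserve mgmt1 for per-node management; once reserved it leaves the
    # routing table, so its gateway lives here, not under "config router static"
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 192.0.2.254
        next
    end
end
```

Heartbeat interfaces, the HA password and priority are left out to keep the fragment to the management split; they are configured under the same `config system ha` block. Because only one interface can be reserved, the per-node behaviour (SSH to address X always lands on unit A) exists only on mgmt1, while mgmt2 behaves like any other cluster interface and should be restricted with allowaccess and firewall policies like the rest.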
The FG-900D (and other FGs as well) has two management ports. These ports are not interfaces e.g. they are not routable (unless their role is changed by the admin). This is something that is generally needed in management ports, in order to separate management traffic from data traffic and to make sure that the management ports won't become transit for data traffic.
Now, the functionality I'm looking for is this: the first management port should be for the cluster management, e.g. when I do SSH or HTTPS to its IP address, it will always connect me to the master.
The second management port will have different IP address for each cluster member. When I HTTPS to the first IP address, it will connect me to the master, when I HTTPS to the other IP address it will connect me to the slave.
I don't want to have management access through a regular interface - I don't want to mess up the management traffic with firewall policies. I want the management traffic to be out-of-band.