- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Management ports in FortiGate cluster
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Management ports in FortiGate cluster
Hello,
I'm going to setup a cluster of two FG-900D (a-p) and I have one concern regarding how to use the management ports. Since the 900D has two mgmt ports, I intend to use one port as dedicated mgmt port for the appliance and the second port for the cluster's management. Each port shall belong to different LAN.
a. Has anybody tried this configuration before?
b. Would you recommend this configuration or not?
c. How can I do it? If I use the "Reserve Management Port for Cluster Member" option, does this apply to both mgmt ports or only to one port?
d. Anything else to suggest?
Thanks
Andreas
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aagrafi wrote:a. Has anybody tried this configuration before?
yeah.
aagrafi wrote:b. Would you recommend this configuration or not?
if you really want that separate cluster management address it is the way to go.
aagrafi wrote:c. How can I do it? If I use the "Reserve Management Port for Cluster Member" option, does this apply to both mgmt ports or only to one port?
that option will only be for the node mgmt addresses (you choose 1 and only 1 interface there), the cluster will be a normal one, so it will also participate in normal routing. also remember to set your node routing via the CLI.
aagrafi wrote:definitely don't overlap the ip ranges (so nodes and cluster in the same subnet), you will get some unexpected routing to look forward to then.d. Anything else to suggest?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suppose that Mgmt1 port is reserved for luster member. Can the Mgmt2 port be used for the cluster management? In such case the mgmt2 port does not participate in routing (or do I have to enable routing in this port)? Is this configuration supported?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aagrafi wrote:what do you exactly mean with cluster management? like i tried to explain before, there is just one interface (doesn't even have to be mgmt1 or mgmt2) that has a special role. other interfaces can be used to do management on and they all will be "cluster" interfaces, but they are just regular interfaces and will participate in routing. of course with firewall policies you can limit access across them.Can the Mgmt2 port be used for the cluster management?
In such case the mgmt2 port does not participate in routing (or do I have to enable routing in this port)?
if you have a specific situation in mind or planning for please share it so people can suggest how to make the fortigate work in that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The FG-900D (and other FGs as well) has two management ports. These ports are not interfaces e.g. they are not routable (unless their role is changed by the admin). This is something that is generally needed in management ports, in order to separate management traffic from data traffic and to make sure that the management ports won't become transit for data traffic.
Now, the functionality I'm looking for is this: the first management port should be for the cluster management, e.g. when I do SSH or HTTPS to it's IP address, it will always connect me to the master.
The second management port will have different IP address for each cluster member. When I HTTPS to the first IP address, it will connect me to the master, when I HTTPS to the other IP address it will connect me to the slave.
I don't want to have management access through a regular interface - I don't want to mesh up the management traffic with firewall policies. I want the management traffic to be out-of band.
Related Posts
- Layer2 Routing Across Two Datacentres 238 Views
- Fortigate GUI not opening 383 Views
- Manage FortiGate from FortiManager 167 Views
- FortiGate FGT200F - Firmware 7.4.4 Slow... 105 Views
- Fortiexender integration on an Fortgate 51E... 116 Views
Labels
-
FortiGate
6,921 -
FortiClient
1,365 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
436 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
280 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
122 -
FortiGuard
111 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
83 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 820 | |
| 446 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.