Support Forum
fl0at0xff
New Contributor II

Problem with HA and management IP concept

Hello. I'm trying to configure HA with 2 FortiGate 600D. I have some problem or misunderstanding regarding the MGMT interface. The HA itself is working correctly.

In the HA configuration, I have checked "Reserve Management Port for Cluster Member", selected MGMT1 and configured a static IP address on this port on each FortiGate (192.168.1.10 and 192.168.1.20). When I try to configure MGMT2 with the IP address 192.168.1.1, I can't because this IP address is in the same subnet as MGMT1... I'm trying to follow the indications in this guide: http://docs.fortinet.com/...5/fortigate-ha-54.pdf. The scheme on page 175 uses IP addresses on the same subnet... My goal is to be able to reach the master device from any VLAN (it is OK now, I must just enable HTTPS and SSH access on each desired VLAN interface) AND I want to be able to access each unit with its reserved management IP (MGMT1) from ANOTHER VLAN. Thanks.

emnoc
Esteemed Contributor III

I don't think you can do that. Plus, how would the MGMT#2 interface know what gateway?

Take a look at the CLI HA command output for

set ha-mgmt status interface interface-gateway

e.g.

(CLI cmd)

show full system ha

PCNSE NSE StrongSwan
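The reserved-management settings emnoc points to, written out as a full configuration (an added example, not from the thread). It uses the `config ha-mgmt-interfaces` table of FortiOS 5.4 and later; older releases use the single `set ha-mgmt-interface` / `set ha-mgmt-interface-gateway` keywords listed above. Interface names, the addresses and the gateway 192.168.100.1 are assumptions.

```fortios
# Cluster-wide HA settings (synchronised to both members).
# The reserved interface is excluded from HA sync and uses the
# gateway configured here instead of the cluster routing table.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            # assumed gateway on the management VLAN
            set gateway 192.168.100.1
        next
    end
end

# Per-unit address on the reserved interface. This is NOT synchronised,
# so it is set on each member separately. On the primary unit:
config system interface
    edit "mgmt1"
        set ip 192.168.100.10 255.255.255.0
        # expose only what management needs on this port
        set allowaccess ping https ssh
    next
end
# On the secondary unit (console, or "execute ha manage <id>"), the
# same block with: set ip 192.168.100.20 255.255.255.0

# Verify the effective HA settings, including the reserved interface:
show full-configuration system ha
```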
fl0at0xff
New Contributor II

OK, but what is the best practice when you set up HA for the management? Don't you think it is important to be able to access each FortiGate individually too? Of course, most of the time you want to access only the master unit...

emnoc
Esteemed Contributor III

Yes, individually does help if you don't want to "execute ha man <id>" to the 2nd unit. If you have an OOB network and want to do direct access and monitoring against the 2nd unit, this is a great idea also.

fl0at0xff
New Contributor II

Yes, OK, thank you. But I allow myself to ask because my client has a Management VLAN (192.168.100.0/24) and accesses all devices using this subnet. My first idea was to use 3 IP addresses in this range, for example the following:

  • 192.168.100.10 (used to individually manage the primary FortiGate)
  • 192.168.100.20 (used to individually manage the secondary FortiGate)
  • 192.168.100.100 (used to manage the cluster = always towards the master unit)

My question is: is it possible?

Thank you
