Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fl0at0xff
New Contributor II

Created on ‎10-20-2016 04:46 AM

Problem with HA and management IP concept

Hello. I'm trying to configure HA with 2 Fortigate 600D. I have some problem or misunderstanding regarding the MGMT interface. The HA itself is working correctly.

 

In the HA configuration, I have checked the "Reserve Management Port for Cluster Member" , selected MGMT1 and I have configured static IP address on this port on each fortigate (192.168.1.10 and 192.168.1.20). When I try to configure the MGMT2 with the IP address 192.168.1.1, I can't because this IP address is in the same subnet than MGMT1... I trying to follow the indications on this guide: http://docs.fortinet.com/...5/fortigate-ha-54.pdf. Scheme on page 175 uses IP addresses on the same subnet...  My goal is to be able to reach the Master device from any VLAN (it is ok now, I must just enable HTTPS, SSH access on each desired the vlan interface) AND I want to be able to access to each unit with their reserved management IP (MGMT1) from ANOTHER VLAN. thanks

5445
0 Kudos
4 REPLIES 4
emnoc
Esteemed Contributor III

Created on ‎10-20-2016 05:04 AM

I don't think you can do that. Plus how would MGMT#2 interface know what gateway?

 

 

Take a look at the  cli ha cmd output for

 

 

set ha-mgmt status interface interface-gateway

 

e.g

(cli cmd)

 

show  full system ha

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2333
0 Kudos
fl0at0xff
New Contributor II
In response to emnoc

Created on ‎10-20-2016 05:06 AM

Ok but what is the best practice when you setup HA for the management ? Do you don't think that it is important to be able to access to each fortigate individually too ? Of course, most of the time you want to access only to master unit...

2333
0 Kudos
emnoc
Esteemed Contributor III
In response to fl0at0xff

Created on ‎10-20-2016 07:40 AM

Yes individually does helps if you don't want to "execute ha man <id> " to the 2nd unit . If you have a OOB network and want to do direct access and monitoring against the  2nd unit this is a great ideal also.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2333
0 Kudos
fl0at0xff
New Contributor II
In response to emnoc

Created on ‎10-20-2016 08:46 AM

Yes ok thank. But I permit to ask because my client has a Management VLAN (192.168.100.0/24) and it access all devices using this subnet. My first idea was to use 3 ip addresses in this range, for exemple the following:

 

[ul]
  • 192.168.100.10 (used to individually manage the primary Fortigate)
  • 192.168.100.20 (used to individually manage the secondary Fortigate)
  • 192.168.100.100 (used to manage the cluster = always towards the master unit)[/ul]

    My question is : It is possible ?

     

    Thank you

    • 2333
    0 Kudos
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.