Hello All,
Maybe a stupid question, but I'm working on a design problem with HA, VDOMs and SNMP under FortiOS 5.4.6.
According to the examples in the "FortiOS Handbook - Virtual Domains" I tried to set up a multi-vdom scenario with the root vdom facing the internet and two departmental vdoms. The root vdom also holds the management vdom.
The two FortiGates form an active-active cluster and all vdoms are on the same virtual cluster. Each of the two nodes has a reserved management interface with an IP (Node A - 192.168.0.1/24, Node B - 192.168.0.2/24), but the management traffic, especially SNMP, should go via a clustered interface (192.168.0.10/24).
The node reserved management interfaces are by design in the Global VDOM and the clustered management interface is in the root vdom. Because all three are on the same IP subnet (the management subnet) I simply can't assign the clustered interface the chosen IP address. I tried to enable allow-subnet-overlap but no luck; the option does not seem to exist in the Global domain in the system settings section.
How can I manage the dedicated cluster nodes and the virtual cluster from one management station without having different IP subnets?
Moving the management domain to another VDOM does not seem to be a valid option because I'm losing the possibility to use RADIUS for user authentication then.
Thanks in advance, Michael
And, I don't understand why "I'm losing the possibility to use RADIUS for user authentication" if you move your management vdom. It just needs to have a route/path to get to your RADIUS servers. That's what we do with all of our clusters with a multi-vdom setup.
1st
No such vdom "global" exists in a FortiGate. In fact you CANNOT EVEN create a vdom named Global/global in a FortiGate.
2nd, if you want to use dedicated management interfaces, define the interfaces as dedicated and set the ha-gateway details in the FortiGate.
e.g. v5.6.x
config system ha
    set mode a-p
    set group-name myclusterblah
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            # insert the name of the interface to use
            set interface mgmt
            set gateway x.x.x.x
            set dst 0.0.0.0 0.0.0.0
        next
    end
end
Earlier versions were similar, but in 5.6 it is a sublevel cfg:
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface mgmt
    set ha-mgmt-interface-gateway x.x.x.x
end
PCNSE
NSE
StrongSwan
Hi Toshi,
This refers to pg. 27 in the Virtual Domains for FortiOS 5.4.4 Handbook - "You cannot change the management VDOM if any administrators are using RADIUS authentication". From my perspective my users are administrators who log in on the device.
Hi All,
Thanks for the fast responses, but the core of the problem is that I simply cannot assign the clustered management interface an IP address in the same subnet the reserved management interfaces are in. I'm getting "Conflicts with 'mgmt1' subnet", which refers to the reserved management interfaces.
The "allow-subnet-overlap" setting does not seem to be possible in the "Global Context" and should also not be necessary.
I'm referring to the example on pg. 180 in the "High Availability for FortiOS 5.4.1" Handbook, which is pretty much the configuration I would like to achieve. The only difference is that the example is not using vdoms.
Maybe I'm giving too much misleading information in my first post.
Thanks for your patience and help,
Michael
Hello Mike,
I faced the same issue on an A-P cluster running 5.4.6.
Via CLI you should be able to configure the cluster interface; on my cluster this worked although the web UI showed an error.
Did you consider using "set ha-direct enable" under "config system ha"?
Best regards
Hello,
Using the CLI, it should work. There is a current investigation to find out why the GUI complains while it works with the CLI.
Thanks