Splitting up a Cluster in Azure (VMs) and preserve HA-mgmt-Port settings?

scheuri · ‎01-19-2023

Hello all

We have a fortigate vm cluster in Azure which we like to split up into two standalone vm's.

Reason: Some restrictions in cluster config that can be solved using standalone vms.

I have managment connection via port4 and a dedicated IP (in the same subnet and a gateway in said subnet) to each of the vms in order to manage them.
Those information are in "config system ha".

When switching the HA configuration from "active/passive" to "standalone" I (obviously) lose the configuration of the HA Managementand Interface in "config system ha" and also the IP address in "config interface port 4" and therefore I lose the possibility to manage the vm over port4

While I know how to add the IP again to port 4 I am not sure how to add that specific gateway to that port4-subnet which was added by "config system ha - config ha-mgmt-interfaces - set gateway".

Does anyone know to do that so I can preserve port4 as my (now standalone) VM management port?

Much appreciated

abarushka · ‎01-24-2023

Hello,

In case of HA external and management interfaces have Internet connection. You may consider to configure 2 default routes via external and management (management interface with higher priority value for ingress traffic)

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

FortiGate

View solution in original post

abarushka · ‎01-19-2023

Hello,

Could you please specify which configuration you are referring to?

In Azure there is console connection available:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-access-the-FortiGate-VM-console-in-...

FortiGate

abarushka · ‎01-19-2023

Hello,

It is possible to tune which objects are synchronized. Please find the details by following the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-FortiGate-configurations-that-will-sync...

FortiGate

scheuri · ‎01-22-2023

Hello abarushka

My apologies:
I was refereing to the "out of band Management" IP addresses which are (partially) configured in "system ha".

Those are not mentioned in the documentation when you are having a single box (those are only mentioned in the fortigate documentation when using cluster). So I guess it is not possible to have "out of band management" when using a single box in Azure with its own port and default gateway on that port ("management interface reserveration" in "system ha").

(https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/983245 - the second and third picture with "management" port)

abarushka · ‎01-24-2023

Hello,

In case of HA external and management interfaces have Internet connection. You may consider to configure 2 default routes via external and management (management interface with higher priority value for ingress traffic)

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

FortiGate

scheuri · ‎01-24-2023

Thank you for the information - that should indeed work. Much appreciated.

Splitting up a Cluster in Azure (VMs) and preserve HA-mgmt-Port settings?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website