rmetzger
Staff

Description

When connecting to a Slave unit of an HA cluster with the command "execute ha manage <ID>", the CLI context is, by default, the HA VDOM called vsys_ha, and the CLI informs the administrator that the unit is the Master. The configuration display is also limited in this context.

In the following example, FGT400-8 is the Master and FGT400-3 is the Slave:

FGT400-8 # get system ha status

Master:200 FGT400-8            FGT4002801021111  1
Slave :128   FGT400-3           FGT4002803032222  0

FGT400-8 # execute ha  manage 0
FGT400-3 $
FGT400-3 $ get system status

Version: Fortigate-400 3.00,build0744,090630
[..]
Current virtual domain: vsys_ha
[..]
Current HA mode: a-p, master

The output above shows that the current VDOM is vsys_ha and that the unit is reported as Master.

When trying to display any configuration (except with "show full-configuration"), the CLI returns empty lists:

FGT400-3 $ show firewall policy

config firewall policy
end


Solution

The administrator must first go into an operational VDOM with the command "execute enter <vdom_name>" as shown below. If the FortiGate unit is not running in VDOM mode, the default VDOM is "root".

FGT400-3 $ execute enter root

current vdom=root:0

FGT400-3 $ get system status

Version: Fortigate-400 3.00,build0744,090630
[..]
Current virtual domain: root
[..]
Current HA mode: a-p, backup

FGT400-3 $ show firewall policy

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
    next
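
A check that an audit or backup script could run before trusting output collected over "execute ha manage", as an added example that is not part of the original article: it parses the "get system status" text and rejects captures taken in vsys_ha, where an empty policy list does not mean the unit has no policies. The function names and verdict strings are assumptions; the sample transcripts are trimmed from the session above, with a closing "end" added to the policy block.

```python
import re

# Trimmed from the article's example session on FGT400-3.
STATUS_AFTER_HA_MANAGE = """\
Current virtual domain: vsys_ha
Current HA mode: a-p, master
"""
STATUS_AFTER_ENTER_ROOT = """\
Current virtual domain: root
Current HA mode: a-p, backup
"""
EMPTY_POLICY = "config firewall policy\nend\n"
# Constructed: shortened policy output with a closing "end" added.
ROOT_POLICY = """\
config firewall policy
    edit 1
        set srcintf "port1"
    next
end
"""
HA_VDOM = "vsys_ha"  # HA VDOM named in the article


def parse_status(text):
    """Extract the VDOM and HA mode/role from 'get system status' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    mode, _, role = fields.get("current ha mode", "").partition(",")
    return {
        "vdom": fields.get("current virtual domain"),
        "ha_mode": mode.strip() or None,
        "ha_role": role.strip() or None,
    }


def assess_capture(status_text, show_output):
    """Decide whether a captured 'show' output reflects the real config."""
    status = parse_status(status_text)
    if status["vdom"] is None:
        return "unknown-context"
    if status["vdom"] == HA_VDOM:
        # Display is limited in vsys_ha; an empty list proves nothing.
        return "rejected-vsys_ha-context"
    entries = len(re.findall(r"^\s*edit\s+\S+", show_output, re.MULTILINE))
    return "ok" if entries else "empty-config"
```
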

 

Related Articles

Troubleshooting Note : FortiGate HA synchronization messages and cluster verification steps
