amorales
New Contributor

Configuring new Fortigates

Hello, 

I am currently configuring two FortiGate 501E units in HA and I have a couple of questions. I need to have two independent VDOMs, each with individual Internet access. The HA mode is Active-Passive, but I am using virtual clustering, so each firewall is the active FW in one VDOM. I have created a management interface VLAN and added it in the Management Interface Reservation, so it is in the vsys_hamgmt VDOM. Each FortiGate has a different IP on the management interface for management purposes. So, my questions:

1- Where is the management interface placed? I mean, is it inside a specific VDOM? I cannot find it.

2- I wanted to set the root VDOM as the Management VDOM (default), and then give both FortiGates access to both Internet links through a management router, so if one Internet link goes down, the management VDOM will continue having access to the Internet (remember that each Internet link is placed in one VDOM ---VDOM1-Link1 and VDOM2-Link2---, and these links are NOT shared between all VDOMs). For the moment, I have had to set one of the new VDOMs as the new Management VDOM because I don't know how to place the management interfaces in the root VDOM (I don't know if it is possible). In my current configuration, if the VDOM1 Internet link goes down, the management VDOM wouldn't have access to the Internet and I would be forced to change to VDOM2 and set it as the new management VDOM. Do you know if there is a more elegant solution to avoid this? I was thinking of creating a new VLAN interface, placing it in the root VDOM and giving it access to both Internet links through a management router, but I don't know how to give each firewall a different IP for this new interface in the root VDOM.

3- As a side question, I know that I cannot delete the root VDOM, and I have created two new VDOMs (VDOM1 and VDOM2) for the VRF separation the customer needs. Will the root VDOM drain resources from the entire FW if I am not using it?

Thank you very much.

Best Regards.
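For readers following the setup described in this post: the HA reserved management interface (the one that lands in the hidden vsys_hamgmt VDOM) is configured under `config system ha`, and its interface address is one of the few settings HA does not synchronise between cluster members, which is why each unit keeps its own IP. The CLI below is an added illustration, not the poster's configuration; the port name `mgmt`, the 192.0.2.0/24 addresses and the gateway are assumed placeholder values.

```fortios
# Added example (not the poster's config): HA reserved management interface.
# Interface name, addresses and gateway are assumed placeholders.
# The "mgmt" IP is per unit and is NOT synchronised by HA, so set it on each
# member; the ha-mgmt block itself is identical on both.

# --- on unit 1 ---
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end

# --- on unit 2: same ha-mgmt block, different management IP ---
config system interface
    edit "mgmt"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Because the reserved interface has its own gateway, management traffic to each unit bypasses the VDOM routing tables entirely, so it keeps working regardless of which VDOM's Internet link is up; it does not, however, give the root VDOM itself an outbound path. Restricting `allowaccess` to the protocols actually needed (and, in production, a trusted-host list on the admin accounts) keeps the management plane from being reachable from the data VDOMs.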

emnoc
Esteemed Contributor III

Q1: You typically cable it to a switch that has access to your LAN.

Q2: No. The bottom line: if you need availability, invest in dual ISP links, and this way you will have Internet access if one link goes down.

Q3: No, if you're not using it, it will not harm anything. You really did not need to create 2 more VDOMs; the name "root" is just a name by all means. In fact I would use that VDOM for all updates, management access, logging etc......just because you have it.

Ken Felix

PCNSE 

NSE 

StrongSwan  
James_G
Contributor III

What FortiOS are you using? Split-task VDOMs were improved at 6.2, possibly worth a look.