- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problems with Virtual Clustering, SNMP and reserve...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with Virtual Clustering, SNMP and reserved management Interfaces
Hello All,
Maybe a stupid question but Im working on a design Problem with HA, VDOM's and SNMP under FortiOS 5.4.6.
According to the examples in the "FortiOS Handbook - Virtual Domains" I tried to set up a multi vdom scenario with the root vdom facing to the internet and two departmental vdoms. The root vdom are also holds the management vdom.
The two fortigates are forming an active-active cluster and all vdoms are on the same virtual cluster. Each of the two nodes have a reserved management interface with an IP (Node A - 192.168.0.1/24, Node B -192.168.0.2/24) but the Management Traffic, especially SNMP, should go via a clustered interface (192.168.0.10/24).
The Node reserved management Interfaces are by design in the Global VDOM and the clustered management interface are in the root vdom. Because all of the three are on the same IP Subnet (The Management Subnet) I simply cant assign the clustered Interface the choosen IP Address. Tried to enable allow-subnet-overlap but no luck, the option seems not exist in the Global Domain in the system settings section.
How can I manage the dedicated Clusternodes and the Virtual Cluster from one Managementstation without having different IP Subnets?
Moving the Management Domain to another VDOM seems to be not a valid Option because I'm loosing the possibility to use radius for user authentication then.
Thanks ind Advance, Michael
Solved! Go to Solution.
Labels:
- Labels:
-
5.4
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And, I don't understand why "I'm loosing the possibility to use radius for user authentication" if you move your management vdom. It just need to have a route/path to get to your RADIUS servers. That's what we do with all of our clusters with multi-vdom setup.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1st
No such vdom global exist in a fortigate. In fact you CAN NOT EVEN create a vdom name Global/global in a fortigate
2nd if you want to use dedicate-management interfaces define the interfaces as dedicate and set the ha-gateway details in the fortigate
e.g v5.6.x
config sys ha
set mode a-p
set group-name myclusterblah
set ha-mgmt-status enable
config ha-mgmt-interface
edit 1
set interface mgmt ( insert the name of the interface to us )
set gateway x.x.x.x
set dst 0.0.0.0 0.0.0.0
end
earlier version where similar, but in 5.6 is a sublevel cfg
config sys ha
set ha-mgmt-status enable
set ha-mgmt-interface mgmt
set ha-mgmt-interface-gateway x.x.x.x
end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And, I don't understand why "I'm loosing the possibility to use radius for user authentication" if you move your management vdom. It just need to have a route/path to get to your RADIUS servers. That's what we do with all of our clusters with multi-vdom setup.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
This refers to pg. 27 in the Virtual Domain in FortiOS 5.4.4. Handbook - "You cannot change the management VDOM if any administrators are using RADIUS authentication". From my perspective my users are administrators who log in on the device.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Thanks for the fast responses but the Core of the problem is that I'm simple cannot assign the clustered Management Interface an IP-Address in the same Subnet where the reserved management interfaces are in. Im getting "Conflicts with 'mgmt1' subnet" which refers to the reserved management interfaces.
The "allow-subnet-overlap" setting seems not to be possible in the "Global Context" and should also not be necessary.
Im referring to the example on pg. 180 in the "High Availability for FortiOS 5.4.1" Handbook which is pretty much the configuration I like to achieve. The only difference is that the example is not using vdoms.
Maybe im giving too much missleading information in my first post.
Thanks vor your patience and Help,
Michael
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mike,
I faced the same issue on a A-P Cluster running 5.4.6.
Via CLI you should be able to configure the cluster interface, on my cluster this worked although the webui showed an error.
Did you consider to use "set ha-direct enable" under "config system ha"?
Best regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Using CLI , it should work. There is a current investigation to know why the GUI complain while it works with CLI
Thanks
Related Posts
- Firewall does not send syslog 562 Views
- Strange issue with Fortigate 200E web... 229 Views
- Separate interface for management in Fortimail 195 Views
- SNMP Monitoring both Firewalls seperate in... 274 Views
- Fortiswitch Issue 182 Views
Labels
-
FortiGate
6,439 -
FortiClient
1,283 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
64 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.