FortiGate
mattchow_FTNT
Article Id 197120
Description
This article describes the expected behavior when the email server is configured to use the HA management interface IP as its source IP.

Solution
The 'set ha-direct enable' option is available only in the CLI. The command and its documentation link are shown below.
# config system ha
    set ha-direct enable
end
https://docs.fortinet.com/document/fortigate/6.2.4/cli-reference/21620/system-ha
Enabling 'ha-direct' means that ONLY syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox traffic uses the 'ha-mgmt' interface.

The email server (SMTP traffic) is not in this list, so if it is forced to use the HA management interface IP as its source IP, the CLI returns the following error:
# config system email-server

 (email-server) # set source-ip 10.10.10.1
10.10.10.1 is not valid source ip.
node_check_object fail! for source-ip 10.10.10.1

value parse error before '10.10.10.1'
Command fail. Return code -8
Reference for HA management interface configuration:
# config system ha
    set group-name "ABC"
    set mode a-p
    set password XXXXXX
    set hbdev "port3" 50
    set ha-mgmt-status enable
    # config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.10.10.2
        next
    end
end

# config system interface
    edit "port4"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 4
    next
end
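
A pre-change check for the behavior described above, as an added example that is not Fortinet's code: it parses a configuration backup, finds the IP addresses of the reserved HA management interfaces, and reports whether a proposed email-server source-ip collides with one. The sample configuration is constructed from the reference above, and the function names are hypothetical.

```python
import shlex

# Constructed sample modelled on the reference configuration in this article.
SAMPLE_CONFIG = """
config system ha
    set ha-mgmt-status enable
    set ha-direct enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
        next
    end
end
config system interface
    edit "port3"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "port4"
        set ip 10.10.10.1 255.255.255.0
    next
end
"""

def parse_config(text):
    """Parse config/edit/set/next/end text into nested dicts (a leading '#' prompt is ignored)."""
    stack = [{}]
    for raw in text.splitlines():
        verb, *args = shlex.split(raw.strip().lstrip("#")) or [""]
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif verb == "set" and args:
            stack[-1][args[0]] = args[1:]
    return stack[0]

def ha_mgmt_ips(cfg):
    """Map each reserved HA management interface IP to its interface name."""
    ha = cfg.get("system ha", {})
    if ha.get("ha-mgmt-status") != ["enable"]:
        return {}
    entries = ha.get("ha-mgmt-interfaces", {}).values()
    names = [e["interface"][0] for e in entries if "interface" in e]
    ifaces = cfg.get("system interface", {})
    return {ifaces[n]["ip"][0]: n for n in names if "ip" in ifaces.get(n, {})}

def email_source_ip_conflict(cfg, source_ip):
    """Return the HA management interface that owns source_ip, or None."""
    return ha_mgmt_ips(cfg).get(source_ip)
```

A non-None result identifies an address that 'config system email-server' will refuse as source-ip, as in the error output above; None only means the address is not an HA management IP, not that the CLI will accept it.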
