FortiGate
shadowpass
Staff
Article Id 248223
Description

This article explains how to configure an HA-reserved management interface on a FortiGate 6000 chassis.

Scope

FortiGate model 6000, software version 6.4.2 or above.
Solution

An HA reserved management interface provides direct management access (via HTTP, HTTPS, Ping, etc.) to each individual cluster unit in an HA cluster by reserving a management interface as part of the HA configuration.

This allows one or more interfaces in the 'mgmt-vdom' VDOM (mgmt1, mgmt2, and mgmt3) to be selected as HA-reserved management interfaces.

Once the interfaces are configured as reserved management interfaces, log in to each FortiGate-6000 in the HA cluster and configure the reserved management interface with an individual IP address and other settings as required. It is also possible to configure routing for each reserved management interface.

Useful information:

  • The routing configuration is not synchronized and can be configured separately for each FortiGate-6000 in the cluster.
  • Configuration changes to a reserved management interface are not synchronized to other cluster units.
  • Select an interface only if it has not been used in another configuration. The number of references ('Ref') of the interface should be 0.
  • Reserved management interfaces and their IP addresses should not be used for managing a cluster using FortiManager.


Configuration using GUI:

  1. Configure the HA reserved management interface on the primary unit.

Go to System -> HA, edit the Chassis with the Primary role, and enable Management Interface Reservation.

The 'Interface' field is the interface used for management access. This can be mgmt1, mgmt2, or mgmt3.

Now, configure the port intended for HA management. In this example, mgmt2 will be used.

Set the IP address for the mgmt2 interface on the primary unit.


  2. Connect to the secondary unit and set an individual IP address for the mgmt2 interface.

Log in to the secondary unit GUI by using the HTTPS special port.

To set the gateway for the HA reserved management interface on the secondary unit, go to System -> HA, and edit the Chassis with the Secondary role. Under the Management Interface Reservation gateway setting, add the gateway IP addresses.

Supply the IP address for the mgmt2 interface.

In the background, FortiGate creates a hidden VDOM named vsys_hamgmt.

Configuration using CLI:

To configure an HA reserved management interface in the CLI, follow the steps below:


  1. On the Primary unit:

Create the following HA reserved management interface configuration (x.x.x.x is the gateway of the management subnet):

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt2"
            set gateway x.x.x.x
        next
    end
end

Set the IP address for the mgmt2 interface:

config system interface
    edit mgmt2
        set ip x.x.x.x/24
    next
end


  2. On the Secondary unit:

The HA reserved management interface configuration is synced from the primary to the secondary unit, so on the secondary unit only the gateway needs to be set, and only if a different gateway is required. Create the following configuration on the secondary unit:

config system ha
    config ha-mgmt-interfaces
        edit 1
            set gateway y.y.y.y
        next
    end
end

Verify that the steps succeeded by checking that both units can be accessed with their individual IP addresses.
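The full CLI procedure above, carried through on both units with constructed example addresses (this is an added example, not configuration from the original article): management subnet 10.10.10.0/24, gateway 10.10.10.1, primary mgmt2 at 10.10.10.11, secondary mgmt2 at 10.10.10.12. It also sets the secondary unit's interface IP, which the GUI steps cover but the CLI steps above leave implicit, and restricts the management protocols on the reserved interface with `allowaccess` (an addition assumed here; adjust to your own policy). Lines starting with `#` are annotations, not commands.

```text
# --- Primary unit: reserve mgmt2 and point it at the management gateway ---
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt2"
            set gateway 10.10.10.1
        next
    end
end

# Per-unit interface settings (not synchronized to the other unit).
# allowaccess limits which management protocols answer on this interface.
config system interface
    edit mgmt2
        set ip 10.10.10.11/24
        set allowaccess ping https ssh
    next
end

# --- Secondary unit: log in to it directly (for example via the special port) ---
# The ha-mgmt-interfaces entry is synced from the primary; the gateway is
# repeated here so it can differ per unit if the secondary sits elsewhere.
config system ha
    config ha-mgmt-interfaces
        edit 1
            set gateway 10.10.10.1
        next
    end
end

config system interface
    edit mgmt2
        set ip 10.10.10.12/24
        set allowaccess ping https ssh
    next
end

# --- Verification from the administrator's workstation ---
# Each unit must answer on its own reserved address, independent of HA role:
#   ping 10.10.10.11        ping 10.10.10.12
#   https://10.10.10.11/    https://10.10.10.12/
# On each unit, "show system ha" should list ha-mgmt-status enable and the
# ha-mgmt-interfaces entry; "get system ha status" shows the unit's current role.
```

Because the interface IP is not synchronized, a wrong or duplicate address on one unit only breaks access to that unit, so check both addresses after every change rather than relying on the primary's reachability.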

     

Related articles:

How to use the special port

How to Check Referenced Objects