Session-Aware Load Balancing Cluster Guide

5.2.10

Managing the workers (including SNMP, FortiManager)

After the workers have been added to an SLBC, you can use the SLBC External Management IP to manage the primary worker. This includes access to the primary worker GUI or CLI, SNMP queries to the primary worker, and using FortiManager to manage the primary worker. In addition, SNMP traps and log messages are sent from the primary worker with the External Management IP as their source address. Finally, connections to FortiGuard for updates, web filtering lookups, and so on all originate from the External Management IP.

Connecting to the external management IP address using a web browser or using other methods like SSH or telnet connects you to the primary worker (also called the master or the ELBC master). For example, if the External Management IP address is 10.10.10.1 you can browse to https://10.10.10.1 to connect to the primary worker GUI. You can connect to the primary worker CLI using ssh admin@10.10.10.1, telnet 10.10.10.1, and so on, as long as the allow access settings permit.

Configuration changes made to the primary worker are synchronized to all of the workers in the cluster.

The primary worker SNMP configuration is the same as any FortiGate SNMP configuration. SNMP queries to the primary worker report on the status of the primary worker only. However, some of the SNMP events (traps) sent by the primary worker can report HA events, which can indicate, for example, when workers enter and leave the cluster.

You can use FortiManager to manage the primary worker and FortiManager does support the primary worker SLBC configuration. Of course, configuration changes made through FortiManager to the primary worker are synchronized to the other workers.

You can also manage individual workers, including the primary worker, using the SLBC External Management IP and a special port number. See Managing the workers (including SNMP, FortiManager).

You can also manage any individual worker (including the primary worker) by connecting directly to its mgmt1 or mgmt2 interface. You can configure these management interfaces when you first configure the worker before adding it to the cluster. The mgmt1 and mgmt2 interface settings are not synchronized, so each worker maintains its own mgmt1 and mgmt2 configuration. You can use the console to configure the mgmt1 and mgmt2 interfaces after the workers are operating in a cluster.

To get SNMP results from all of the workers in the cluster you can send SNMP queries to each one using their individual mgmt1 or mgmt2 IP addresses or using the External Management IP address and special port number.

The primary worker SNMP configuration is synchronized to all workers. SNMP traps sent by the primary worker come from the external management IP address. Individual workers can send traps from their mgmt1 and mgmt2 interfaces.

If you use the External Management IP address for SNMP queries, the FortiController performs network address translation on the SNMP packets, so when the worker sees SNMP query packets their source address is set to the internal management IP. The internal management IP is 10.101.10.1 for the FortiController in slot 1 and 10.101.10.16 for the FortiController in slot 2. You must therefore configure SNMP communities to allow SNMP packets from these source addresses (or from any source address). For example:

    config system snmp community
        edit 1
            config hosts
                edit 1
                    set ip 10.101.10.1
                next
                edit 2
                    set ip 10.101.10.16
            end
    end
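An added example (not from the Fortinet guide): a Python check that parses a FortiOS CLI configuration excerpt and reports, for each SNMP community, which of the two internal management IPs are missing from its host list and whether it accepts any source address. The function names, the constructed community 2, and the treatment of 0.0.0.0 as the any-source host entry are assumptions.

```python
import shlex

# Internal management IPs the guide gives for the FortiControllers in slots 1 and 2.
INTERNAL_MGMT_IPS = {"10.101.10.1", "10.101.10.16"}
ANY_SOURCE = "0.0.0.0"  # assumption: host entry that matches any source address

def parse_snmp_hosts(config_text):
    """Return {community_id: [host_ip, ...]} from FortiOS CLI config text."""
    stack, communities = [], {}   # stack holds open 'config'/'edit' frames
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
            if cmd == "edit" and stack[:-1] == [("config", "system snmp community")]:
                communities.setdefault(stack[-1][1], [])
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            # 'end' closes the innermost 'config', including an edit left open in it.
            while stack and stack.pop()[0] != "config":
                pass
        elif cmd == "set" and args[:1] == ["ip"] and len(args) > 1:
            kinds = [kind for kind, _ in stack]
            if (kinds == ["config", "edit", "config", "edit"]
                    and stack[0][1] == "system snmp community"
                    and stack[2][1] == "hosts"):
                communities[stack[1][1]].append(args[1])  # address only, mask ignored
    return communities

def audit(config_text):
    """Per community: internal management IPs not listed, and any-source flag."""
    report = {}
    for cid, hosts in parse_snmp_hosts(config_text).items():
        any_source = ANY_SOURCE in hosts
        missing = [] if any_source else sorted(INTERNAL_MGMT_IPS - set(hosts))
        report[cid] = {"missing": missing, "any_source": any_source}
    return report

# Constructed sample: community 1 is the guide's example, community 2 is made up
# and lists only a management station address (192.0.2.50, documentation range).
SAMPLE = "\n".join([
    "config system snmp community", "edit 1", "config hosts",
    "edit 1", "set ip 10.101.10.1", "next", "edit 2", "set ip 10.101.10.16", "end",
    "next", "edit 2", "config hosts", "edit 1", "set ip 192.0.2.50", "next", "end",
    "next", "end",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A community reported with missing addresses will not match queries that arrive through the External Management IP, because the worker sees them with the FortiController's internal management IP as the source.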

You can manage individual workers using FortiManager, but this is not recommended.
