Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Handbook

HA reserved management interfaces

You can edit an HA cluster and configure one or more of the interfaces in the mgmt-vdom VDOM (mgmt1, mgmt2, and mgmt3) to be HA reserved management interfaces. You can then log into each FortiGate-6000 in the cluster and configure its reserved management interfaces with IP addresses and other custom interface settings as required. You can also configure routing for each reserved management interface. The result is that each FortiGate-6000 in the cluster has its own management interface or interfaces and each of these interfaces has its own IP address that is not synchronized to the other FortiGate-6000 in the cluster.

To configure an HA reserved management interface from the GUI, go to System > HA and enable Management Interface Reservation. Select one or more interfaces to be HA reserved management interfaces. Optionally configure routing for each reserved management interface. This routing configuration is not synchronized and can be configured separately for each FortiGate-6000 in the cluster.

To configure an HA reserved management interface from the CLI:

config system ha

set mode a-p

set ha-mgmt-status enable

set ha-direct enable

config ha-mgmt-interfaces

edit 0

set interface <interface>

set dst <destination-ip>

set gateway <gateway-ip>

set gateway6 <gateway-ipv6-ip>

end

end

Enabling ha-direct from the CLI is required if you plan to use the HA reserved management interface for SNMP, remote logging, or communicating with FortiSandbox. Enabling ha-direct is also required for some types of remote authentication, but is not required for RADIUS remote authentication.

<interface> can be mgmt1, mgmt2, or mgmt3. You can only select an interface if it has not been used in another configuration.

For more information, see Out-of-band management.

HA reserved management interfaces

You can edit an HA cluster and configure one or more of the interfaces in the mgmt-vdom VDOM (mgmt1, mgmt2, and mgmt3) to be HA reserved management interfaces. You can then log into each FortiGate-6000 in the cluster and configure its reserved management interfaces with IP addresses and other custom interface settings as required. You can also configure routing for each reserved management interface. The result is that each FortiGate-6000 in the cluster has its own management interface or interfaces and each of these interfaces has its own IP address that is not synchronized to the other FortiGate-6000 in the cluster.

To configure an HA reserved management interface from the GUI, go to System > HA and enable Management Interface Reservation. Select one or more interfaces to be HA reserved management interfaces. Optionally configure routing for each reserved management interface. This routing configuration is not synchronized and can be configured separately for each FortiGate-6000 in the cluster.

To configure an HA reserved management interface from the CLI:

config system ha

set mode a-p

set ha-mgmt-status enable

set ha-direct enable

config ha-mgmt-interfaces

edit 0

set interface <interface>

set dst <destination-ip>

set gateway <gateway-ip>

set gateway6 <gateway-ipv6-ip>

end

end

Enabling ha-direct from the CLI is required if you plan to use the HA reserved management interface for SNMP, remote logging, or communicating with FortiSandbox. Enabling ha-direct is also required for some types of remote authentication, but is not required for RADIUS remote authentication.

<interface> can be mgmt1, mgmt2, or mgmt3. You can only select an interface if it has not been used in another configuration.

For more information, see Out-of-band management.