Fortinet black logo

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000E Handbook

HA reserved management interfaces

You can edit an HA cluster and add one or more VLAN interfaces to the FortiGate-7000E management interface LAG and configure these VLAN interfaces to be HA reserved management interfaces. You can then log into each FortiGate-7000E in the cluster and configure its reserved management interfaces with IP addresses and other custom interface settings as required. You can also configure routing for each reserved management interface. The result is that each FortiGate-7000E in the cluster has its own management interface or interfaces and each of these interfaces has its own IP address that is not synchronized to the other FortiGate-7000E in the cluster.

After adding one or more VLAN interfaces to the FortiGate-7000E management interface LAG, to configure an HA reserved management interface from the GUI, go to System > HA and enable Management Interface Reservation. Select one or more interfaces to be HA reserved management interfaces. Optionally configure routing for each reserved management interface. This routing configuration is not synchronized and can be configured separately for each FortiGate-7000E in the cluster.

To configure an HA reserved management interface from the CLI:

config system ha

set mode a-p

set ha-mgmt-status enable

set ha-direct enable

config ha-mgmt-interfaces

edit 0

set interface <interface>

set dst <destination-ip>

set gateway <gateway-ip>

set gateway6 <gateway-ipv6-ip>

end

end

Enabling ha-direct from the CLI is required if you plan to use the HA reserved management interface for SNMP, remote logging, or communicating with FortiSandbox. Enabling ha-direct is also required for some types of remote authentication, but is not required for RADIUS remote authentication.

<interface> can be any VLAN interface that you have added to the FortiGate-7000E management interface (mgmt).

For more information, see Out-of-band management.

HA reserved management interfaces

You can edit an HA cluster and add one or more VLAN interfaces to the FortiGate-7000E management interface LAG and configure these VLAN interfaces to be HA reserved management interfaces. You can then log into each FortiGate-7000E in the cluster and configure its reserved management interfaces with IP addresses and other custom interface settings as required. You can also configure routing for each reserved management interface. The result is that each FortiGate-7000E in the cluster has its own management interface or interfaces and each of these interfaces has its own IP address that is not synchronized to the other FortiGate-7000E in the cluster.

After adding one or more VLAN interfaces to the FortiGate-7000E management interface LAG, to configure an HA reserved management interface from the GUI, go to System > HA and enable Management Interface Reservation. Select one or more interfaces to be HA reserved management interfaces. Optionally configure routing for each reserved management interface. This routing configuration is not synchronized and can be configured separately for each FortiGate-7000E in the cluster.

To configure an HA reserved management interface from the CLI:

config system ha

set mode a-p

set ha-mgmt-status enable

set ha-direct enable

config ha-mgmt-interfaces

edit 0

set interface <interface>

set dst <destination-ip>

set gateway <gateway-ip>

set gateway6 <gateway-ipv6-ip>

end

end

Enabling ha-direct from the CLI is required if you plan to use the HA reserved management interface for SNMP, remote logging, or communicating with FortiSandbox. Enabling ha-direct is also required for some types of remote authentication, but is not required for RADIUS remote authentication.

<interface> can be any VLAN interface that you have added to the FortiGate-7000E management interface (mgmt).

For more information, see Out-of-band management.