Administration Guide

Getting started
- Summary of steps
- Using the GUI
- Using the CLI
- Configuration and management
- Product registration with FortiCare
- FortiGate models
Dashboards and Monitors
- Using dashboards
- Using widgets
- Viewing device dashboards in the Security Fabric
- Creating a fabric system and license dashboard
- Dashboards
- Monitors
Network
- Interfaces
- DNS
- Explicit and transparent proxies
- DHCP servers and relays
- Static routing
- Dynamic routing
- Multicast
  - Multicast routing and PIM support
  - Configuring multicast forwarding
- FortiExtender
  - Adding a FortiExtender
- Direct IP support for LTE/4G
- LLDP reception
- Virtual routing and forwarding
- NetFlow
- sFlow
- Link monitor
- IPv6
- FortiGate LAN extension
- SCTP packets with zero checksum on the NP7 platform NEW
- Diagnostics
  - Using the packet capture tool
  - Using the debug flow tool
SD-WAN
- SD-WAN overview
  - SD-WAN components and design principles
  - SD-WAN designs and architectures
- SD-WAN quick start
- SD-WAN members and zones
  - Specify an SD-WAN zone in static routes and SD-WAN rules
- Performance SLA
- SD-WAN rules
- Advanced routing
- VPN overlay
- Advanced configuration
- SD-WAN cloud on-ramp
- SD-WAN Network Monitor service
- Troubleshooting SD-WAN
Zero Trust Network Access
- Zero Trust Network Access introduction
- ZTNA advanced configurations
  - Access control of unmanageable and unknown devices
  - HTTP2 connection coalescing and concurrent multiplexing for ZTNA
- ZTNA configuration examples
- ZTNA troubleshooting and debugging commands
- ZTNA troubleshooting scenarios
Policy and Objects
- Policies
- Address objects
- Protocol options
- Traffic shaping
- Internet Services
Security Profiles
- Inspection modes
- Antivirus
- Web filter
- Video filter
- DNS filter
- Application control
- Intrusion prevention
- File filter
  - Supported file types
- Email filter
- Data leak prevention
- VoIP solutions
- ICAP
- Web application firewall
  - Protecting a server running web applications
- SSL & SSH Inspection
- Custom signatures
- Overrides
- IP ban
- Profile groups
IPsec VPN
- General IPsec VPN configuration
- Site-to-site VPN
  - FortiGate-to-FortiGate
  - FortiGate-to-third-party
- Remote access
- Aggregate and redundant VPN
- Overlay Controller VPN (OCVPN)
- ADVPN
- Fabric Overlay Orchestrator
- Other VPN topics
- VPN IPsec troubleshooting
  - Understanding VPN related logs
  - IPsec related diagnose commands
SSL VPN
- SSL VPN best practices
- SSL VPN security best practices
- SSL VPN quick start
- SSL VPN tunnel mode
- SSL VPN web mode
- SSL VPN authentication
- SSL VPN to IPsec VPN
- SSL VPN protocols
- Configuring OS and host check
- FortiGate as SSL VPN Client
- Dual stack IPv4 and IPv6 support for SSL VPN
- Disable the clipboard in SSL VPN web mode RDP connections
- SSL VPN IP address assignments
- Using SSL VPN interfaces in zones
- SSL VPN troubleshooting
  - Debug commands
  - Troubleshooting common issues
User & Authentication
- User definition, groups, and settings
- LDAP servers
- RADIUS servers
- SAML
- TACACS+ servers
- FortiTokens
- PKI
  - Configuring a PKI user
  - Using the SAN field for LDAP-integrated certificate authentication
- FSSO
- Include usernames in logs
Wireless configuration
Switch Controller
System
- Administrators
  - Local authentication
  - Remote authentication for administrators
  - Administrator account options
  - REST API administrator
  - SSO administrators
  - FortiCloud SSO
  - Allowing the FortiGate to override FortiCloud SSO administrator user permissions
  - Password policy
  - Public key SSH access
  - Restricting SSH and Telnet jump host capabilities
  - Remote administrators with TACACS VSA attributes
- Administrator profiles
- Fabric Management
  - About firmware installations
  - Firmware maturity levels
  - Upgrading individual devices
  - Upgrading Fabric or managed devices
  - Enabling automatic firmware updates
  - Authorizing devices
  - Firmware upgrade notifications
  - Downloading a firmware image
  - Testing a firmware version
  - Installing firmware from system reboot
  - Restoring from a USB drive
  - Using controlled upgrades
  - Downgrading individual device firmware
  - Downloading the EOS support package for supported Fabric devices
- Settings
  - Default administrator password
  - Changing the host name
  - Setting the system time
    - SHA-1 authentication support (for NTPv4)
    - PTPv2
  - Configuring ports
    - Custom default service port range
  - Setting the idle timeout time
  - Setting the password policy
  - Changing the view settings
  - Setting the administrator password retries and lockout time
  - TLS configuration
  - Controlling return path with auxiliary session
  - Email alerts
  - Using configuration save mode
  - Trusted platform module support
  - Using the default certificate for HTTPS administrative access
- Virtual Domains
  - VDOM overview
  - General configurations
  - Backing up and restoring configurations in multi-VDOM mode
  - Inter-VDOM routing configuration example: Internet access
  - Inter-VDOM routing configuration example: Partial-mesh VDOMs
- High Availability
  - FGCP
  - FGSP
  - Standalone configuration synchronization
    - Layer 3 unicast standalone configuration synchronization
  - VRRP
  - Session failover
- SNMP
  - Basic configuration
  - MIB files
  - Access control for SNMP
  - Important SNMP traps
  - SNMP examples
- Replacement messages
- Replacement message groups
- FortiGuard
  - Anycast
  - Configuring FortiGuard updates
  - Using a proxy server to connect to the FortiGuard Distribution Network
  - Manual updates
  - Automatic updates
  - Scheduled updates
  - Sending malware statistics to FortiGuard
  - Update server location
  - Filtering
  - Online security tools
  - Anycast and unicast services
  - Using FortiManager as a local FortiGuard server
  - Cloud service communication statistics
  - IoT detection service
  - FortiAP query to FortiGuard IoT service to determine device details
  - FortiGate Cloud / FDN communication through an explicit proxy
  - FDS-only ISDB package in firmware images
  - Licensing in air-gap environments
  - License expiration
- Feature visibility
- Certificates
  - Automatically provision a certificate
  - Generate a new certificate
  - Regenerate default certificates
  - Import a certificate
  - Generate a CSR
  - CA certificate
  - Remote certificate
  - Certificate revocation list
  - Export a certificate
  - Uploading certificates using an API
  - Procuring and importing a signed SSL certificate
  - Microsoft CA deep packet inspection
  - Administrative access using certificates
  - Creating certificates with XCA
- Security
  - BIOS-level signature and file integrity checking
  - Real-time file system integrity checking
  - Running a file system check automatically
  - Built-in entropy source
  - FortiGate VM unique certificate
- Configuration scripts
- Workspace mode
- Custom languages
- RAID
- FortiGate encryption algorithm cipher suites
- Conserve mode
- Using APIs
- Configuration backups and reset
Fortinet Security Fabric
- Components
- Security Fabric connectors
- Using the Security Fabric
- Configuring the Security Fabric with SAML
- Security rating
  - Security Fabric score
- Automation stitches
- Public and private SDN connectors
- Endpoint/Identity connectors
- Threat feeds
- Monitoring the Security Fabric using FortiExplorer for Apple TV
  - NOC and SOC example
- Troubleshooting
  - Viewing a summary of all connected FortiGates in a Security Fabric
  - Diagnosing automation stitches
Log and Report
- Viewing event logs
- System Events log page
- Security Events log page
- Reports page
- Log settings and targets
- Logging to FortiAnalyzer
- Advanced and specialized logging
- Sample logs by log type
- Troubleshooting
WAN optimization
- Overview
- Example topologies
- Configuration examples
VM
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- OCI
- AliCloud
- Private cloud
- VM license
- Permanent trial mode for FortiGate-VM
- Adding VDOMs with FortiGate v-series
- PF and VF SR-IOV driver and virtual SPU support
- Using OCI IMDSv2
- FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs
- Cloud-init
- TPM support for FortiGate-VM
Hyperscale firewall
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting scenarios
- CLI troubleshooting cheat sheet
- CLI error codes
- Additional resources
Change Log

Home FortiGate / FortiOS 7.2.8 Administration Guide

7.2.8

Out-of-band management with reserved management interfaces

As part of an HA configuration, you can reserve up to four management interfaces to provide direct management access to all cluster units. For each reserved management interface, you can configure a different IP address, administrative access, and other interface settings, for each cluster unit. By connecting these interfaces to your network, you can separately manage each cluster unit from different IP addresses.

Reserved management interfaces provide direct management access to each cluster unit, and give each cluster unit a different identity on your network. This simplifies using external services, such as SNMP, to monitor separate cluster units.
Reserved management interfaces are not assigned HA virtual MAC addresses. They retain the permanent hardware address of the physical interface, unless you manually change it using the config system interface command.
Reserved management interfaces and their IP addresses should not be used for managing a cluster using FortiManager. To manage a FortiGate HA cluster with FortiManager, use the IP address of one of the cluster unit interfaces.
Configuration changes to a reserved management interface are not synchronized to other cluster units. Other configuration changes are automatically synchronized to all cluster units.

You can configure an in-band management interface for a cluster unit. See In-band management for information. In-band management does not reserve the interface exclusively for HA management.

Management interface

Enable HTTPS or HTTP administrative access on the reserved management interfaces to connect to the GUI of each cluster unit. On secondary units, the GUI has the same features as the primary unit, except for unit specific information, for example:

The System Information widget on the Status dashboard shows the secondary unit's serial number.
In the cluster members list at System > HA, you can change the HA configuration of the unit that you are logged into. You can only change the host name and device priority of the primary and other secondary units.
The system events logs show logs for the device that you are logged into. Use the HA device drop down to view the log messages for other cluster units, including the primary unit.

Enable SSH administrative access on the reserved management interfaces to connect to the CLI of each cluster unit. The CLI prompt includes the host of the cluster unit that you are connected to. Use the execute ha manage command to connect to other cluster unit CLIs.

Enable SNMP administrative access on a reserved management interface to use SNMP to monitor each cluster unit using the interface's IP address. Direct management of cluster members must also be enabled, see Configuration examples.

Reserved management interfaces are available in both NAT and transparent mode, and when the cluster is operating with multiple VDOMs.

FortiCloud, FortiSandbox, and other management services

By default, management services such as FortiCloud, FortiSandbox, SNMP, remote logging, and remote authentication, use a cluster interface. This means that communication from each cluster unit will come from a cluster interface of the primary unit, and not from the individual cluster unit's interface.

You can configure HA reserved management interfaces to be used for communication with management services by enabling the ha-direct option. This separates management traffic for each cluster unit, and allows each unit to be individually managed. This is especially useful when cluster units are in different physical locations.

The following management features will then use the HA reserved management interface:

SSH, HTTP, HTTPS administration
Remote logging, including syslog, FortiAnalyzer, and FortiCloud
SNMP queries and traps
Remote authentication and certificate verification using LDAP, RADIUS, or TACACS+
Communication with FortiSandbox
Netflow and sflow, see Routing NetFlow data over the HA management interface for information.
FortiManager management tunnel

Any other management function not explicitly listed above is not supported, such as Security Fabric connectivity and new device registration.

Syntax for HA reserved management interfaces is as follows:

config system ha
    set ha-direct enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <interface>
            set dst <destination IP>
            set gateway <IPv4 gateway>
            set gateway6 <IPv6 gateway>
        next
    end
end

The ha-direct option is a pre-requisite for allowing communication on each HA reserved management interface for various management services listed above. Once enabled, all source-ip settings will be unset from log related, netflow and sflow management services.

SNMP requires ha-direct to be configured under SNMP settings only. See below for more configuration options.

Configuration examples

The configuration examples below will use the following topology:

Two FortiGate units are already operating in a cluster. On each unit, port8 is connected to the internal network through a switch and configured as an out-of-band reserved management interface.

Configuration changes to the reserved management interface are not synchronized to other cluster units.

Administrative access and default route for HA management interface

To configure the primary unit's reserved management interface, configure an IP address and management access on port8. Then, configure the necessary HA settings to enable the HA reserved management interface and its route. To configure the secondary unit's reserved management interface, access the unit's CLI through the primary unit, and configure an IP address, management access on port8, and the necessary HA settings. Configuration changes to the reserved management interface are not synchronized to other cluster units.

To configure the primary unit reserved management interface to allow HTTPS, SSH, and ICMP access:

From a computer on the internal network, connect to the CLI at 10.11.101.100 on port2.

Change the port8 IP address and management access:

config system interface
    edit port8
        set ip 10.11.101.101/24
        set allowaccess https ping ssh
    next
end

Configure the HA settings for the HA reserved management interface by defining a default route to route to the gateway 10.11.101.2:
```
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port8
            set gateway 10.11.101.2
        next
    end
end
```
You can now log into the primary unit's GUI by browsing to https://10.11.101.101. You can also log into the primary unit's CLI by using an SSH client to connect to 10.11.101.101.

To configure secondary unit reserved management interfaces to allow HTTPS, SSH, and ICMP access:

From a computer on the internal network, connect to the primary unit's CLI.
Connect to the secondary unit with the following command:
```
execute ha manage <unit id> <username> <password>
```

Change the port8 IP address and management access:

config system interface
    edit port8
        set ip 10.11.101.102/24
        set allowaccess https ping ssh
    next
end

exit

Configure the HA settings for the HA reserved management interface by defining a default route to route to the gateway 10.11.101.2:
```
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port8
            set gateway 10.11.101.2
        next
    end
end
```
You can now log into the secondary unit's GUI by browsing to https://10.11.101.102. You can also log into the secondary unit's CLI by using an SSH client to connect to 10.11.101.102.

SNMP monitoring

The SNMP server can get status information from the cluster members. To use the reserved management interfaces, you must add at least one HA direct management host to an SNMP community. If the SNMP configuration includes SNMP users with user names and passwords, HA direct management must be enabled for the users.

To configure the cluster for SNMP management using the reserved management interfaces in the CLI:

Allow SNMP on port8 on both primary and secondary units:

config system interface
    edit port8
        append allowaccess snmp
    next
end

Add an SNMP community with a host for the reserved management interface of each cluster member. The host includes the IP address of the SNMP server.

config system snmp community
    edit 1
        set name "Community"
        config hosts
            edit 1
                set ip 10.11.101.20 255.255.255.255
                set ha-direct enable
            next
        end
    next
end

Enabling ha-direct in a non-HA environment will make SNMP unusable.

Add an SNMP user for the reserved management interface:

config system snmp user
    edit "1"
        set notify-hosts 10.11.101.20
        set ha-direct enable
    next
end

The SNMP configuration is synchronized to all cluster units.

To get CPU, memory, and network usage information from the SNMP manager for each cluster unit using the reserved management IP addresses:

Connect to the SNMP manager CLI.

Get resource usage information for the primary unit using the MIB fields:

snmpget -v2c -c Community 10.11.101.101 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsNetUsage

Get resource usage information for the primary unit using the OIDs:

snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

Get resource usage information for the secondary unit using the MIB fields:

snmpget -v2c -c Community 10.11.101.102 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsNetUsage

Get resource usage information for the primary unit using the OIDs:

snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

Firewall local-in policies for the reserved management interface

Enabling ha-mgmt-intf-only applies the local-in policy only to the VDOM that contains the reserved management interface. The incoming interface is set to match any interface in the VDOM.

To add local-in policies for the reserved management interface:

config firewall local-in-policy
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        set srcaddr internal-net
        set dstaddr mgmt-int
        set action accept
        set service HTTPS
        set schedule weekdays
    next
end

NTP over reserved management interfaces

When NTP is enabled in an HA cluster, the primary unit will always be the unit to contact the NTP server and synchronize system time to the secondary units over the HA heartbeat interface. However, in the event that the primary should contact the NTP server over the HA reserved management interface, then the ha-direct option should be enabled under the config system ha settings.

config system interface
    edit port5
        set ip 172.16.79.46 255.255.255.0
    next
end

config system ha
    set group-name FGT-HA
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port5
            set gateway 172.16.79.1
        next
    end
    set ha-direct enable
end

config system ntp
    set ntpsync enable
    set syncinterval 5
end

Out-of-band management with reserved management interfaces

Reserved management interfaces provide direct management access to each cluster unit, and give each cluster unit a different identity on your network. This simplifies using external services, such as SNMP, to monitor separate cluster units.
Reserved management interfaces are not assigned HA virtual MAC addresses. They retain the permanent hardware address of the physical interface, unless you manually change it using the config system interface command.
Reserved management interfaces and their IP addresses should not be used for managing a cluster using FortiManager. To manage a FortiGate HA cluster with FortiManager, use the IP address of one of the cluster unit interfaces.
Configuration changes to a reserved management interface are not synchronized to other cluster units. Other configuration changes are automatically synchronized to all cluster units.

You can configure an in-band management interface for a cluster unit. See In-band management for information. In-band management does not reserve the interface exclusively for HA management.

Management interface

The System Information widget on the Status dashboard shows the secondary unit's serial number.
In the cluster members list at System > HA, you can change the HA configuration of the unit that you are logged into. You can only change the host name and device priority of the primary and other secondary units.
The system events logs show logs for the device that you are logged into. Use the HA device drop down to view the log messages for other cluster units, including the primary unit.

Reserved management interfaces are available in both NAT and transparent mode, and when the cluster is operating with multiple VDOMs.

FortiCloud, FortiSandbox, and other management services

The following management features will then use the HA reserved management interface:

SSH, HTTP, HTTPS administration
Remote logging, including syslog, FortiAnalyzer, and FortiCloud
SNMP queries and traps
Remote authentication and certificate verification using LDAP, RADIUS, or TACACS+
Communication with FortiSandbox
Netflow and sflow, see Routing NetFlow data over the HA management interface for information.
FortiManager management tunnel

Any other management function not explicitly listed above is not supported, such as Security Fabric connectivity and new device registration.

Syntax for HA reserved management interfaces is as follows:

config system ha
    set ha-direct enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <interface>
            set dst <destination IP>
            set gateway <IPv4 gateway>
            set gateway6 <IPv6 gateway>
        next
    end
end

SNMP requires ha-direct to be configured under SNMP settings only. See below for more configuration options.

Configuration examples

The configuration examples below will use the following topology:

Two FortiGate units are already operating in a cluster. On each unit, port8 is connected to the internal network through a switch and configured as an out-of-band reserved management interface.

Configuration changes to the reserved management interface are not synchronized to other cluster units.

Administrative access and default route for HA management interface

To configure the primary unit reserved management interface to allow HTTPS, SSH, and ICMP access:

From a computer on the internal network, connect to the CLI at 10.11.101.100 on port2.

Change the port8 IP address and management access:

config system interface
    edit port8
        set ip 10.11.101.101/24
        set allowaccess https ping ssh
    next
end

Configure the HA settings for the HA reserved management interface by defining a default route to route to the gateway 10.11.101.2:
```
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port8
            set gateway 10.11.101.2
        next
    end
end
```
You can now log into the primary unit's GUI by browsing to https://10.11.101.101. You can also log into the primary unit's CLI by using an SSH client to connect to 10.11.101.101.

To configure secondary unit reserved management interfaces to allow HTTPS, SSH, and ICMP access:

From a computer on the internal network, connect to the primary unit's CLI.
Connect to the secondary unit with the following command:
```
execute ha manage <unit id> <username> <password>
```

Change the port8 IP address and management access:

config system interface
    edit port8
        set ip 10.11.101.102/24
        set allowaccess https ping ssh
    next
end

exit

Configure the HA settings for the HA reserved management interface by defining a default route to route to the gateway 10.11.101.2:
```
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port8
            set gateway 10.11.101.2
        next
    end
end
```
You can now log into the secondary unit's GUI by browsing to https://10.11.101.102. You can also log into the secondary unit's CLI by using an SSH client to connect to 10.11.101.102.

SNMP monitoring

To configure the cluster for SNMP management using the reserved management interfaces in the CLI:

Allow SNMP on port8 on both primary and secondary units:

config system interface
    edit port8
        append allowaccess snmp
    next
end

Add an SNMP community with a host for the reserved management interface of each cluster member. The host includes the IP address of the SNMP server.

config system snmp community
    edit 1
        set name "Community"
        config hosts
            edit 1
                set ip 10.11.101.20 255.255.255.255
                set ha-direct enable
            next
        end
    next
end

Enabling ha-direct in a non-HA environment will make SNMP unusable.

Add an SNMP user for the reserved management interface:

config system snmp user
    edit "1"
        set notify-hosts 10.11.101.20
        set ha-direct enable
    next
end

The SNMP configuration is synchronized to all cluster units.

To get CPU, memory, and network usage information from the SNMP manager for each cluster unit using the reserved management IP addresses:

Connect to the SNMP manager CLI.

Get resource usage information for the primary unit using the MIB fields:

snmpget -v2c -c Community 10.11.101.101 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.101 fgHaStatsNetUsage

Get resource usage information for the primary unit using the OIDs:

snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.101 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

Get resource usage information for the secondary unit using the MIB fields:

snmpget -v2c -c Community 10.11.101.102 fgHaStatsCpuUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsMemUsage
snmpget -v2c -c Community 10.11.101.102 fgHaStatsNetUsage

Get resource usage information for the primary unit using the OIDs:

snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.3.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.4.1
snmpget -v2c -c Community 10.11.101.102 1.3.6.1.4.1.12356.101.13.2.1.1.5.1

Firewall local-in policies for the reserved management interface

Enabling ha-mgmt-intf-only applies the local-in policy only to the VDOM that contains the reserved management interface. The incoming interface is set to match any interface in the VDOM.

To add local-in policies for the reserved management interface:

config firewall local-in-policy
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        set srcaddr internal-net
        set dstaddr mgmt-int
        set action accept
        set service HTTPS
        set schedule weekdays
    next
end

NTP over reserved management interfaces

config system interface
    edit port5
        set ip 172.16.79.46 255.255.255.0
    next
end

config system ha
    set group-name FGT-HA
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port5
            set gateway 172.16.79.1
        next
    end
    set ha-direct enable
end

config system ntp
    set ntpsync enable
    set syncinterval 5
end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Out-of-band management with reserved management interfaces

Out-of-band management with reserved management interfaces

Management interface

FortiCloud, FortiSandbox, and other management services

Configuration examples

Administrative access and default route for HA management interface

To configure the primary unit reserved management interface to allow HTTPS, SSH, and ICMP access:

To configure secondary unit reserved management interfaces to allow HTTPS, SSH, and ICMP access:

SNMP monitoring

To configure the cluster for SNMP management using the reserved management interfaces in the CLI:

To get CPU, memory, and network usage information from the SNMP manager for each cluster unit using the reserved management IP addresses:

Firewall local-in policies for the reserved management interface

To add local-in policies for the reserved management interface: