
Administration Guide

Configuring geo-redundant HA with VRRP failover with NAT

In the following scenario, HA with VRRP failover is configured for two FortiManager devices in different geographic areas for geo-redundancy using Layer 3.

In this example, FortiManager-A is on the 192.0.2.160/28 subnet and FortiManager-B is on the 192.0.2.176/28 subnet. FortiManager-A has a static NAT to public IP 198.51.100.1, and FortiManager-B has static NAT to public IP 203.0.113.1.

The internal FortiGates have internal routing to both FortiManagers using the private IPs 192.0.2.161 and 192.0.2.177 for FortiManager-A and FortiManager-B respectively. External FortiGates reach the public IPs 198.51.100.1 and 203.0.113.1 for FortiManager-A and FortiManager-B respectively.

This topic includes the following sections:

  • Configure geo-redundant FortiManager HA with VRRP failover
  • Verifying the HA status
  • Additional FortiManager configuration
  • Adding a managed FortiGate to the FortiManager cluster
  • Testing VRRP failover

Configure geo-redundant FortiManager HA with VRRP failover

To configure geo-redundant HA with VRRP failover:
  1. Configure the HA settings on FortiManager-A.

    1. On FortiManager-A, go to System Settings > HA.

    2. Configure the Cluster Settings as follows, and click Apply.

      Failover Mode: VRRP

      Peer IP and Peer SN: Choose the following:

      • IP Type: IPv4

      • Peer IP: Enter the IP address of FortiManager-B (example, 192.0.2.177).

      • Peer SN: Enter the serial number of the peer device.

      VIP: Enter the VIP address for the cluster (example, 192.0.2.1). This is a dummy IP and will not be used for deployment or management. The VIP MUST be identical in all peers.

      VRRP Interface: Choose the VRRP interface (example, port1).

      Priority: 200

      Unicast: On. In Geo-HA it is mandatory to use Unicast, as the peers are not in the same Layer 2 domain.

  2. Configure the HA settings on FortiManager-B.

    1. On FortiManager-B, go to System Settings > HA.

    2. Configure the Cluster Settings as follows, and click Apply.

      Failover Mode: VRRP

      Peer IP and Peer SN: Choose the following:

      • IP Type: IPv4

      • Peer IP: Enter the IP address of FortiManager-A (example, 192.0.2.161).

      • Peer SN: Enter the serial number of the peer device.

      VIP: Enter the VIP address for the cluster (example, 192.0.2.1). This is a dummy IP and will not be used for deployment or management. The VIP MUST be identical in all peers.

      VRRP Interface: Choose the VRRP interface (example, port1).

      Priority: 100

      Unicast: On. In Geo-HA it is mandatory to use Unicast, as the peers are not in the same Layer 2 domain.
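The constraints the two procedures above impose (identical VIP on both peers, Unicast on because the peers share no Layer 2 domain, each unit's Peer IP being the other unit's own address, distinct priorities so the election has one winner) can be checked before anything is typed into the GUI. The following is an added example, not Fortinet's code or a FortiManager API; the `HaPeer` field names are assumptions, and the sample values are the addresses and priorities used on this page.

```python
# Added example, not Fortinet's code: sanity-check a planned pair of
# FortiManager Geo-HA VRRP settings before entering them in System Settings > HA.
# Rules checked are the ones stated in the procedure: same VIP on both peers,
# Unicast on, each unit's Peer IP equals the other unit's own address, and the
# priorities differ. Field names and sample values are constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass
class HaPeer:
    name: str
    own_ip: str          # this unit's address on the VRRP interface
    subnet: str          # the subnet that interface sits on
    peer_ip: str         # the "Peer IP" field
    vip: str
    vrrp_interface: str
    priority: int
    unicast: bool


def check_geo_ha(a: HaPeer, b: HaPeer) -> list[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for unit, other in ((a, b), (b, a)):
        net = ipaddress.ip_network(unit.subnet, strict=False)
        if ipaddress.ip_address(unit.own_ip) not in net:
            problems.append(f"{unit.name}: own IP {unit.own_ip} is not inside {unit.subnet}")
        if unit.peer_ip != other.own_ip:
            problems.append(
                f"{unit.name}: Peer IP {unit.peer_ip} is not {other.name}'s address {other.own_ip}")
        if not unit.unicast:
            problems.append(f"{unit.name}: Unicast is off, but it is mandatory for Geo-HA")
    if a.vip != b.vip:
        problems.append(f"VIP differs ({a.vip} vs {b.vip}); it must be identical on all peers")
    if a.priority == b.priority:
        problems.append(f"both peers have priority {a.priority}; the election needs distinct values")
    return problems


def expected_primary(a: HaPeer, b: HaPeer) -> str:
    """The unit with the higher VRRP priority is expected to become Primary."""
    return a.name if a.priority > b.priority else b.name


# Constructed from the addresses and priorities used on this page.
FMG_A = HaPeer("FortiManager-A", "192.0.2.161", "192.0.2.160/28", "192.0.2.177",
               "192.0.2.1", "port1", 200, True)
FMG_B = HaPeer("FortiManager-B", "192.0.2.177", "192.0.2.176/28", "192.0.2.161",
               "192.0.2.1", "port1", 100, True)

if __name__ == "__main__":
    for line in check_geo_ha(FMG_A, FMG_B) or ["no problems found"]:
        print(line)
    print("expected Primary:", expected_primary(FMG_A, FMG_B))
```

Run it with the two planned peers filled in; an empty problem list and the expected Primary name are what you want to see before clicking Apply on either unit.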

Verifying the HA status

To verify the HA status:
  1. Access both FortiManager-A and FortiManager-B.

  2. Using the GUI, you can view the HA Status on the top-right corner of each FortiManager and from System Settings > HA.

  3. Using the CLI, you can run the following commands to get additional information about the HA status:

    Command: get system ha-status
    Description: Print the HA status.

    Command: diagnose ha stats
    Description: Diagnose the HA status.

    Command: diagnose sniffer packet <interface> "vrrp"
    Description: Run the packet sniffer on the interface used by the VRRP protocol, with "vrrp" as the filter. Use it to verify that advertisements are sent with the expected method for the Unicast mode setting (unicast to the peer when Unicast mode is enabled, VRRP multicast when it is disabled).

Additional FortiManager configuration

Depending on the scenario, FortiManager can be reached on either 2 or 4 IP addresses (192.0.2.161 and 192.0.2.177 for internal FortiGates, and 198.51.100.1 and 203.0.113.1 for external FortiGates). It is a best practice to define all FortiManager IPs that will be used to manage FortiGates, so that they are reflected in the FortiGate config system central-management settings when a FortiGate is added from FortiManager.

Defining FortiManager IPs:
  • Using the FortiManager CLI, you can run the following configuration:

    config system admin setting
        set mgmt-fqdn <FQDN_1 | IP_1> <FQDN_2 | IP_2> ... <FQDN_N | IP_N>
    end

    Note

    You can add up to a total of 10 IP addresses or FQDNs to the mgmt-fqdn attribute.

  • For example, in this scenario it will be as follows:

    config system admin setting
        set mgmt-fqdn 192.0.2.161 192.0.2.177 198.51.100.1 203.0.113.1
    end

Adding a managed FortiGate to the FortiManager cluster

To onboard using the FortiManager Device Manager:
  1. On FortiManager-A, go to Device Manager > Device & Groups > Managed FortiGate.

  2. Click Add Device > Discover Device.

  3. Enable Use Legacy Device Login and enter the device IP Address, User Name, and Password.

  4. Click Next, Next, and Import Later.

  5. Run the show system central-management command in the FortiGate CLI to check the management IP addresses:

    show system central-management

    config system central-management
        set type fortimanager
        set fmg "192.0.2.161" "192.0.2.177" "198.51.100.1" "203.0.113.1"
    end

    The IP addresses shown should reflect the IP addresses and FQDNs configured in FortiManager under config system admin setting, as explained in the previous section.

Note

In case of failover, the FortiGate tries to reach all IP addresses configured under config system central-management, and only the Primary FortiManager responds.

To onboard using the Central Management connector on FortiGate:
  1. On FortiGate, go to Security Fabric > Fabric Connectors > Central Management.

  2. Under IP/Domain, click the + button to add more IP addresses.

  3. Enter all of the FortiManager IP addresses and click OK.
    For example, in this scenario the external FortiGate devices will use the public IPs 198.51.100.1 and 203.0.113.1.

  4. You can authorize the device using the dialog from the FortiGate or from the Device Manager on the Primary FortiManager in the root ADOM.

  5. Run show system central-management in the FortiGate CLI to check the management IP addresses. For example:

    show system central-management

    config system central-management
        set type fortimanager
        set fmg "198.51.100.1" "203.0.113.1"
    end

    The IP addresses displayed should match those configured in step 2.
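Both onboarding procedures end with the same check: the `set fmg` list in the FortiGate's `show system central-management` output must consist of addresses that FortiManager actually advertises in `set mgmt-fqdn`. An internal FortiGate may list all four addresses and an external one only the two public IPs, so an address that is merely absent is not an error, while an address FortiManager never advertised is (after a failover the FortiGate would try it and nothing would answer). The following is an added example, not Fortinet's or FortiOS code; the sample outputs are constructed from the values shown on this page, and the typo case reuses the mistaken address 203.0.133.1 to show what a mismatch looks like.

```python
# Added example, not Fortinet's or FortiOS code: parse the FortiGate
# `show system central-management` output and compare its `set fmg` list with the
# addresses defined in FortiManager's `set mgmt-fqdn`. Sample outputs below are
# constructed from the values on this page.
import shlex
from dataclasses import dataclass

# Values from `config system admin setting` / `set mgmt-fqdn` in the section above.
FMG_MGMT_FQDN = ["192.0.2.161", "192.0.2.177", "198.51.100.1", "203.0.113.1"]

INTERNAL_FGT_OUTPUT = """\
config system central-management
    set type fortimanager
    set fmg "192.0.2.161" "192.0.2.177" "198.51.100.1" "203.0.113.1"
end
"""

EXTERNAL_FGT_OUTPUT = """\
config system central-management
    set type fortimanager
    set fmg "198.51.100.1" "203.0.113.1"
end
"""


@dataclass
class FmgCheck:
    configured: list[str]        # what the FortiGate has under `set fmg`
    unknown: list[str]           # configured but not advertised by FortiManager: a misconfiguration
    missing: list[str]           # advertised but not configured: informational only
    type_is_fortimanager: bool   # `set type fortimanager` present

    @property
    def ok(self) -> bool:
        return self.type_is_fortimanager and bool(self.configured) and not self.unknown


def parse_central_management(text: str) -> dict[str, list[str]]:
    """Map each `set <key> ...` inside the central-management block to its values."""
    settings: dict[str, list[str]] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system central-management":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":
            break
        if line.startswith("set "):
            tokens = shlex.split(line[len("set "):])   # shlex strips the quotes around each IP
            settings[tokens[0]] = tokens[1:]
    return settings


def check_fmg_targets(text: str, advertised: list[str]) -> FmgCheck:
    """Compare the FortiGate's `set fmg` list with FortiManager's mgmt-fqdn list."""
    settings = parse_central_management(text)
    fmg = settings.get("fmg", [])
    return FmgCheck(
        configured=fmg,
        unknown=[ip for ip in fmg if ip not in advertised],
        missing=[ip for ip in advertised if ip not in fmg],
        type_is_fortimanager=settings.get("type") == ["fortimanager"],
    )


if __name__ == "__main__":
    for label, output in (("internal", INTERNAL_FGT_OUTPUT), ("external", EXTERNAL_FGT_OUTPUT)):
        result = check_fmg_targets(output, FMG_MGMT_FQDN)
        print(f"{label}: ok={result.ok} unknown={result.unknown} missing={result.missing}")
```

Paste the real `show system central-management` output into `check_fmg_targets` in place of the constructed samples; `ok` is false only when the type is wrong, the list is empty, or an address appears that FortiManager does not advertise.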

Testing VRRP failover

To test the failover configuration:
  1. On the FortiGate, run the following command in the CLI:

    get system central-management

    In the serial-number field, the serial numbers for both FortiManager-A and FortiManager-B are listed. FortiManager-A is listed first because it is currently acting as the Primary device.

  2. In the CLI for FortiManager-A, run diagnose ha force-vrrp-election, which triggers a failover to the FortiManager with the next highest priority.

  3. Refresh the page and you will notice that the HA status of FortiManager-A becomes Secondary.

  4. Go to FortiManager-B, and confirm that the HA status has changed to Primary.

  5. Enter the following command in the CLI to confirm the status of FortiManager-A. FortiManager-A continues to act as the Secondary device until the next VRRP election occurs.

    diagnose ha stats

  6. On the FortiGate, run the following command in the CLI.

    get system central-management

    In the serial-number field, the serial numbers for both FortiManager-A and FortiManager-B are listed. FortiManager-B will be listed first because it is now acting as the Primary device.
