
FortiGate Question

  • 29-07-2016 12:05pm, #1, T-K-O


    Hi guys,

    In a Fortigate cluster with a ha-mgmt interface, is it possible to use that interface for a mgmt network?

    Once I configure the interface, it is no longer in the root VDOM and I cannot hit the default gateway.


Comments

  • Cuddlesworth


    T-K-O wrote: »
    Hi guys,

    In a Fortigate cluster with a ha-mgmt interface, is it possible to use that interface for a mgmt network?

    Once I configure the interface, it is no longer in the root VDOM and I cannot hit the default gateway.

    Did you create a gateway for the HA management interface?
    config system ha
        set ha-mgmt-status enable
        set ha-mgmt-interface "mgmt1"
        set ha-mgmt-interface-gateway 10.100.200.254
    end

    config system interface
        edit "mgmt1"
            set ip 10.100.200.1 255.255.255.0
            set allowaccess ping https ssh snmp fgfm
        next
    end


    In the web GUI, did you enable "dedicated management interface" on it?


  • T-K-O


    Thanks for the response. I do not believe I can create the 'mgmt1' interface as I am working on a 60D, no Mgmt port?

    My HA config:
    config system ha
    set group-name "My-Cluster"
    set mode a-p
    set password ENC password
    set hbdev "internal7" 100
    set ha-mgmt-status enable
    set ha-mgmt-interface "internal6"
    set ha-mgmt-interface-gateway 172.16.0.6
    set override enable
    set priority 130
    set monitor "internal4" "internal5" "wan1" "wan2"
    end

    Interface 6:

    config system interface
    edit "internal6"
    set ip 172.16.0.5 255.255.255.248
    set allowaccess ping https fgfm
    set type physical
    set alias "mgmt"
    set device-identification enable
    set snmp-index 9
    next
    end

    Also, there is no option for a dedicated management interface in the GUI or the CLI.

    Cuddlesworth wrote: »
    Did you create a gateway for the HA management interface?
    config system ha
        set ha-mgmt-status enable
        set ha-mgmt-interface "mgmt1"
        set ha-mgmt-interface-gateway 10.100.200.254
    end

    config system interface
        edit "mgmt1"
            set ip 10.100.200.1 255.255.255.0
            set allowaccess ping https ssh snmp fgfm
        next
    end

    In the web GUI, did you enable "dedicated management interface" on it?


  • Cuddlesworth


    It's been a while, but since OS 5.2 it's better to work out of the GUI. Configuring HA is done via System > Config > HA.

    If I'm clear on this, you are looking to set up management IPs on both individual boxes as well as using the HA address?

    Because if this is not the case, and you lose access to the gateway, I'd look at your L2 config first. The HA and interface config looks good.


  • T-K-O


    Cuddlesworth wrote: »
    It's been a while, but since OS 5.2 it's better to work out of the GUI. Configuring HA is done via System > Config > HA.

    If I'm clear on this, you are looking to set up management IPs on both individual boxes as well as using the HA address?

    Because if this is not the case, and you lose access to the gateway, I'd look at your L2 config first. The HA and interface config looks good.

    Yep, I thought the HA config was good, no issues with failover, syncing etc.

    I could live with a single management IP for the cluster. Ideally, I want to manage my l2 switches from the Fortigate.

    Internal6 - 172.16.0.5 is directly connected to a switch, IP 172.16.0.2

    However, pings fail and there is no route in the FG routing table. I have several networks connected and working. The only difference in the config is that internal6 is not in the root VDOM :/


  • Cuddlesworth


    I think you need to do this within the webgui if you need to do that.

    1. Go to System > Config > HA.
    2. Edit the primary unit.
    3. Select Reserve Management Port for Cluster Member and select port 6.
    4. Select OK

    Page 156 onwards.

    http://docs.fortinet.com/uploaded/files/1088/fortigate-ha-50.pdf


  • T-K-O


    No luck :(

    Once I tick that box or enter the following

    set ha-mgmt-status enable
    set ha-mgmt-interface "internal6"
    set ha-mgmt-interface-gateway 172.16.0.6

    The routing table entry for the 172 network disappears and the interface6 is removed from the root vdom.

    That document talks about the management of the Fortigate unit and not l2 devices downstream, beginning to think this is by design and my layout is square peg round hole!
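    As an added example (not code from the thread or from Fortinet), a small Python linter that parses FortiOS CLI snippets like the ones posted above and flags the reserved-management-port pitfalls the thread runs into: the port leaves the root VDOM and loses its data-plane route, the HA gateway must sit in the port's own subnet, and management access on it should not be cleartext. The sample config is constructed from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample shaped like the CLI snippets quoted in the thread (hypothetical values).
SAMPLE_CONFIG = """
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "internal6"
    set ha-mgmt-interface-gateway 172.16.0.6
end
config system interface
    edit "internal6"
        set ip 172.16.0.5 255.255.255.248
        set allowaccess ping https fgfm
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts; 'set' values are token lists."""
    root, stack = {}, []
    cur = root
    for raw in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if tok[0] in ("config", "edit"):  # open a nested scope
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close the scope
            cur = stack.pop()
    return root

def lint_ha_mgmt(cfg):
    """Return (level, message) findings about the reserved HA management port."""
    ha = cfg.get("system ha", {})
    if ha.get("ha-mgmt-status", ["disable"])[0] != "enable":
        return []
    name = ha["ha-mgmt-interface"][0]
    iface = cfg.get("system interface", {}).get(name, {})
    # Reserving the port pulls it out of the root VDOM, so it carries no data-plane route.
    out = [("info", f"{name}: reserved HA mgmt port, removed from root VDOM routing (out-of-band only)")]
    if "ip" in iface:
        net = ipaddress.ip_interface("/".join(iface["ip"])).network
        gw = ipaddress.ip_address(ha["ha-mgmt-interface-gateway"][0])
        if gw not in net:
            out.append(("warn", f"{name}: gateway {gw} is not inside {net}"))
    if {"http", "telnet"} & set(iface.get("allowaccess", [])):
        out.append(("warn", f"{name}: cleartext management (http/telnet) allowed"))
    return out
```

    Run it against the thread's config and it returns only the informational finding, which is the behaviour T-K-O observed: the port is deliberately out-of-band and cannot serve as a routed path to downstream switches.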


  • Cuddlesworth


    T-K-O wrote: »
    No luck :(

    Once I tick that box or enter the following

    set ha-mgmt-status enable
    set ha-mgmt-interface "internal6"
    set ha-mgmt-interface-gateway 172.16.0.6

    The routing table entry for the 172 network disappears and the interface6 is removed from the root vdom.

    That document talks about the management of the Fortigate unit and not l2 devices downstream, beginning to think this is by design and my layout is square peg round hole!


    Would you not just trunk a management vlan into the switches directly bypassing the firewall?


  • T-K-O


    Cuddlesworth wrote: »
    Would you not just trunk a management vlan into the switches directly bypassing the firewall?

    I need remote access to L2. Worst case scenario, I'll dedicate Int5 for remote mgmt and Int6 for HA-mgmt.

