Configuring active-passive HA cluster that includes aggregate interfaces – CLI


These procedures assume you are starting with two FortiGate units with factory default settings.

 

To configure the FortiGate units for HA operation

1. Register and apply licenses to the FortiGate unit. This includes FortiCloud activation, FortiClient licensing, and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS).

2. Install any third-party certificates on the FortiGate.

3. Change the host name for this FortiGate unit:

config system global
    set hostname FGT_ha_1
end

4. Configure HA settings.

config system ha
    set mode a-p
    set group-name example5.com
    set password HA_pass_5
    set hbdev port5 50 port6 50
end

Since port3 and port4 will be used for an aggregated interface, you must change the HA heartbeat configuration.

 

The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces. The MAC addresses of the FortiGate interfaces change to the following virtual MAC addresses:

  • port1 interface virtual MAC: 00-09-0f-09-00-00
  • port10 interface virtual MAC: 00-09-0f-09-00-01
  • port11 interface virtual MAC: 00-09-0f-09-00-02
  • port12 interface virtual MAC: 00-09-0f-09-00-03
  • port13 interface virtual MAC: 00-09-0f-09-00-04
  • port14 interface virtual MAC: 00-09-0f-09-00-05
  • port15 interface virtual MAC: 00-09-0f-09-00-06
  • port16 interface virtual MAC: 00-09-0f-09-00-07
  • port17 interface virtual MAC: 00-09-0f-09-00-08
  • port18 interface virtual MAC: 00-09-0f-09-00-09
  • port19 interface virtual MAC: 00-09-0f-09-00-0a
  • port2 interface virtual MAC: 00-09-0f-09-00-0b
  • port20 interface virtual MAC: 00-09-0f-09-00-0c
  • port3 interface virtual MAC: 00-09-0f-09-00-0d
  • port4 interface virtual MAC: 00-09-0f-09-00-0e
  • port5 interface virtual MAC: 00-09-0f-09-00-0f
  • port6 interface virtual MAC: 00-09-0f-09-00-10
  • port7 interface virtual MAC: 00-09-0f-09-00-11
  • port8 interface virtual MAC: 00-09-0f-09-00-12
  • port9 interface virtual MAC: 00-09-0f-09-00-13

To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.

You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):

get hardware nic port1

 

MAC: 00:09:0f:09:00:00

Permanent_HWaddr: 02:09:0f:78:18:c9

5. Repeat these steps for the other FortiGate unit.

Set the other FortiGate unit host name to:

config system global
    set hostname FGT_ha_2
end

 

To connect the cluster to the network

1. Connect the port1 and port2 interfaces of FGT_ha_1 and FGT_ha_2 to a switch connected to the Internet.

Configure the switch so that the port1 and port2 of FGT_ha_1 make up an aggregated interface and port1 and port2 of FGT_ha_2 make up another aggregated interface.

2. Connect the port3 and port4 interfaces of FGT_ha_1 and FGT_ha_2 to a switch connected to the internal network.

Configure the switch so that the port3 and port4 of FGT_ha_1 make up an aggregated interface and port3 and port4 of FGT_ha_2 make up another aggregated interface.

3. Connect the port5 interfaces of FGT_ha_1 and FGT_ha_2 together. You can use a crossover Ethernet cable or regular Ethernet cables and a switch.

4. Connect the port5 interfaces of the cluster units together. You can use a crossover Ethernet cable or regular Ethernet cables and a switch.

5. Power on the cluster units.

The units start and negotiate to choose the primary unit and the subordinate unit. This negotiation occurs with no user intervention and normally takes less than a minute.

When negotiation is complete the cluster is ready to be configured for your network.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring active-passive HA cluster that includes aggregated interfaces – web-based manager

These procedures assume you are starting with two FortiGate units with factory default settings.

To configure the FortiGate units for HA operation

1. Register and apply licenses to the FortiGate unit. This includes FortiCloud activation, FortiClient licensing, and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS).

2. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.
3. On the System Information dashboard widget, beside Host Name select Change.
4. Enter a new Host Name for this FortiGate unit.

New Name FGT_ha_1

5. Select OK.
6. Go to System > HA and change the following settings.

Mode Active-Passive
Group Name example5.com
Password HA_pass_5

Heartbeat Interface    Enable    Priority
port5                  Select    50
port6                  Select    50

Since port3 and port4 will be used for an aggregated interface, you must change the HA heartbeat configuration to not use those interfaces.

7. Select OK.

The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces. The MAC addresses of the FortiGate interfaces change to the following virtual MAC addresses:

  • port1 interface virtual MAC: 00-09-0f-09-00-00
  • port10 interface virtual MAC: 00-09-0f-09-00-01
  • port11 interface virtual MAC: 00-09-0f-09-00-02
  • port12 interface virtual MAC: 00-09-0f-09-00-03
  • port13 interface virtual MAC: 00-09-0f-09-00-04
  • port14 interface virtual MAC: 00-09-0f-09-00-05
  • port15 interface virtual MAC: 00-09-0f-09-00-06
  • port16 interface virtual MAC: 00-09-0f-09-00-07
  • port17 interface virtual MAC: 00-09-0f-09-00-08
  • port18 interface virtual MAC: 00-09-0f-09-00-09
  • port19 interface virtual MAC: 00-09-0f-09-00-0a
  • port2 interface virtual MAC: 00-09-0f-09-00-0b
  • port20 interface virtual MAC: 00-09-0f-09-00-0c
  • port3 interface virtual MAC: 00-09-0f-09-00-0d
  • port4 interface virtual MAC: 00-09-0f-09-00-0e
  • port5 interface virtual MAC: 00-09-0f-09-00-0f
  • port6 interface virtual MAC: 00-09-0f-09-00-10
  • port7 interface virtual MAC: 00-09-0f-09-00-11
  • port8 interface virtual MAC: 00-09-0f-09-00-12
  • port9 interface virtual MAC: 00-09-0f-09-00-13

To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.

You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):

get hardware nic port1

MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9

8. Power off the first FortiGate unit.
9. Repeat these steps for the second FortiGate unit.
Set the second FortiGate unit host name to:

New Name FGT_ha_2

To connect the cluster to the network

1. Connect the port1 and port2 interfaces of FGT_ha_1 and FGT_ha_2 to a switch connected to the Internet.
Configure the switch so that the port1 and port2 of FGT_ha_1 make up an aggregated interface and port1 and port2 of FGT_ha_2 make up a second aggregated interface.

2. Connect the port3 and port4 interfaces of FGT_ha_1 and FGT_ha_2 to a switch connected to the internal network.
Configure the switch so that the port3 and port4 of FGT_ha_1 make up an aggregated interface and port3 and port4 of FGT_ha_2 make up another aggregated interface.

3. Connect the port5 interfaces of FGT_ha_1 and FGT_ha_2 together. You can use a crossover Ethernet cable or regular Ethernet cables and a switch.
4. Connect the port5 interfaces of the cluster units together. You can use a crossover Ethernet cable or regular Ethernet cables and a switch.
5. Power on the cluster units.
The units negotiate to choose the primary unit and the subordinate unit. This negotiation occurs with no user intervention and normally takes less than a minute.

When negotiation is complete, the cluster is ready to be configured for your network.

To view cluster status

Use the following steps to view the cluster dashboard and cluster members list to confirm that the cluster units are operating as a cluster.

1. View the system dashboard.
The System Information dashboard widget shows the Cluster Name (example5.com) and the host names and serial numbers of the Cluster Members. The Unit Operation widget shows multiple cluster units.

2. Go to System > HA to view the cluster members list.
The list shows two cluster units, their host names, their roles in the cluster, and their priorities. You can use this list to confirm that the cluster is operating normally.

To troubleshoot the cluster configuration

See FGCP HA with 802.3ad aggregated interfaces on page 1401 to troubleshoot the cluster.

To add basic configuration settings and the aggregate interfaces

Use the following steps to add a few basic configuration settings.

1. Log into the cluster web-based manager.
2. Go to System > Admin > Administrators.
3. Edit admin and select Change Password.
4. Enter and confirm a new password.
5. Select OK.
6. Go to Router > Static > Static Routes and temporarily delete the default route.

You cannot add an interface to an aggregated interface if any settings (such as the default route) are configured for it.

7. Go to System > Network > Interfaces and select Create New to add the aggregate interface to connect to the Internet.
8. Set Type to 802.3ad Aggregate and configure the aggregate interface to be connected to the Internet:

Name Port1_Port2

Physical Interface Members port1, port2

IP/Network Mask 172.20.120.141/24

9. Select OK.
10. Select Create New to add the aggregate interface to connect to the internal network.
11. Set Type to 802.3ad Aggregate and configure the aggregate interface to be connected to the internal network:

Name Port3_Port4

Physical Interface Members port3, port4

IP/Netmask 10.11.101.100/24

Administrative Access HTTPS, PING, SSH

12. Select OK.
The virtual MAC addresses of the FortiGate interfaces change to the following. Note that port1 and port2 both have the port1 virtual MAC address and port3 and port4 both have the port3 virtual MAC address:

  • port1 interface virtual MAC: 00-09-0f-09-00-00
  • port10 interface virtual MAC: 00-09-0f-09-00-01
  • port11 interface virtual MAC: 00-09-0f-09-00-02
  • port12 interface virtual MAC: 00-09-0f-09-00-03
  • port13 interface virtual MAC: 00-09-0f-09-00-04
  • port14 interface virtual MAC: 00-09-0f-09-00-05
  • port15 interface virtual MAC: 00-09-0f-09-00-06
  • port16 interface virtual MAC: 00-09-0f-09-00-07
  • port17 interface virtual MAC: 00-09-0f-09-00-08
  • port18 interface virtual MAC: 00-09-0f-09-00-09
  • port19 interface virtual MAC: 00-09-0f-09-00-0a
  • port2 interface virtual MAC: 00-09-0f-09-00-00 (same as port1)
  • port20 interface virtual MAC: 00-09-0f-09-00-0c
  • port3 interface virtual MAC: 00-09-0f-09-00-0d
  • port4 interface virtual MAC: 00-09-0f-09-00-0d (same as port3)
  • port5 interface virtual MAC: 00-09-0f-09-00-0f
  • port6 interface virtual MAC: 00-09-0f-09-00-10
  • port7 interface virtual MAC: 00-09-0f-09-00-11
  • port8 interface virtual MAC: 00-09-0f-09-00-12
  • port9 interface virtual MAC: 00-09-0f-09-00-13

13. Connect to the CLI and enter the following command to disable sending LACP packets from the subordinate unit:
config system interface
    edit Port1_Port2
        set lacp-ha-slave disable
    next
    edit Port3_Port4
        set lacp-ha-slave disable
end

14. Go to Router > Static > Static Routes.
15. Add the default route.

Destination IP/Mask 0.0.0.0/0.0.0.0

Gateway 172.20.120.2

Device Port1_Port2

Distance 10

16. Select OK.

To configure HA port monitoring for the aggregate interfaces

1. Go to System > HA.
2. In the cluster members list, edit the primary unit.
3. Configure the following port monitoring for the aggregate interfaces:

Port Monitor

Port1_Port2 Select

Port3_Port4 Select

4. Select OK.



Link aggregation, HA failover performance, and HA mode


To operate an active-active or active-passive cluster with aggregated interfaces and for best performance of a cluster with aggregated interfaces, the switches used to connect the cluster unit aggregated interfaces together should support configuring multiple Link Aggregation (LAG) groups.

For example, the cluster shown above should be configured into two LAG groups on the external switch: one for the port1 and port2 aggregated interface of FGT_ha_1 and a second one for the port1 and port2 aggregate interface of FGT_ha_2. You should also be able to do the same on the internal switch for the port3 and port4 aggregated interfaces of each cluster unit.

As a result, the subordinate unit aggregated interfaces would participate in LACP negotiation while the cluster is operating. In an active-active mode cluster, packets could be redirected to the subordinate unit interfaces. As well, in active-active or active-passive mode, after a failover the subordinate unit can become a primary unit without having to perform LACP negotiation before it can process traffic. Performing LACP negotiation causes a minor failover delay.

However if you cannot configure multiple LAG groups on the switches, due to the primary and subordinate unit interfaces having the same MAC address, the switch will put all of the interfaces into the same LAG group which would disrupt the functioning of the cluster. To prevent this from happening, you must change the FortiGate aggregated interface configuration to prevent subordinate units from participating in LACP negotiation.

For example, use the following command to prevent subordinate units from participating in LACP negotiation with an aggregate interface named Port1_Port2:

config system interface
    edit Port1_Port2
        set lacp-ha-slave disable
end

As a result of this setting, subordinate unit aggregated interfaces cannot accept packets. This means that you cannot operate the cluster in active-active mode because in active-active mode the subordinate units must be able to receive and process packets. Also, failover may take longer because after a failover the subordinate unit has to perform LACP negotiation before being able to process network traffic.

It may also be necessary to configure the switch to use Passive or even Static mode for LACP to prevent the switch from sending packets to the subordinate unit interfaces, which won’t be able to process them.

Finally, in some cases depending on the LACP configuration of the switches, you may experience delayed failover if the FortiGate LACP configuration is not compatible with the switch LACP configuration. For example, in some cases setting the FortiGate LACP mode to static reduces the failover delay because the FortiGate unit does not perform LACP negotiation. However, there is a potential problem with this configuration because static LACP does not send periodic LAC Protocol Data Unit (LACPDU) packets to test the connections. So a non-physical failure (for example, if a device is not responding because it is too busy) may not be detected and packets could be lost or delayed.
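An added example (not Fortinet's or this page's own code): a Python audit that parses a FortiOS-style configuration and flags three conditions this page describes: a heartbeat device that is also an aggregate member, an aggregate that is not HA-monitored, and active-active mode combined with lacp-ha-slave disable. The sample configuration is constructed, and the parser assumes the flat config/edit/set/next/end layout of a configuration backup.

```python
import shlex

# Constructed sample (not from a real device). Names follow the page's example;
# the a-a mode, the port3 heartbeat and the missing monitor entry are deliberate.
SAMPLE_CONFIG = """\
config system ha
    set group-name "example5.com"
    set mode a-a
    set hbdev "port5" 50 "port3" 50
    set monitor "Port1_Port2"
end
config system interface
    edit "Port1_Port2"
        set type aggregate
        set member "port1" "port2"
        set lacp-ha-slave disable
    next
    edit "Port3_Port4"
        set type aggregate
        set member "port3" "port4"
    next
end
"""


def parse_config(text):
    """Parse top-level config/edit/set/next/end blocks into nested dicts.

    Returns {section: {entry_name_or_None: {option: [values]}}}. Settings made
    directly under 'config' are stored under the key None. Nested 'config'
    blocks inside an entry are skipped.
    """
    sections, depth, section, entry = {}, 0, None, None
    for raw in text.splitlines():
        try:
            words = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line value
            words = raw.split()
        if not words:
            continue
        keyword = words[0]
        if keyword == "config":
            depth += 1
            if depth == 1:
                section = sections.setdefault(" ".join(words[1:]), {None: {}})
                entry = section[None]
        elif keyword == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                section = entry = None
        elif depth == 1 and keyword == "edit" and len(words) > 1:
            entry = section.setdefault(words[1], {})
        elif depth == 1 and keyword == "next":
            entry = section[None]
        elif depth == 1 and keyword == "set" and len(words) > 1:
            entry[words[1]] = words[2:]
    return sections


def audit_ha_lag(text):
    """Return (check, interface) findings for the conditions the page describes."""
    cfg = parse_config(text)
    ha = cfg.get("system ha", {}).get(None, {})
    lags = {name: opts for name, opts in cfg.get("system interface", {}).items()
            if name is not None and opts.get("type") == ["aggregate"]}
    heartbeat = set(ha.get("hbdev", [])[0::2])  # hbdev is <name> <priority> pairs
    findings = []
    for name, opts in lags.items():
        for member in opts.get("member", []):
            if member in heartbeat:
                findings.append(("heartbeat-on-lag-member", member))
        if name not in ha.get("monitor", []):
            findings.append(("lag-not-monitored", name))
        if ha.get("mode") == ["a-a"] and opts.get("lacp-ha-slave") == ["disable"]:
            findings.append(("a-a-with-lacp-ha-slave-disabled", name))
    return findings


if __name__ == "__main__":
    for check, name in audit_ha_lag(SAMPLE_CONFIG):
        print(f"{check}: {name}")
```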

 

General configuration steps

The section includes web-based manager and CLI procedures. These procedures assume that the FortiGate units are running the same FortiOS firmware build and are set to the factory default configuration.

 


1. Apply licenses to the FortiGate units to become the cluster.

2. Configure the FortiGate units for HA operation.

  • Change each unit’s host name.
  • Configure HA.

3. Connect the cluster to the network.

4. View cluster status.

5. Add basic configuration settings and configure the aggregated interfaces.

  • Add a password for the admin administrative account.
  • Add the aggregated interfaces.
  • Disable lacp-ha-slave so that the subordinate unit does not send LACP packets.
  • Add a default route.

You could also configure aggregated interfaces in each FortiGate unit before the units form a cluster.

6. Configure HA port monitoring for the aggregated interfaces.

 



HA interface monitoring, link failover, and 802.3ad aggregation


When monitoring the aggregated interface, HA interface monitoring treats the aggregated link as a single interface and does not monitor the individual physical interfaces in the link. HA interface monitoring registers the link to have failed only if all the physical interfaces in the link have failed. If only some of the physical interfaces in the link fail or become disconnected, HA considers the link to be operating normally.

HA MAC addresses and 802.3ad aggregation

If a configuration uses the Link Aggregation Control Protocol (LACP) (either passive or active), LACP is negotiated over all of the interfaces in any link. For a standalone FortiGate unit, the FortiGate LACP implementation uses the MAC address of the first interface in the link to uniquely identify that link. For example, a link consisting of port1 and port2 interfaces would have the MAC address of port1.

In an HA cluster, HA changes the MAC addresses of the cluster interfaces to virtual MAC addresses. An aggregate interface in a cluster acquires the virtual MAC address that would have been acquired by the first interface in the aggregate.
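An added example (not Fortinet's or this page's own code): Python that reproduces the virtual MAC lists shown on this page, including aggregate members taking the first member's address, and checks a `get hardware nic` excerpt against the expected value. It assumes only the pattern visible in those lists (interfaces in plain string order, last byte as the index) and that the first interface in the aggregate is the first one listed as a member; the sample output is constructed from the page's port1 excerpt.

```python
import re

PREFIX = "00-09-0f-09-00"  # first five bytes exactly as they appear in the page's lists


def virtual_macs(interfaces, aggregates=None):
    """Map each interface name to its virtual MAC, following the page's lists.

    interfaces: physical interface names.
    aggregates: {aggregate_name: [member, ...]}; assumption: the first listed
    member is "the first interface in the aggregate".
    """
    aggregates = aggregates or {}
    # Plain string sort gives the page's order: port1, port10 ... port19, port2, port20, port3 ...
    ordered = sorted(interfaces)
    if len(ordered) > 256:
        raise ValueError("the last byte cannot index more than 256 interfaces")
    macs = {name: f"{PREFIX}-{idx:02x}" for idx, name in enumerate(ordered)}
    for agg_name, members in aggregates.items():
        shared = macs[members[0]]
        for member in members:  # every member answers with the first member's MAC
            macs[member] = shared
        macs[agg_name] = shared
    return macs


def normalise(mac):
    """Lower-case and strip separators so 00-09-0f... equals 00:09:0f..."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


# Constructed sample shaped like the 'get hardware nic port1' excerpt on this page.
SAMPLE_NIC_OUTPUT = """\
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
"""


def check_nic(output, expected_virtual):
    """Compare the current address in the output with the expected virtual MAC."""
    fields = dict(re.findall(
        r"^\s*(MAC|Current_HWaddr|Permanent_HWaddr):\s*(\S+)", output, re.M))
    current = fields.get("Current_HWaddr") or fields.get("MAC")
    if current is None:
        raise ValueError("no current MAC address found in output")
    permanent = fields.get("Permanent_HWaddr")
    return {
        "matches_expected": normalise(current) == normalise(expected_virtual),
        # True means the unit is still using its burned-in address (not in a cluster)
        "still_permanent": permanent is not None
        and normalise(current) == normalise(permanent),
    }


if __name__ == "__main__":
    ports = [f"port{n}" for n in range(1, 21)]
    lags = {"Port1_Port2": ["port1", "port2"], "Port3_Port4": ["port3", "port4"]}
    table = virtual_macs(ports, lags)
    for name in sorted(ports):
        print(f"{name} interface virtual MAC: {table[name]}")
    print(check_nic(SAMPLE_NIC_OUTPUT, table["port1"]))
```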



FGCP HA with 802.3ad aggregated interfaces


On FortiGate models that support it you can use 802.3ad link aggregation to combine two or more interfaces into a single aggregated interface. 802.3ad Link Aggregation and its management protocol, Link Aggregation Control Protocol (LACP), are a method for combining multiple physical links into a single logical link. This increases both potential throughput and network resiliency. Using LACP, traffic is distributed among the physical interfaces in the link, potentially resulting in increased performance.

This example describes how to configure an HA cluster consisting of two FortiGate units with two aggregated 1000 Mb connections to the Internet using port1 and port2 and two aggregated 1000 Mb connections to the internal network using port3 and port4. The aggregated interfaces are also configured as HA monitored interfaces.

Each of the aggregate links connects to a different switch. Each switch is configured for link aggregation (2x1000Mb).

 



Replacing a failed cluster unit


This procedure describes how to remove a failed cluster unit from a cluster and add a new one to replace it. You can also use this procedure to remove a failed unit from a cluster, repair it and add it back to the cluster. Replacing a failed unit does not interrupt the operation of the cluster unless you have to change how the cluster is connected to the network to accommodate the replacement unit.

You can use this procedure to replace more than one cluster unit.

 

To replace a failed cluster unit

1. Disconnect the failed unit from the cluster and the network.

If you maintain other connections between the network and the still functioning cluster unit or units and between remaining cluster units, network traffic will continue to be processed.

2. Repair the failed cluster unit, or obtain a replacement unit with the exact same hardware configuration as the failed cluster unit.

3. Install the same firmware build on the repaired or replacement unit as is running on the cluster.

4. Register and apply licenses to the FortiGate unit. This includes FortiCloud activation, FortiClient licensing, and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS).

5. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

6. Configure the repaired or replacement unit for HA operation with the same HA configuration as the cluster.

7. If the cluster is running in Transparent mode, change the operating mode of the repaired or replacement unit to Transparent mode.

8. Connect the repaired or replacement cluster unit to the cluster.

For an example see: How to set up FGCP clustering (recommended steps) on page 1354.

9. Power on the repaired or replacement cluster unit.

When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster synchronizes the repaired or replacement unit configuration with the configuration of the primary unit.

You can add a repaired or replacement unit to a functioning cluster at any time. The repaired or replacement cluster unit must:

  • Have the same hardware configuration as the cluster units, including the same hard disk configuration and the same AMC cards installed in the same slots.
  • Have the same firmware build as the cluster.
  • Be set to the same operating mode (NAT or Transparent) as the cluster.
  • Be operating in single VDOM mode.


Converting a standalone FortiGate unit to a cluster


In this recipe, a backup FortiGate unit will be installed and connected to a FortiGate unit that has previously been installed to provide redundancy if the primary FortiGate unit fails.

A video of this recipe is available here.

1. Adding the backup FortiGate unit and configuring HA

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

If you have not already done so, register the primary FortiGate and apply licenses to it before setting up the cluster. This includes FortiCloud activation, FortiClient and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGate units. If your FortiGate unit does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function.

A switch must be used between the FortiGates and Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.

Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.

Change the unit’s Host Name to identify it as the primary FortiGate.

In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

Connect to the backup FortiGate and go to System > Dashboard > Status.

Change the unit’s Host Name to identify it as the backup FortiGate.

Configure HA Status and set the Mode to Active-Passive.

Set the Device Priority to be lower than the primary FortiGate. Ensure that the Group Name and Password match those on the primary FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

Connect to the primary FortiGate and go to System > HA to view the cluster information.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.

2. Results

Normally, traffic should now be flowing through the primary FortiGate. However, if the primary FortiGate is unavailable, traffic should failover and the backup FortiGate will be used. Failover will also cause the primary and backup FortiGates to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the Ping results, until traffic diverts to the backup FortiGate, allowing the Ping traffic to continue.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.



FortiGate-5000 active-active HA cluster with FortiClient licenses


This section describes how to configure an HA cluster of three FortiGate-5001C units that connect an internal network to the Internet. The FortiGate-5001C units each have a FortiClient license installed on them to support FortiClient profiles.

Normally it is recommended that you add FortiClient licenses to the FortiGate units before setting up the cluster. This example, however, describes how to apply FortiClient licenses to the FortiGate units in an operating cluster.

 

Example network topology

The following diagram shows an HA cluster consisting of three FortiGate-5001C cluster units (host names slot-3, slot-4, and slot-5) installed in a FortiGate-5000 series chassis with two FortiSwitch-5003B units for heartbeat communication between the cluster units. The cluster applies security features including FortiClient profiles to data traffic passing through it.

The cluster is managed from the internal network using the FortiGate-5001C mgmt1 interfaces configured as HA reserved management interfaces. Using these reserved management interfaces the overall cluster can be managed and cluster units can be managed individually. Individual management access to each cluster unit makes some operations, such as installing FortiClient licenses, easier and also allows you to view status of each cluster unit.

The reserved management interface of each cluster unit has a different IP address and retains its own MAC address. The cluster does not change the reserved management interface MAC address.

