FortiGate High Availability interface addressing


When setting up High Availability on FortiGate, one thing struck me as a bit unusual. Unlike other firewall clustering solutions (correct me if I'm wrong), FortiGate devices don't force you to assign each interface both a physical (per-unit) IP address and a logical (cluster) one. You are supposed to configure the logical, cluster-wide addresses only, and those move with the master role on failover. This implies that you can't reach a specific node of the cluster directly over the network: you have to SSH into the master unit and, from there, hop to the subordinate unit(s) over the HA link. Here are the relevant CLI commands:

FW-NODE-A # get system ha status
Model: 100
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:129 FW-NODE-A      FG100C3000000000 0
Slave :128 FW-NODE-B      FG100C3000000001 1
number of vcluster: 1
vcluster 1: work
Master:0 FG100C3000000000
Slave :1 FG100C3000000001

FW-NODE-A # execute ha manage ?
please input peer box index.
<1>     Subsidary unit FG100C3000000001

FW-NODE-A # execute ha manage 1
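
As an added example (not code from the post), here is a small Python parser for the `get system ha status` output shown above. It feeds the post's own sample output back in as constructed input, finds the master, builds the `execute ha manage <index>` command needed to hop to the other member from the unit you are logged into, and runs a few consistency checks a monitoring script would want. The field layout is taken from the sample output; the function names and the checks are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `get system ha status` output shown in the post,
# embedded verbatim so this example runs offline.
SAMPLE_HA_STATUS = """\
Model: 100
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:129 FW-NODE-A      FG100C3000000000 0
Slave :128 FW-NODE-B      FG100C3000000001 1
number of vcluster: 1
vcluster 1: work
Master:0 FG100C3000000000
Slave :1 FG100C3000000001
"""


@dataclass(frozen=True)
class HaMember:
    role: str       # "Master" or "Slave"
    priority: int   # number printed after the role (the unit's HA priority)
    hostname: str
    serial: str
    index: int      # peer box index, the argument to `execute ha manage`


# Cluster member lines, e.g. "Master:129 FW-NODE-A      FG100C3000000000 0"
MEMBER_RE = re.compile(
    r"^(?P<role>Master|Slave)\s*:\s*(?P<prio>\d+)\s+(?P<host>\S+)\s+"
    r"(?P<serial>\S+)\s+(?P<index>\d+)\s*$"
)
# Virtual-cluster member lines, e.g. "Master:0 FG100C3000000000" (index, serial)
VCLUSTER_RE = re.compile(
    r"^(?P<role>Master|Slave)\s*:\s*(?P<index>\d+)\s+(?P<serial>\S+)\s*$"
)


def parse_ha_status(text):
    """Split HA status output into (header fields, cluster members, vcluster members)."""
    header = {}
    members = []
    vcluster = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(HaMember(
                role=m["role"], priority=int(m["prio"]), hostname=m["host"],
                serial=m["serial"], index=int(m["index"]),
            ))
            continue
        m = VCLUSTER_RE.match(line)
        if m:
            vcluster.append((m["role"], int(m["index"]), m["serial"]))
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            header[key.strip()] = value.strip()
    return header, members, vcluster


def cluster_master(members):
    """Return the single master member, raising if the output is inconsistent."""
    masters = [m for m in members if m.role == "Master"]
    if len(masters) != 1:
        raise ValueError(f"expected exactly one master, found {len(masters)}")
    return masters[0]


def peer_manage_commands(members, local_serial):
    """Commands to hop from the local unit to every other member over the HA link.

    `execute ha manage <index>` is run on the unit you are logged into
    (normally the master, since only the cluster address is reachable).
    """
    if local_serial not in {m.serial for m in members}:
        raise ValueError(f"{local_serial} is not a member of this cluster")
    return [f"execute ha manage {m.index}" for m in members if m.serial != local_serial]


def check_cluster(header, members, vcluster):
    """Consistency checks a monitoring job would run on the parsed output.

    Returns a list of problems; an empty list means the cluster looks healthy.
    """
    problems = []
    if header.get("Mode") != "a-p":
        problems.append(f"unexpected HA mode {header.get('Mode')!r}")
    if len(members) < 2:
        problems.append("fewer than two members: cluster is degraded")
    if len({m.index for m in members}) != len(members):
        problems.append("duplicate peer box index")
    # The vcluster block should name the same serials as the member table.
    if {s for _, _, s in vcluster} != {m.serial for m in members}:
        problems.append("vcluster membership does not match member table")
    try:
        cluster_master(members)
    except ValueError as e:
        problems.append(str(e))
    return problems


if __name__ == "__main__":
    hdr, mem, vc = parse_ha_status(SAMPLE_HA_STATUS)
    master = cluster_master(mem)
    print("master:", master.hostname)
    print("from the master, hop with:", peer_manage_commands(mem, master.serial))
    print("problems:", check_cluster(hdr, mem, vc))
```

The output format above is what the FG100C in the post printed; newer FortiOS releases print a different layout for this command, so the regular expressions would need adjusting before pointing this at another firmware.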


I wonder what would happen if the master unit were to hang, that is, get stuck in a state where the failover mechanism doesn't kick in and neither SSH nor HTTPS access works. How could you remotely force a failover to another node? In such a scenario, is a physical power cycle of the master unit the only option?



  1. If FortiGates are like the Netscreen/Juniper in this respect (like they are in many others), it's not mandatory to assign physical addresses to the HA interfaces, but it's indeed possible. They call it the management address! Very useful when you're short on IP addresses, and you can afford to lose two addresses just on the trust or on the untrust interface, but not both! A choice at least! 😉

    • Right, thanks for pointing that out.

      A single interface on each cluster node can be configured as a “reserved management interface”. Each node can then have its own IP address assigned on the management interface: it won't be taken over by the surviving firewalls should one fail.

      Still, if I'm right, you can't have a management interface on the LAN and one (with restricted access) on the WAN side. Making it possible to distinguish between physical (to use only when needed) and logical (cluster) IP addresses in each “interface group” would provide a little more flexibility.

      For reference: page 140 of FortiOS High Availability handbook.

      (btw: being the first one to comment entitles you to a free beer. 😉 )
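
As an added illustration of the reserved management interface the comment above describes (this is not configuration from the post; it assumes FortiOS 5.x CLI syntax, a dedicated port named mgmt, and the 10.0.0.0/24 addresses shown, all of which are made up here), this is the sequence you would type to give each member its own, non-failing-over management address:

```text
# On the master (FW-NODE-A): enable the reserved management interface
# and pick the port; the gateway is separate from the normal routing table.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.0.0.1
        next
    end
end
config system interface
    edit "mgmt"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Hop to the subordinate over the HA link and give it its own address on the
# same port. This interface is excluded from HA synchronisation, so the
# address stays with the unit instead of following the master role.
execute ha manage 1
config system interface
    edit "mgmt"
        set ip 10.0.0.12 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Because only the one reserved port is excluded from synchronisation, this gives you exactly the single per-unit management address the comment thread discusses; any other interface still carries the cluster address only. Restrict `allowaccess` on it to what you need, since it is reachable even when the unit is not the master.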