Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vishal1
New Contributor II

Created on ‎02-27-2024 11:55 PM

Fortimanager ha query

I have a query regarding the configuration of FortiManager in VRRP/Manual mode high availability across different geographic locations via MPLS link, using different IP addresses for each unit. Specifically, Unit1 at DC will have the IP address 10.1.1.1/30, while Unit2 will have 10.1.2.1/30.

I am referring to the article (https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-setup-and-troubleshooti...) for configuration guidance.

Labels:
557
0 Kudos
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎02-28-2024 12:22 AM

From the document you shared:

A Layer-2 connection between Primary- FortiManager and Secondary- FortiManager is mandatory to communicate through Cluster Virtual IP via VRRP.
Virtual IP should be the same in both Primary and Secondary devices. (VRRP mode)

AEK
AEK
546
vraev
Staff
Staff

Created on ‎02-28-2024 01:07 AM

Hi @vishal1 ,
Please check the following article:
https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-cluster-in-different-VL...

Best,

V.R.
538
vishal1
New Contributor II
In response to vraev

Created on ‎02-28-2024 01:35 AM

It showing manual HA. Would configuring Manual HA would do auto auto failover if primary goes down or it need manual intervention ?

520
0 Kudos
AEK
SuperUser
SuperUser
In response to vishal1

Created on ‎02-28-2024 02:28 AM

When using manual failover settings, you must manually configure one of the secondary units to become the primary unit when the primary unit fails. The new primary unit will keep its IP address. FortiManager's IP address registered on FortiGate will be automatically changed when the new primary unit is selected.

AEK
AEK
506
vraev
Staff
Staff
In response to vishal1

Created on ‎02-28-2024 03:30 AM

Hi,

If you decide to use the VRRP mode you will need to have the same subnet one of their interfaces. Eventually setup a VLAN between them and that will solve the issue.

Best,

V.R.
496
vishal1
New Contributor II
In response to vraev

Created on ‎02-28-2024 06:13 AM

Can you give a example please.

472
0 Kudos
vraev
Staff
Staff
In response to vishal1

Created on ‎02-29-2024 12:06 AM Edited on ‎02-29-2024 12:55 AM

Hi,

There is an article already:
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Creating-a-VLAN-interface-on-FortiMana...

But it depends on your internal network how is setup. As, you may need to setup it on the other devices that are on the path.

Also for the manual mode(the article is updated):

It is a good practice to share the IPs of both FortiManagers to the FortiGates using the following setting.

 

config system admin setting
    set mgmt-fqdn  <FMmasterIP/FQDN> <FMslaveIP/FQDN>
end

 

For more information and if there is a NAT review the article below:

Docs: Configuring the management address

 

From FortiGate side:

Docs: Configuring central management

Docs: config system central-management


Best,

V.R.
441
vishal1
New Contributor II
In response to vraev

Created on ‎03-26-2024 01:53 AM

I have a couple of queries regarding the FortiManager configuration and the setup of Manual HA, which I hope you could help me clarify:

 

Would my FortiManager configuration remain in sync if I configure Manual HA between devices? Specifically, after the primary device fails, will I only need to designate the secondary device as primary without the necessity to redeploy or push the configuration from FortiManager to the FortiGate devices?

 

FortiManager will be in a different geographical location, is it feasible to establish Manual HA and facilitate communication via an MPLS link?

252
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.