- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiManager overwrites settings on HA unicast hea...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiManager overwrites settings on HA unicast heartbeat interface
I have an HA cluster of two FortiGates (v6.0.9) managed by a FortiManager (v6.0.8).
The FortiGates run in a cloud, so I must use unicast heartbeat on HA interfaces to sync them. I use port10 on both FortiGates as such interface: [style="background-color: #c0c0c0;"]FortiGate01, port10, IP 192.168.219.251 <================> IP 192.168.219.252, port10, FortiGate02[/style]
The problem is: apparently, FortiManager doesn't understand what "Unicast HA heartbeat interface" is.
Let's say, FortiGate01 is now the Master. FortiManager remembers that the address on port10 is [style="background-color: #c0c0c0;"]192.168.219.251[/style]. Now, if a failover occurs and FortiGate02 becomes Master, then on next policy push from FortiManager its port10 IP address will be overwritten by [style="background-color: #c0c0c0;"]192.168.219.251[/style]. Which will in fact kill the cluster. Is there a way to instruct FortiManager to treat this interface differently? Maybe make it completely ignore this port10?
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Response from Fortinet support: either disable validation on FortiManager ("[link=https://docs2.fortinet.com/document/fortimanager/6.0.8/cli-reference/784395/dm]set verify-install disable[/link]") or upgrade to FortiManager v6.2.3, which doesn't have this problem (according to them, I didn't verify that).
More details:
Yes, the install verification is disabled by "set verify-install disable" under "config system dm". It's more inconvenient than dangerous, because if the automatic verification is disabled, you would need to manually check the post install log (even if install=OK), to make sure that there were no errors returned by the target FortiGate. Generally if no errors in the install log the change is pushed correctly, but to stay on the safe side, you may also check in the FortiGate config, to confirm. Another option is to use "set verify-install optimal", which triggers automatic install verification only if an error is returned by the FortiGate. However, if the verification is triggered by an error, it may again change the HB IPs and break the cluster. Another strategy can be to leave the "dm" config as it is, and manually retrieve config revision (just retrieve, no import needed) after FortiGate HA failover. But this is also risky, because a failover can happen in any moment, may remain unnoticed by the FortiManager administrator, and ultimately cause the same problem. So unfortunately none of workarounds for FortiManager 6.0.8 is perfect.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Known Issue:
Bug id 613057 During install verification FMG is changing the IP of unicast hb interfaces after FGT cluster failover
To be fixed in FortiManager 6.2.4 (i.e., the FMG will not configure this parameter)
Vladimir.Ostrovsky
As you has pointed out, using Retrieve is in fact the workaround. But, as a workaround, this means you need to Retrieve before every Install since as you mentioned, you never know when a FGT cluster failover might have occurred.
Regarding verify-install, do you have the Fortinet ticket # that I could cross-reference?
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ticket number is 3849795. The issue #613057 was opened as its result. :)
Related Posts
- FortiManager Import Configuration Address Object interface... 83 Views
- Adding Standalone FortiSwitch to FortiManager Problem 154 Views
- Connect Fortigate to internet with 2... 223 Views
- FortiManager DeviceDB information into Jinja templates 197 Views
- FortiManager ADOM GlobalDatabase How to Normalized... 294 Views
Labels
-
FortiGate
6,490 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.