FGCP Management IP

Author: j.a.m.e.s (New Member)
2021/01/30 04:10:57

Dear All,
 
When running FGCP is there any way to maintain a separate MGT IP on the active and passive FGTs? 
 
I can see that the data-plane interfaces on the units need layer two reachability because in the event of a failover the IP and MAC will float to the standby unit (and GARP will take place). It seems a bit awkward to have the same MGT IP float between the boxes because you wouldn't get any direct SSH/SNMP/HTTPS reachability of the standby for monitoring purposes.
 
Additionally, if one used dynamic routing on the FGT, wouldn't you need to peer with the virtual IP on the upstream switch? Again, this seems a bit awkward compared with FGSP.
 
Many thanks again for any insight.
 
James.
 
#1
lobstercreed (Platinum Member)
Re: FGCP Management IP 2021/02/01 08:33:55
I believe this is what you're looking for?
 
https://kb.fortinet.com/kb/documentLink.do?externalID=FD32214
#2
j.a.m.e.s (New Member)
Re: FGCP Management IP 2021/02/01 14:51:21
Thank you! I deleted all references to my existing "mgmt1" interface then applied the commands you referenced. Now I can SSH individually to each. This is progress, but may I ask some follow-on questions?
 
# Cluster-wide part (config system ha is synchronised by FGCP):
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            # dst is the destination subnet of the reserved-management route;
            # the next hop for that route is set with "set gateway <ip>"
            set dst 10.0.0.254
        next
    end
end

# Per-node part: the reserved interface's IP is not synchronised, so each
# unit keeps its own address.
DeviceA:
config system interface
    edit mgmt1
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping ssh fgfm https snmp
        set type physical
        set dedicated-to management
    next
end

DeviceB:
config system interface
    edit mgmt1
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping ssh fgfm https snmp
        set type physical
        set dedicated-to management
    next
end

 
1. Will this work with FMG and FAZ?
2. Will on-box agents like NTP and SNMP traps know to use this MGT path?
3. I used to keep mgmt1 in a vdom named root and set a local-in policy. Is this no longer possible? I notice that I can no longer do a "set vdom root" under the mgmt1 interface. Is there any way to secure the management?
 
Kind regards
 
James.
 
#3
lobstercreed (Platinum Member)
Re: FGCP Management IP 2021/02/01 17:11:36
Interesting questions, and I'm afraid I don't know all the answers.  Perhaps one of the other more experienced admins will weigh in, but I can say this:
  1. It works, yes.  Both systems recognize this as an HA cluster, and to be honest I haven't really investigated which interface the source traffic comes from.  I think it's the dedicated management but I'm not really sure.
  2. I know that SNMP uses the dedicated management port as that's part of the point (mentioned explicitly in the link), and I think NTP does but again haven't necessarily double-checked the sniffs.
  3. I've never used VDOMs that way and am not sure the exact ramifications of this but I don't know why local-in policies wouldn't still apply the same way they do to any other interface.
#4
BensonLEI (Silver Member)
Re: FGCP Management IP 2021/02/01 23:00:18
Hi, guys,
I am also facing this problem (I am using Forti600E with v6.4.4):
 
When I configured the "mgmt" port, got the following problem:
Forti600E_04 # config system ha
Forti600E_04 (ha) # set ha-mgmt-status enable
Forti600E_04 (ha) # config ha-mgmt-interfaces
Forti600E_04 (ha-mgmt-interfaces) # edit 1
new entry '1' added
Forti600E_04 (1) # set interface "mgmt"
node_check_object fail! for interface mgmt
value parse error before 'mgmt'
Command fail. Return code -23
Forti600E_04 (1) #
 
 
The command "set dedicated-to management" also cannot be applied to this physical interface "mgmt".
 
May I know if "mgmt1" is a virtual interface, or something else?
 
many thanks
post edited by BensonLEI - 2021/02/01 23:03:22
#5
j.a.m.e.s (New Member)
Re: FGCP Management IP 2021/02/02 00:53:06
Had a similar problem last night. You need to go through every vdom and delete references to the interface giving the error (mgmt). It's a pain, but the GUI can show you how many references are left. Check out this post (near the end), which shows the same problem and solution: https://forum.fortinet.com/tm.aspx?m=126650
 
Also, after "set interface " enter the ? (question mark) to see what is in the list. On my model it's mgmt1 or mgmt2. If you have just mgmt, it might be a virtual IF created by someone; you can check by doing a "show" under "config system interface".
post edited by j.a.m.e.s - 2021/02/02 01:34:43
#6
j.a.m.e.s (New Member)
Re: FGCP Management IP 2021/02/02 01:43:10
Do you think I also need ha-direct to get SNMP, NTP etc working?
 

config system ha
    set ha-direct enable
end

 
There is some interesting discussion about the reserved-management interface being added to a hidden vdom named "vsys_ha". I wonder if the local-in policy can be tweaked inside this?
 
Unfortunately the whole MGT configuration with FGCP is a bit messy. It's a shame because the "HA Reserved Management" really would solve a lot of problems if you could only secure it.
 
#7
j.a.m.e.s (New Member)
Re: FGCP Management IP 2021/02/07 06:08:21
Update. Our Fortinet SE provided some helpful guidance on this. 
 
# Indicate the management VDOM here ('root' by default):
config system global
    set management-vdom root
end

# Your ha-reserved-management IP can then be secured using local-in policies
# in the indicated VDOM, with an extra line on each policy:
config vdom
    edit root
        config firewall local-in-policy
            edit 1
                # applies this local-in policy to the ha-reserved-management IP
                set ha-mgmt-intf-only enable
                set intf "any"
                set srcaddr "all"
                set dstaddr "all"
                set service "SSH"
                set schedule "always"
                set action accept
            next
            edit 9
                # final catch-all deny for the ha-reserved-management IP
                set ha-mgmt-intf-only enable
                set intf "any"
                set srcaddr "all"
                set dstaddr "all"
                set service "ALL"
                set schedule "always"
                set action deny
            next
        end
    next
end
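
Both procedures in this thread, clearing every reference to an interface before it can be reserved (the node_check_object error in #4 and the advice in #5) and locking the reserved IP down with ha-mgmt-intf-only local-in policies (the SE guidance above), can be checked offline against a config dump. The following is an added example written for this page, not Fortinet's code and not anything posted in the thread. It parses the config/edit/set/next/end layout of `show` output; SAMPLE_CONFIG is constructed for the example, and the audit assumes that `show` prints local-in policies in their evaluation order and that a dump without VDOMs belongs to root.

```python
import shlex

# Constructed sample dump for this example, not real device output.
SAMPLE_CONFIG = """\
config global
    config system global
        set management-vdom "root"
    end
    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
            next
        end
    end
end
config vdom
edit root
    config firewall policy
        edit 3
            set srcintf "mgmt2"
        next
    end
    config firewall local-in-policy
        edit 1
            set ha-mgmt-intf-only enable
            set srcaddr "all"
            set service "SSH"
            set action accept
        next
        edit 9
            set ha-mgmt-intf-only enable
            set srcaddr "all"
            set service "ALL"
            set action deny
        next
    end
next
end
"""

def _scope(stack):
    # (vdom, blocks inside it); a dump without VDOMs is treated as root (assumption)
    if stack and stack[0] == ('config', 'global'):
        return 'global', stack[1:]
    if len(stack) > 1 and stack[0] == ('config', 'vdom') and stack[1][0] == 'edit':
        return stack[1][1], stack[2:]
    return 'root', stack

def parse_fortios(text):
    """Yield (vdom, path, key, values) for every `set` in config/edit/set/next/end output."""
    stack = []  # ('config', name) or ('edit', name), innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tok = shlex.split(line)  # handles the double-quoted names FortiOS prints
        if tok[0] in ('config', 'edit'):
            stack.append((tok[0], ' '.join(tok[1:])))
        elif tok[0] in ('next', 'end') and stack:
            stack.pop()  # a well-formed dump always closes the innermost block
        elif tok[0] == 'set' and len(tok) >= 3:
            vdom, rest = _scope(stack)
            yield vdom, '/'.join(name for _, name in rest), tok[1], tok[2:]

def find_interface_references(text, ifname):
    """(vdom, path, key) for every setting naming ifname outside its own system interface
    entry: these block `set interface` under ha-mgmt-interfaces. Name-based, so review by hand."""
    own = 'system interface/' + ifname
    return [(v, p, k) for v, p, k, vals in parse_fortios(text) if ifname in vals and p != own]

def audit_ha_mgmt(text):
    """Findings for the reserved-management setup; an empty list means nothing to fix."""
    ha_on, ha_ifs, mgmt_vdom, policies = False, [], 'root', {}
    for vdom, path, key, vals in parse_fortios(text):
        if path == 'system ha' and key == 'ha-mgmt-status':
            ha_on = vals == ['enable']
        elif path.startswith('system ha/ha-mgmt-interfaces/') and key == 'interface':
            ha_ifs.append(vals[0])
        elif path == 'system global' and key == 'management-vdom':
            mgmt_vdom = vals[0]
        elif path.startswith('firewall local-in-policy/'):
            policies.setdefault((vdom, path.split('/')[1]), {})[key] = vals
    findings = []
    if not ha_on or not ha_ifs:
        findings.append('system ha: ha-mgmt-status must be enable with at least one ha-mgmt-interfaces entry')
    # local-in policies match top-down in list order, which is the order `show` prints them
    scoped = [(pid, p) for (v, pid), p in policies.items()
              if v == mgmt_vdom and p.get('ha-mgmt-intf-only') == ['enable']]
    if not scoped:
        findings.append(f'vdom {mgmt_vdom}: no ha-mgmt-intf-only local-in policy; only allowaccess filters the reserved IP')
        return findings
    last_id, last = scoped[-1]
    if last.get('action') != ['deny'] or last.get('service') != ['ALL']:
        findings.append(f'local-in policy {last_id}: last HA-scoped policy is not "deny ALL"; the rest falls through to allowaccess')
    for pid, p in scoped:
        if p.get('action') == ['accept'] and p.get('srcaddr') == ['all']:
            findings.append(f'local-in policy {pid}: accepts from srcaddr "all"; restrict it to the management hosts')
    return findings
```

Feed `find_interface_references(open('fgt.conf').read(), 'mgmt')` the output of `show` and remove or re-point every entry it lists before retrying the ha-mgmt-interfaces commands. `audit_ha_mgmt` flags a missing or non-deny final policy and any accept from srcaddr "all": the SSH policy as posted above admits every source that can reach the reserved IP, so on a real deployment the srcaddr should be an address object for the management hosts.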

#8
WD40 (New Member)
Re: FGCP Management IP 2021/02/09 01:54:39
Yes it's possible to achieve that, you can use the "set management-ip" command to set a different ip on each cluster node.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/349060/in-band-management
 
 
#9
j.a.m.e.s (New Member)
Re: FGCP Management IP 2021/02/12 09:44:08
Another important discovery is that FMG doesn't work with the ha-reserved-management IP. It will add the device correctly, but once you install a policy the installation gets stuck at 35% and the FGFM connection will drop. 
 
There is a KB mentioning this, but not suggesting a solution:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37209&sliceId=1
 
It seems that another interface can be used for the FMG. If anyone has tried this could you let me know please?
#10
HaTiMuX (Bronze Member)
Re: FGCP Management IP 2021/02/15 08:47:49
Hi James,
 
Yes, I had a similar issue where the policy install didn't succeed when using the dedicated management interface with FortiManager.
 
As mentioned by the KB article, it is recommended to use another interface to communicate with FortiManager so that you don't lose access to the cluster in case of a failover. The dedicated management interface is intended for SNMP monitoring and direct access to the secondary device.