Application Delivery Controller


FortiADC: Active/Passive HA, dedicated management interface?

  Thread closed by the administrator, not accepting new replies.
  • 1.  FortiADC: Active/Passive HA, dedicated management interface?

    Posted Feb 15, 2019 02:55 PM
    Is it possible to define a per member node dedicated management interface?

    And how?

    I have not been able to do that like in FortiGate.

    ------------------------------
    Thx
    ------------------------------


  • 2.  RE: FortiADC: Active/Passive HA, dedicated management interface?

     
    Posted Feb 18, 2019 01:14 AM
    Hello Patrick,

    See FortiADC handbook:

    "In an Active-Passive cluster, only the management IP address for the primary node is active. In an active-passive cluster, you can log into a node only when it has primary node status and its IP address is active. To access the user interface of an appliance in status (the active-passive slave), you must use a console port connection."

    Thanks,
    Ferry

    ------------------------------
    Manager Consulting Systems Engineer, Enhanced Technologies INTL
    Fortinet
    Netherlands
    ------------------------------



  • 3.  RE: FortiADC: Active/Passive HA, dedicated management interface?

    Posted Feb 18, 2019 03:01 AM
    Dear Ferry,

    I'm a bit confused because of the description in the HA Guide. The Guide mentions something that I cannot clearly decipher, and I thought that it should be possible to have access to both appliances:


    fortiadc-v5.1.x-ha-deployment-guide.pdf:

    3.1 Deploy HA-AP mode

    1) Enable the management-interface

    It is recommended that the management-interface be enabled when the HA-AP mode is deployed, because once you complete the HA-AP mode, only the master can handle the traffic; it means that you're not able to access the slave device directly. It is not convenient in most cases. The management-interface, on the other hand, binds the virtual interface to the physical interface. It can always work in all the modes, including "standalone." Please perform the following steps on all the HA nodes.


    Now, this sounds like it should be possible, or?



    ------------------------------
    Thx
    ------------------------------



  • 4.  RE: FortiADC: Active/Passive HA, dedicated management interface?

     
    Posted Feb 18, 2019 04:24 AM

    Hello Patrick,

    Confirmed from an A/P setup that it is possible to access both A/P cluster members via the WebUI.

    Configure the A/P cluster without a dedicated management interface (set mgmt-status disable) and specify unique IP addresses on non-cluster interfaces (set dedicate-to-mgmt enable).

    Regards,
    Ferry



    ------------------------------
    Ferry
    ------------------------------



  • 5.  RE: FortiADC: Active/Passive HA, dedicated management interface?

    Posted Feb 18, 2019 10:47 AM
    Dear Ferry,

    Just to clarify: FortiADC does not have a management interface that will switch from the Active node (in case of a failover) to the other, new Active node? The management address stays on the node?

    Also, the HA Guide specifies that one should configure it in the HA config, but does not mention using "set dedicate-to-mgmt enable"?



    2) Since the management-interface is a virtual interface inside the system, it has a similar routing mechanism to other interfaces. So there should be no overlapping subnet in the system. Therefore, usually we clear the original IP address of the physical interface.

    FAD2 # config system interface
    FAD2 (interface) # edit port1
    FAD2 (port1) # unset ip
    FAD2 (port1) # end

    This can result in losing the connectivity, so the first step requires the console.

    3) Configure the management-interface

    FAD2 # config system ha
    FAD2 (ha) # set mgmt-status enable
    FAD2 (ha) # set mgmt-interface port1
    FAD2 (ha) # set mgmt-ip 10.106.188.42/23
    FAD2 (ha) # set mgmt-ip-allowaccess http https ping snmp ssh telnet
    FAD2 (ha) # end

    ------------------------------
    Thx
    ------------------------------



  • 6.  RE: FortiADC: Active/Passive HA, dedicated management interface?

     
    Posted Feb 18, 2019 11:08 PM
    Hello Patrick,

    By default, there is one management interface connected to the active cluster member as part of the HA config. Management of passive cluster member needs to be done through the console.

    As you requested to have both the active and passive WebUIs reachable, you can do so by what I specified.

    Thanks,
    Ferry

    ------------------------------
    Ferry
    ------------------------------



  • 7.  RE: FortiADC: Active/Passive HA, dedicated management interface?

    Posted Feb 22, 2019 06:51 AM
    I do not understand it yet.


    Usually you want to have a management IP for the A/P cluster, let's say IP .1.

    Then this IP is what you want to monitor and use for all sorts of activities, such as SNMP, SSH, GUI, REST API ....

    This .1 is moved from box to box when failovers occur, and all activities done through .1 are always executed on the current active node.


    Now for monitoring and alerting it is best to have an additional IP for each node, so that you always have direct access to that node for some management functionality.

    So each node has an IP that does not move but is always on the same instance, e.g. .2 on node 1 and .3 on node 2.

    Those IPs usually reside in the same network:
    e.g.

    Cluster IP 10.0.0.1/24 - interface mgmt or port1 on node 1 and 2
    Node 1 IP 10.0.0.2/24 - interface port x, on node 1
    Node 2 IP 10.0.0.3/24 - interface port x, on node 2

    Now with FortiGate you can do this quite easily. On each box (2 interfaces): 1 interface for the cluster IP and a 2nd interface for the node IP.



    How about this on FortiADC?

    2 interfaces as well?

    Can one use mgmt and port x?

    Or is it recommended to not use mgmt for the cluster IP? Or not at all?

    Or is it recommended to use only port x, y for the above requirement?


    There are a couple of options I see on FortiADC but do not understand their function:

    - mgmt interface - dedicated to management
    - port x - dedicated to management
    - ha interface - mgmt-status enable



    ------------------------------
    Thx
    ------------------------------
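As an added example, not part of the thread or of any Fortinet tooling: a small Python lint that applies the two rules stated in the thread, the HA guide's "no overlapping subnet in the system" rule (hence "unset ip" on the physical port that backs the HA mgmt-interface) and Ferry's "unique IP addresses on non-cluster interfaces" advice, to FortiADC-style CLI text for two nodes. The per-port "set ip" and "set dedicate-to-mgmt" lines, the node name FAD1, port5 and the sample addresses are assumptions; FAD2 and 10.106.188.42/23 come from the guide excerpt above.

```python
import ipaddress
from itertools import combinations
# Constructed two-node config in the CLI shape of the guide excerpt ("config system ha",
# "set mgmt-ip", "edit port1", "unset ip"); per-port "set ip"/"set dedicate-to-mgmt" are assumed.
NODE1 = """config system interface
edit port1
unset ip
next
edit port5
set ip 10.0.0.2/24
set dedicate-to-mgmt enable
next
end
config system ha
set mgmt-status enable
set mgmt-interface port1
set mgmt-ip 10.106.188.42/23
end"""
NODE2 = NODE1.replace("10.0.0.2", "10.0.0.3")               # unique per-node IP
BAD = NODE1.replace("unset ip", "set ip 10.106.188.10/23")   # port1 IP left in place

def parse_node(text):
    """Return {'ports': {name: {key: value}}, 'ha': {key: value}} from one node's CLI text."""
    ports, ha, cur = {}, {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "edit":            # enter a port stanza
            cur = ports.setdefault(tok[1], {})
        elif tok[0] == "config":        # only 'system ha' keys are kept at top level
            cur = ha if tok[1:] == ["system", "ha"] else None
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "unset":
            cur.pop(tok[1], None)
    return {"ports": ports, "ha": ha}

def lint(nodes):
    """Flag overlapping subnets on a node and dedicate-to-mgmt IPs reused across nodes."""
    findings, dedicated = [], {}
    for name, node in nodes.items():
        addrs = {p: ipaddress.ip_interface(d["ip"]) for p, d in node["ports"].items() if "ip" in d}
        if node["ha"].get("mgmt-status") == "enable":       # HA mgmt-ip also routes on this node
            addrs["ha mgmt-ip"] = ipaddress.ip_interface(node["ha"]["mgmt-ip"])
        for (a, ia), (b, ib) in combinations(addrs.items(), 2):
            if ia.network.overlaps(ib.network):
                findings.append(f"{name}: {a} {ia} overlaps {b} {ib}")
        for p, d in node["ports"].items():
            if d.get("dedicate-to-mgmt") == "enable" and p in addrs:
                if addrs[p].ip in dedicated:
                    findings.append(f"{name}: {p} {addrs[p].ip} duplicates {dedicated[addrs[p].ip]}")
                dedicated[addrs[p].ip] = name
    return findings
```

Running lint on NODE1/NODE2 returns no findings; pairing NODE1 with BAD reports the port1/mgmt-ip subnet overlap and the reused 10.0.0.2 dedicated address.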