I. Management requirements
In an HA cluster all members share an identical configuration. The cluster's IP address reaches only the primary unit, so the individual slave units cannot be managed separately over IP. For business security the management network also needs to be separated from the business network.
To meet both requirements, HA can use a dedicated management interface that provides out-of-band management. The configuration of the dedicated management interface is not synchronized by HA.
II. Network topology

III. Configuration points
1. Configure basic HA
2. Configure basic LAN/WAN Internet access
3. Configure the "HA dedicated management interface"
4. Configure the firewall's SYSLOG, SNMP and FMG
IV. Procedure
1. Configure basic HA
When a firewall is first initialized you can log in through the mgmt port; the mgmt port's management IP is normally 192.168.1.99. As a first step, log in to the firewall through this IP, or manage it through the console port. For how to initialize a particular model, which port is its management port and what its management IP is, refer to:
Links: https://docs.fortinet.com/product/fortigate/hardware and https://docs.fortinet.com/document/fortigate/hardware/fortigate-quickstart-guide-high-end?model=all
Example for the FGT1500D:
https://docs.fortinet.com/document/fortigate/hardware/fortigate-1500d-information-supplement?model=all

Log in to the out-of-the-box firewall as described above. Log in to the primary firewall first and complete its basic HA configuration, then log in to the backup firewall and complete its basic HA configuration.
Configure HA on the primary and backup firewalls separately: set the primary's priority to 150 and leave the backup's at the default 120, configure the HA cluster group name and password, monitor the business interfaces wan1 and port1, and interconnect the two units over the HA1 and HA2 interfaces. Once HA is configured on both sides, connect the ha1 and ha2 cables back to back; the HA election takes place, the FGT with the higher priority (150) becomes the primary and the FGT with the lower priority (120) becomes the backup. The backup's configuration is then synchronized from the primary, so the backup ends up with exactly the same configuration as the primary. From this point the backup can no longer be reached over the web GUI or SSH, only through the console. Until the HA dedicated management interface is configured, all operations and configuration are done on the primary firewall through its GUI, SSH or console.
HA GUI configuration of the primary and backup firewalls:
HA CLI configuration of the primary and backup firewalls:
FGT101E_Master_379 # config system ha
FGT101E_Master_379 (ha) # show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC qFCIFxyvcDoECk2Ysw2kMkrRd8Mrn8loJ2pHGXvs59vKg6hXAAnLZsasIa/Icht5CTdtlUmA2yXAfJAfwa3EgR4JSnzpfbL451HgDGoAT7rzPB8YgTU7KHiQSMgu4ShEZI1YVFD0bYQ3RxM4gW/2gzmvJWNDuDNfjwQXkTnAMTeWYLlNwTbLowPjTJZRjZKgiqJ8vw==
set hbdev "ha2" 50 "ha1" 50
set session-pickup enable
set override disable
set priority 150
set monitor "port1" "wan1"
end
FGT101E_Slave_045 # config system ha
FGT101E_Slave_045 (ha) # show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC ZR+owfGtfZ/JmdqLcPi2QI6q8oZHUQFq0iF9esgd8Dzx1wUO8InUODuF+NX0A2R7Rmuh0t4QcCuLX6zh8+1ScAOD5zKOts0dm/YKBeShMJYNkQZGCAWGdbnNG2CgBevJ3Izq4qnSZcEdMytJybEMqXjiaqGffuGnHamqZa18v/0vH/1SQx4J0sKm9D6fGa90b1ClmQ==
set hbdev "ha2" 50 "ha1" 50
set session-pickup enable
set override disable
set priority 120
set monitor "port1" "wan1"
end
After the configuration is complete, connect the ha1 and ha2 heartbeat cables back to back; HA performs the election with the following result:
FGT101E_Master_379 # diagnose sys ha status
HA information
Statistics
traffic.local = s:0 p:576052 b:153225536
traffic.total = s:0 p:575650 b:153242567
activity.fdb = c:0 q:0
Model=100, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0
[Debug_Zone HA information]
HA group member information: is_manage_master=1.
FG101E4Q17000379: Master, serialno_prio=0, usr_priority=150, hostname=FGT101E_Master_379
FG101E4Q17000045: Slave, serialno_prio=1, usr_priority=120, hostname=FGT101E_Slave_045
[Kernel HA information]
vcluster 1, state=work, master_ip=169.254.0.1, master_id=0:
FG101E4Q17000379: Master, ha_prio/o_ha_prio=0/0
FG101E4Q17000045: Slave, ha_prio/o_ha_prio=1/1
FGT101E_Master_379 #
Any of these three commands shows the HA election result and HA status:
# diagnose sys ha status
# get system status
# get system ha status
Viewing the HA election result and status in the GUI:
2. Configure basic LAN/WAN Internet access
This step is the basic configuration for normal Internet access: configure the interface IPs, the default route and a firewall policy, and the firewall can forward traffic to the Internet. It is not described in detail here; only the configuration screenshots and CLI are provided. (All configuration is done on the primary firewall; the backup cannot be logged in to at this point.)
Configure interface IPs:
Configure the default route:
Configure the Internet access policy:
CLI for the Internet access configuration:
config system interface
edit "port1"
set ip 192.168.10.1 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "LAN"
next
edit "wan1"
set ip 202.100.1.21 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "WAN1_Unicom"
next
end
config router static
edit 1
set gateway 202.100.1.192
set distance 1
set device "wan1"
next
end
config firewall policy
edit 1
set name "TO_Internet"
set srcintf "port1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "default"
set application-list "default"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
3. Configure the "HA dedicated management interface"
Note that if mgmt has dependent configuration, it cannot be selected as the dedicated management interface. For example, mgmt runs a DHCP server by default, so the DHCP-related settings must be removed first.


Only then can the mgmt interface be assigned as the dedicated management interface:
HA dedicated management interface CLI:
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC DZn705SwwOHaAkIX6StL2z2sk+z6TrPDV7cicbQkN4yIEvszLMCtJxOupvvz9kjHTB2P6L0PSH4/+D7yGiRwJ0yIgCuX+0DV2JV9CCpuERIyJ57Mx85ZcUWsBgNGxeY87EtgHweWzL4nKMC7JGC+z8p74AN6bHROUaqXfziUKR4V0GpgakKtyX0V9r4nUShqPSXUJw==
set hbdev "ha1" 50 "ha2" 50
set session-pickup enable
set ha-mgmt-status enable // this command is synchronized to the backup unit
config ha-mgmt-interfaces
edit 1
set interface "mgmt" // this command is synchronized to the backup unit
set gateway 192.168.91.254 // the dedicated management interface's gateway IP is not synchronized to the backup firewall, because the two units may sit on different IP subnets with different gateways; not synchronizing it covers more deployments and is more flexible
next
end
set override disable
set priority 150
set monitor "port1" "wan1"
end
If the firewall was itself being managed through the mgmt interface at this point, management may be interrupted and the mgmt interface IP must be configured from the console port. If the firewall is managed through the business interface lan (port1), simply change the mgmt interface IP address.
Configuring the mgmt interface IP in the GUI:

Configuring the mgmt interface IP from the CLI:
config system interface
edit "mgmt"
set ip 192.168.91.21 255.255.255.0
set allowaccess ping https ssh http fgfm // enable the management protocols
set alias "HA_Dedicated_MGMT"
next
end
The primary unit's HA dedicated management interface is now configured. Next, configure the backup unit's dedicated management interface:
The backup cannot be reached over the web GUI or SSH at this point; connect to its CLI from the primary unit with the following command (or with a console cable):
FGT101E_Master_379 # execute ha manage
<id> please input peer box index.
<1> Subsidary unit FG101E4Q17000045
FGT101E_Master_379 # execute ha manage 1 // log in to the backup unit's CLI from the primary
FGT101E_Slave_045 login: admin
Password: ********
Welcome !
Then configure the backup firewall's mgmt management IP address (once the HA dedicated management interface function is enabled, the mgmt configuration is no longer synchronized, so the mgmt IP must be configured by hand):
FGT101E_Slave_045 $
FGT101E_Slave_045 $ config system interface
FGT101E_Slave_045 (interface) $ edit mgmt
FGT101E_Slave_045 (mgmt) $ set ip 192.168.91.22/24
FGT101E_Slave_045 (mgmt) $ set alias "HA_Dedicated_MGMT"
FGT101E_Slave_045 (mgmt) $ set allowaccess ping https ssh http fgfm
FGT101E_Slave_045 (mgmt) $ show
config system interface
edit "mgmt"
set ip 192.168.91.22 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set alias "HA_Dedicated_MGMT"
set role lan
set snmp-index 2
next
end
FGT101E_Slave_045 (mgmt) $ end
FGT101E_Slave_045 $
Configure the HA dedicated management interface's gateway (this setting is not synchronized from the primary unit and must be configured separately):
FGT101E_Slave_045 $ config system ha
FGT101E_Slave_045 (ha) $ show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC 83BaXxwY9eb/e/fqJN7QSxx2C+v3QDkq0nW+cLvs2rJBSD4zD3U65g/ed75GV/dAVcmQaCQ2+tGahYVG0ipDo/yOB3Ln+yYpkzbwMEj4kHwz2Sk9ehx48gmOIY1305mUqMSFe+z3HJ+5V7djq6MQg2/NXyeBPKJoCIAyVidQtNwiU49C7zcZfRNMQKJpa0EMT/ZzvQ==
set hbdev "ha1" 50 "ha2" 50
set session-pickup enable
set ha-mgmt-status enable // synchronized from the primary
config ha-mgmt-interfaces // synchronized from the primary
edit 1
set interface "mgmt"
next
end
set override disable
set priority 120
set monitor "port1" "wan1"
end
FGT101E_Slave_045 (ha) $ config ha-mgmt-interfaces
FGT101E_Slave_045 (ha-mgmt-interfaces) $ edit 1
FGT101E_Slave_045 (1) $ set gateway 192.168.91.254 // the backup unit's dedicated management gateway IP must be configured by hand
FGT101E_Slave_045 (1) $ next
FGT101E_Slave_045 (ha-mgmt-interfaces) $ end
FGT101E_Slave_045 (ha) $ show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC nM3GuvSrKPWgx5geIt06tXQbTvbVJMM68qGr1osN5OtZVofrHjd1VctW0jJdPCE7UydZmFuQN/9n/pM/fdTc3xN3dwZUvhaxAUICx0SjD9Fp5iCvo1chhcMPGuoYdJpt8gQ6E2DBA9XvbsYlyDeRMymwusaNi6pNVRUv+peCD/DdrS9Ja/OjPufH3W3WCFVlpi5mgg==
set hbdev "ha1" 50 "ha2" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set gateway 192.168.91.254
next
end
set override disable
set priority 120
set monitor "port1" "wan1"
end
FGT101E_Slave_045 (ha) $ end
FGT101E_Slave_045 $
The HA dedicated management interface configuration is complete.
The administrator can now manage the primary firewall at 192.168.91.21 and the backup firewall at 192.168.91.22; the two firewalls have independent management IPs.
How do you test whether the dedicated management interface can reach its gateway?
The dedicated management interface is effectively a lightweight VDOM. To test forwarding inside it you must first enter this lightweight VDOM and then launch the ping; only then does the test show what we want. A ping launched directly is sent from the root VDOM (the VDOM that handles business traffic), which is isolated from and unrelated to the dedicated management interface, so the result is misleading.
Testing reachability between the dedicated management interface and its gateway:
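The failure mode to watch for here is a backup unit on which ha-mgmt-status and the interface were synchronized but the gateway was never set by hand. The following Python check is an added example, not part of this guide or of FortiOS: it parses the "show" output of "config system ha" from each unit and reports dedicated-management interfaces without a gateway. The sample dumps are constructed from this guide's values and the ENC password is a placeholder.

```python
import re

# Constructed sample "show" output for the two cluster members, modelled on the
# values in this guide (192.168.91.0/24 management network, priorities 150/120).
# The ENC password is a placeholder, not real device output.
PRIMARY_HA = """\
config system ha
    set group-name "FGT-101E"
    set password ENC <placeholder>
    set hbdev "ha1" 50 "ha2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.91.254
        next
    end
    set priority 150
    set monitor "port1" "wan1"
end
"""

# Backup unit as it looks right after ha-mgmt-status and the interface were
# synchronized but before the (non-synchronized) gateway was set by hand.
BACKUP_HA = "\n".join(l for l in PRIMARY_HA.splitlines()
                      if "set gateway" not in l).replace("set priority 150", "set priority 120") + "\n"

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

def parse_ha(text):
    """Flatten a 'config system ha' show dump into a dict; settings inside
    'config ha-mgmt-interfaces' are keyed as 'mgmt.<id>.<name>'."""
    settings, prefix = {}, ""
    for line in text.splitlines():
        s = line.strip()
        if s == "config ha-mgmt-interfaces":
            prefix = "mgmt."
        elif s.startswith("edit ") and prefix:
            prefix = "mgmt." + s.split()[1] + "."
        elif s in ("next", "end") and prefix:
            prefix = "mgmt." if s == "next" else ""
        elif (m := SET_RE.match(line)):
            settings[prefix + m.group(1)] = m.group(2).strip('"')
    return settings

def check_cluster(units):
    """units: {hostname: show output}. Returns a list of findings (empty = OK)."""
    findings = []
    for name, ha in ((n, parse_ha(t)) for n, t in units.items()):
        if ha.get("ha-mgmt-status") != "enable":
            findings.append(f"{name}: ha-mgmt-status is not enabled")
            continue
        entries = [k[:-len("interface")] for k in ha
                   if k.startswith("mgmt.") and k.endswith(".interface")]
        if not entries:
            findings.append(f"{name}: ha-mgmt-status enabled but no ha-mgmt-interfaces entry")
        for e in entries:
            if e + "gateway" not in ha:  # the gateway is not synchronized, so check every unit
                findings.append(f"{name}: {ha[e + 'interface']} has no gateway; set it on this unit")
    return findings
```

Run check_cluster on dumps collected from both units (via "execute ha manage" for the backup) after every HA change; a unit that appears in the findings has a dedicated management interface that cannot reach beyond its own subnet.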
FGT101E_Master_379 #
FGT101E_Master_379 # execute enter
<name> vdom name
vsys_hamgmt
root
FGT101E_Master_379 # execute enter vsys_hamgmt // enter the lightweight dedicated-management VDOM
current vdom=vsys_hamgmt:3
FGT101E_Master_379 # get router info routing-table all // it has its own routing table
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 192.168.91.0/24 is directly connected, mgmt
FGT101E_Master_379 # diagnose ip route list
tab=255 vf=3 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=39(vsys_hamgmt)
tab=255 vf=3 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=39(vsys_hamgmt)
tab=255 vf=3 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=39(vsys_hamgmt)
tab=255 vf=3 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=39(vsys_hamgmt)
tab=255 vf=3 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.91.0/32 pref=192.168.91.21 gwy=0.0.0.0 dev=6(mgmt)
tab=255 vf=3 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.91.21/32 pref=192.168.91.21 gwy=0.0.0.0 dev=6(mgmt)
tab=255 vf=3 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.91.255/32 pref=192.168.91.21 gwy=0.0.0.0 dev=6(mgmt)
tab=254 vf=3 scope=0 type=1 proto=17 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.91.254 dev=6(mgmt) // default route of the dedicated management VDOM
tab=254 vf=3 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.91.0/24 pref=192.168.91.21 gwy=0.0.0.0 dev=6(mgmt)
FGT101E_Master_379 #
FGT101E_Master_379 # execute ping 192.168.91.254
PING 192.168.91.254 (192.168.91.254): 56 data bytes
64 bytes from 192.168.91.254: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 192.168.91.254: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.168.91.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
FGT101E_Master_379 #
FGT101E_Master_379 # diagnose sniffer packet any "host 192.168.91.254" 4
interfaces=[any]
filters=[host 192.168.91.254]
3.235814 mgmt out 192.168.91.21 -> 192.168.91.254: icmp: echo request // matches the specific connected route; the ping leaves via mgmt and the gateway replies
3.235900 mgmt in 192.168.91.254 -> 192.168.91.21: icmp: echo reply
4.245672 mgmt out 192.168.91.21 -> 192.168.91.254: icmp: echo request
4.245747 mgmt in 192.168.91.254 -> 192.168.91.21: icmp: echo reply
Leaving the dedicated management interface's lightweight VDOM:
FGT101E_Master_379 #
FGT101E_Master_379 # execute enter
<name> vdom name
vsys_hamgmt
root
FGT101E_Master_379 # execute enter root // leave the lightweight dedicated-management VDOM and return to the root VDOM (business VDOM)
current vdom=root:0
FGT101E_Master_379 # get router info routing-table all // the business routing table, completely separate from the dedicated management routing table: a lightweight routing isolation
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 202.100.1.192, wan1
C 101.100.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, port1
C 202.100.1.0/24 is directly connected, wan1
FGT101E_Master_379 # execute ping 192.168.91.254 // ping 192.168.91.254 from root
PING 192.168.91.254 (192.168.91.254): 56 data bytes
--- 192.168.91.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT101E_Master_379 #
FGT101E_Master_379 # diagnose sniffer packet any "host 192.168.91.254 and icmp" 4
interfaces=[any]
filters=[host 192.168.91.254 and icmp]
12.785835 wan1 out 202.100.1.21 -> 192.168.91.254: icmp: echo request // matches the default route, so the ping leaves via wan1 and cannot reach the dedicated management gateway. The result is correct but not what we want: it only looks like a failure because the ping was not launched from vsys_hamgmt
13.795618 wan1 out 202.100.1.21 -> 192.168.91.254: icmp: echo request
14.805621 wan1 out 202.100.1.21 -> 192.168.91.254: icmp: echo request
15.815615 wan1 out 202.100.1.21 -> 192.168.91.254: icmp: echo request
16.825621 wan1 out 202.100.1.21 -> 192.168.91.254: icmp: echo request
Ping test of the backup unit's dedicated management gateway:
FGT101E_Slave_045 # execute enter
<name> vdom name
vsys_hamgmt
root
FGT101E_Slave_045 # execute enter vsys_hamgmt // enter the lightweight dedicated-management VDOM
current vdom=vsys_hamgmt:3
FGT101E_Slave_045 # execute ping 192.168.91.254 // launch the ping test
PING 192.168.91.254 (192.168.91.254): 56 data bytes
64 bytes from 192.168.91.254: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 192.168.91.254: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.168.91.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
FGT101E_Slave_045 # execute enter root // test finished, leave the lightweight dedicated-management VDOM
current vdom=root:0
FGT101E_Slave_045 #
Verifying the HA dedicated management interface:
Managing the primary firewall via the dedicated management IP 192.168.91.21.

Managing the backup firewall via the dedicated management IP 192.168.91.22.

4. Configure the firewall's SYSLOG, SNMP and FMG
Sending syslog:
Configuring locally originated management traffic such as SYSLOG:
Corresponding CLI:
config log syslogd setting
set status enable
set server "192.168.10.125"
end
Logs from both the primary and the backup firewall are sent as syslog through the business interface port1 (192.168.10.1): the backup's syslog messages travel over the heartbeat link to the primary, which forwards them on its behalf.
FGT101E_Master_379 # dia sniff pa any "port 514" 4
interfaces=[any]
filters=[port 514]
0.918154 port1 out 192.168.10.1.15840 -> 192.168.10.125.514: udp 635 // the primary firewall's syslog
0.918225 port1 out 192.168.10.1.15840 -> 192.168.10.125.514: udp 649
5.492057 port1 out 192.168.10.1.22418 -> 192.168.10.125.514: udp 649
5.961902 port_ha in 169.254.0.2.514 -> 169.254.0.1.514: udp 454 // the backup firewall's console login log
5.962018 port1 out 192.168.10.1.22418 -> 192.168.10.125.514: udp 418
5.968684 port1 out 192.168.10.1.15840 -> 192.168.10.125.514: udp 554
8.314617 port1 out 192.168.10.1.22418 -> 192.168.10.125.514: udp 730
8.507346 port_ha in 169.254.0.2.514 -> 169.254.0.1.514: udp 473 // the backup firewall's console logout log
8.507479 port1 out 192.168.10.1.22418 -> 192.168.10.125.514: udp 437
8.964545 port1 out 192.168.10.1.22418 -> 192.168.10.125.514: udp 724
9.074989 port1 out 192.168.10.1.15840 -> 192.168.10.125.514: udp 597
SNMP configuration:
Enable the SNMP protocol on the LAN interface
Enable SNMP:
Corresponding CLI:
config system interface
edit "port1"
set allowaccess ping https ssh snmp http fgfm
next
end
config system snmp sysinfo
set status enable
set description "FGT101E"
set contact-info "support_cn@fortinet.com"
set location "BEIJING"
end
config system snmp community
edit 1
set name "public"
config hosts
edit 1
set ip 192.168.10.125 255.255.255.255
next
edit 2
next
end
next
end
FGT101E_Master_379 # dia sniff pa any "port 161 and host 192.168.10.1" 4
interfaces=[any]
filters=[port 161 and host 192.168.10.1]
122.490897 port1 in 192.168.10.125.4543 -> 192.168.10.1.161: udp 39
122.491500 port1 out 192.168.10.1.161 -> 192.168.10.125.4543: udp 44
168.788284 port1 in 192.168.10.125.4644 -> 192.168.10.1.161: udp 39
168.788623 port1 out 192.168.10.1.161 -> 192.168.10.125.4644: udp 44
186.464508 port1 in 192.168.10.125.4676 -> 192.168.10.1.161: udp 39
186.478596 port1 out 192.168.10.1.161 -> 192.168.10.125.4676: udp 257
186.482659 port1 in 192.168.10.125.4676 -> 192.168.10.1.161: udp 44
186.483107 port1 out 192.168.10.1.161 -> 192.168.10.125.4676: udp 268
186.487744 port1 in 192.168.10.125.4676 -> 192.168.10.1.161: udp 44
186.488298 port1 out 192.168.10.1.161 -> 192.168.10.125.4676: udp 227
186.492820 port1 in 192.168.10.125.4676 -> 192.168.10.1.161: udp 44
186.507569 port1 out 192.168.10.1.161 -> 192.168.10.125.4676: udp 247
186.510309 port1 in 192.168.10.125.4676 -> 192.168.10.1.161: udp 44
SNMP trap sent on HA failover:
FortiManager (FMG) management (can only be added through a business interface):
The firewall registers itself with the FMG:
Corresponding CLI:
config system interface
edit "port1"
set allowaccess ping https ssh snmp http fgfm
next
end
config system central-management
set type fortimanager
set fmg "192.168.147.250"
end
Alternatively, the FMG can add the FGT:
If the FGT registers itself with the FMG, the FMG shows an unregistered-device prompt:
Simply add the device to the FMG's device manager:
The syslog and SNMP traffic above is all sent through the business interface port1 (192.168.10.1). To send syslog and SNMP through mgmt instead, the "ha-direct" function must be enabled in the HA configuration:
FGT101E_Master_379 # config system ha
FGT101E_Master_379 (ha) # show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC G4xA3PQabTXNoS7B5i1P8m483HEhlbzzDyI2mbP3pHITh9aDsbhAFVsZwij2ZDO8ASQQoQe/0D71jlPrX+MS0zValS5BexPtIxZ1ULl9C561CqAIctrmCM1vCUIdwJezq8sBPKeGXigcAqS1BrimVTBeDzfeSsMaF9kMakrNB+9pdMh8jsV1fUEV0tWauklYgebZmw==
set hbdev "ha1" 50 "ha2" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set gateway 192.168.91.254
next
end
set override disable
set priority 150
set monitor "port1" "wan1"
end
FGT101E_Master_379 (ha) # set ha-direct
enable Enable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.
disable Disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.
FGT101E_Master_379 (ha) # set ha-direct enable
FGT101E_Master_379 (ha) # end
When ha-direct is enabled, source ip may not work.
We recommend to unset all log-related source ip.
By selecting to continue, all source ip will be unset.
Do you want to continue? (y/n)y
FGT101E_Master_379 #
Check the syslog and SNMP traffic again:
FGT101E_Master_379 # diagnose sniffer packet any "port 514" 4
interfaces=[any]
filters=[port 514]
0.411000 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 597 // syslog now leaves via mgmt
0.411157 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 598
0.441364 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 598
0.966813 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 735
0.966839 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 733
0.966893 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 733
2.411768 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 598
2.412099 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 597
2.867694 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 735
2.877663 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 733
3.137715 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 564
FGT101E_Slave_045 # diagnose sniffer packet any "port 514" 4
interfaces=[any]
filters=[port 514]
12.591838 mgmt out 192.168.91.22.11919 -> 192.168.10.125.514: udp 450 // syslog now leaves via mgmt
18.692843 mgmt out 192.168.91.22.11919 -> 192.168.10.125.514: udp 470
26.222700 mgmt out 192.168.91.22.11919 -> 192.168.10.125.514: udp 449
28.773623 mgmt out 192.168.91.22.11919 -> 192.168.10.125.514: udp 470
FGT101E_Master_379 # diagnose sniffer packet any "port 162" 4
interfaces=[any]
filters=[port 162]
56.593410 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 163 // snmp now leaves via mgmt
56.593834 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 188
56.594072 tun_fgfm out 169.254.0.2.162 -> 169.254.0.1.162: udp 194
56.594313 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 43
56.594533 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 68
56.594726 tun_fgfm out 169.254.0.2.162 -> 169.254.0.1.162: udp 74
59.521716 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 162
59.521939 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 187
59.522395 tun_fgfm out 169.254.0.2.162 -> 169.254.0.1.162: udp 193
59.522508 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 43
59.522719 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 68
59.523025 tun_fgfm out 169.254.0.2.162 -> 169.254.0.1.162: udp 74
FGT101E_Slave_045 # diagnose sniffer packet any "port 162" 4
interfaces=[any]
filters=[port 162]
60.670191 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 162 // snmp now leaves via mgmt
60.671248 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 187
60.671581 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 43
60.671807 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 68
60.946043 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 162
60.946258 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 187
60.946487 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 43
60.946650 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 68
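Reading captures like the ones above by eye is error-prone, so here is an added Python example (not part of this guide or of FortiOS) that parses verbosity-4 "diagnose sniffer packet" lines and reports device-originated management traffic (syslog on 514, SNMP traps on 162) that leaves on a business interface instead of the dedicated mgmt interface. The capture lines are constructed from this guide's output; the interface names and the mgmt/business split are assumptions matching this topology.

```python
import re
from collections import defaultdict

# Constructed capture lines in "diagnose sniffer packet <intf> <filter> 4" format,
# modelled on the output in this guide (verbosity 4 prints interface and direction).
SNIFFER_LINES = """\
0.411000 mgmt out 192.168.91.21.4483 -> 192.168.10.125.514: udp 597
0.411157 mgmt out 192.168.91.21.7511 -> 192.168.10.125.514: udp 598
5.961902 port_ha in 169.254.0.2.514 -> 169.254.0.1.514: udp 454
56.593410 wan1 out 202.100.1.21.162 -> 192.168.10.125.162: udp 163
56.594072 tun_fgfm out 169.254.0.2.162 -> 169.254.0.1.162: udp 194
122.490897 port1 in 192.168.10.125.4543 -> 192.168.10.1.161: udp 39
122.491500 port1 out 192.168.10.1.161 -> 192.168.10.125.4543: udp 44
3.235814 mgmt out 192.168.91.21 -> 192.168.91.254: icmp: echo request
""".splitlines()

# Only UDP/TCP lines carry ports; ICMP lines do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)')

# Device-originated services that ha-direct is meant to move onto the mgmt interface.
MGMT_PORTS = {514: "syslog", 162: "snmp-trap"}
BUSINESS_INTERFACES = {"port1", "wan1", "wan2"}          # assumed from this topology
INTERNAL_INTERFACES = {"port_ha", "tun_fgfm"}            # heartbeat / inter-unit tunnel

def parse_sniffer(lines):
    """Return one dict per parsable capture line, with ports and length as ints."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "length"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def egress_by_service(pkts):
    """Map service name -> set of interfaces on which this unit sent that traffic."""
    out = defaultdict(set)
    for p in pkts:
        if p["dir"] != "out" or p["intf"] in INTERNAL_INTERFACES:
            continue
        svc = MGMT_PORTS.get(p["dport"]) or MGMT_PORTS.get(p["sport"])
        if svc:
            out[svc].add(p["intf"])
    return dict(out)

def check_ha_direct(pkts, mgmt_intf="mgmt"):
    """Findings for management traffic that left on a business interface
    rather than the dedicated HA management interface."""
    findings = []
    for svc, intfs in sorted(egress_by_service(pkts).items()):
        leaked = sorted(intfs & BUSINESS_INTERFACES)
        if leaked:
            findings.append(f"{svc} egress on business interface(s) {leaked}; expected {mgmt_intf}")
    return findings
```

Feed it the sniffer output of each unit after enabling ha-direct; an empty result means syslog and SNMP traps are confined to the management network.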
For the FMG it is still recommended to manage through a business interface; the dedicated management interface should not be used. To the FMG the HA cluster is a single device, so managing the FGT through one fixed IP address is more appropriate and avoids the FGT-FMG tunnel being interrupted when an HA failover occurs.
DNS and FortiGuard are still resolved and updated through the root VDOM:
FGT101E_Master_379 # diagnose sniffer packet any "port 53" 4
interfaces=[any]
filters=[port 53]
6.698838 wan1 out 202.100.1.21.2340 -> 208.91.112.53.53: udp 28
6.940655 wan1 in 208.91.112.53.53 -> 202.100.1.21.2340: udp 441
14.028251 wan1 out 202.100.1.21.2340 -> 208.91.112.52.53: udp 31
14.358963 wan1 in 208.91.112.52.53 -> 202.100.1.21.2340: udp 184
To fully implement independent management of the HA cluster while keeping it completely isolated from business traffic, a dedicated management VDOM is required.