2.5.3 Ensure HA Reserved Management Interface is configured

Information

Ensure Reserved Management Interfaces are configured on HA devices.

To be able to access both the primary and secondary firewalls in an HA cluster, Reserved Management Interfaces must be configured so that these interfaces are excluded from HA synchronization and do not share the cluster's virtual MAC address.

Solution

Remediate through the GUI:

1. Go to System > HA and edit the "Master" device.
2. Enable "Management Interface Reservation". Once this is enabled, select an interface and configure the appropriate gateway.

Remediate through the CLI:

FGT1 #config system ha
FGT1 (ha) # set ha-mgmt-status enable
FGT1 (ha) # config ha-mgmt-interfaces
FGT1 (ha-mgmt-interfaces) # edit 1
new entry '1' added
FGT1 (1) # set interface port6
FGT1 (1) # set gateway 10.10.10.1
FGT1 (1) # end
FGT1 (ha) # show
config system ha
set group-name "FGT-HA"
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpiTE+12xAHz7lA3EoYZzf8A==
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port6"
set gateway 10.10.10.1
next
end
set override disable
end
FGT1 (ha) # end
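The CLI session above shows the remediation; auditing many units by hand is error-prone, so the following added example (not part of the benchmark or of FortiOS) parses the text of `show` from `config system ha` and reports whether the reserved management interface is configured. It assumes the block has been captured to a file or variable exactly as the device prints it; the two sample configurations and the `REDACTED-PLACEHOLDER` password value are constructed here, not real credentials.

```python
"""Audit a FortiOS 'config system ha' block for a reserved management interface."""
import ipaddress
import shlex
from typing import Any, Dict, List

# Constructed sample mirroring the compliant `show` output above, with the ENC
# password replaced by a placeholder (hypothetical value, not a real secret).
SAMPLE_COMPLIANT = """\
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password ENC REDACTED-PLACEHOLDER
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port6"
            set gateway 10.10.10.1
        next
    end
    set override disable
end
"""

# Constructed sample of a unit that was never remediated.
SAMPLE_NONCOMPLIANT = """\
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set ha-mgmt-status disable
    set override disable
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Turn FortiOS config text (config/edit/set/next/end) into nested dicts.

    'config a b' and 'edit 1' open a child dict; 'set k v' stores v under k
    (a list when several values follow); 'next' and 'end' close the child.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)  # strips the quotes around "port6" etc.
        verb, args = parts[0], parts[1:]
        current = stack[-1]
        if verb in ("config", "edit"):
            child = current.setdefault(" ".join(args), {})
            stack.append(child)
        elif verb == "set":
            current[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{verb}'")
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def check_ha_mgmt_reservation(config_text: str) -> List[str]:
    """Return findings for CIS 2.5.3; an empty list means the unit passes."""
    ha = parse_fortios(config_text).get("system ha", {})
    findings: List[str] = []
    if ha.get("ha-mgmt-status") != "enable":
        findings.append("ha-mgmt-status is not enabled")
    entries = ha.get("ha-mgmt-interfaces", {})
    if not entries:
        findings.append("no ha-mgmt-interfaces entries configured")
    for idx, entry in entries.items():
        if not entry.get("interface"):
            findings.append(f"ha-mgmt-interfaces {idx}: no interface set")
        gateway = entry.get("gateway", "")
        try:
            # 0.0.0.0 parses but means 'no gateway', so flag it as well.
            if ipaddress.ip_address(gateway).is_unspecified:
                raise ValueError
        except ValueError:
            findings.append(f"ha-mgmt-interfaces {idx}: no valid gateway set")
    return findings


if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT),
                         ("noncompliant", SAMPLE_NONCOMPLIANT)):
        print(name, check_ha_mgmt_reservation(sample) or "PASS")
```

Feed the script the `show` output from each cluster member rather than only the primary: the reserved management settings are exactly the part of `config system ha` that is not synchronized, so a compliant primary says nothing about the secondary.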

Impact:

Without Reserved Management Interfaces, the secondary devices cannot be accessed directly, because the primary and secondary devices synchronize their configuration exactly and float a virtual MAC address between them for failover.

See Also

https://workbench.cisecurity.org/benchmarks/15284