2.5.3 Ensure HA Reserved Management Interface is configured


Ensure Reserved Management Interfaces are configured on HA devices.


To allow direct access to both the primary and secondary firewalls in an HA cluster, Reserved Management Interfaces need to be configured. A reserved interface is excluded from HA synchronization and does not share the virtual MAC address.


Without Reserved Management Interfaces, the secondary device cannot be accessed directly, because the primary and secondary devices synchronize their configuration exactly and float a virtualized MAC address between them for failover.


Remediate through the GUI:

1. Go to System -> HA and edit the 'Master' device.
2. Enable 'Management Interface Reservation'. Once this is enabled, select an interface and configure the appropriate gateway.

Remediate through the CLI:

FGT1 # config system ha
FGT1 (ha) # set ha-mgmt-status enable
FGT1 (ha) # config ha-mgmt-interfaces
FGT1 (ha-mgmt-interfaces) # edit 1
new entry '1' added
FGT1 (1) # set interface port6
FGT1 (1) # set gateway
FGT1 (1) # end
FGT1 (ha) # show
config system ha
set group-name 'FGT-HA'
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpiTE+12xAHz7lA3EoYZzf8A==
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface 'port6'
set gateway
set override disable
FGT1 (ha) # end
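
One way to audit this setting offline, added here as an example and not part of the benchmark or of Fortinet's tooling: the script below parses the 'config system ha' block of a configuration backup and reports whether ha-mgmt-status is enabled and each reserved entry has both an interface and a gateway, as the remediation above requires. The sample configuration, the gateway address and the function names are assumptions made for the example.

```python
import shlex

# Constructed sample (not from the page); 192.0.2.1 is a documentation address.
SAMPLE_CONFIG = """config system ha
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port6"
            set gateway 192.0.2.1
        next
    end
end
"""

def parse_ha(text):
    """Return (settings, reserved entries) from the 'config system ha' block."""
    settings, entries, entry, depth, table = {}, [], None, 0, None
    for line in text.splitlines():
        # Quote-aware splitting only inside the HA block; other sections of a
        # full backup may hold multi-line quoted values that shlex would reject.
        tok = shlex.split(line) if depth else line.split()
        if not tok:
            continue
        if depth == 0:
            depth = 1 if tok == ["config", "system", "ha"] else 0
        elif tok[0] == "config":
            depth, table = depth + 1, tok[1]
        elif tok[0] == "edit" and depth == 2 and table == "ha-mgmt-interfaces":
            entry = {"id": tok[1]}
        elif tok[0] in ("next", "end"):
            if entry is not None:  # close the reserved-interface entry being read
                entries.append(entry)
                entry = None
            if tok[0] == "end":
                depth -= 1
        elif tok[0] == "set" and len(tok) > 2 and (entry is not None or depth == 1):
            # A 'set' with no value (e.g. a bare 'set gateway') is treated as unset.
            (settings if entry is None else entry)[tok[1]] = " ".join(tok[2:])
    return settings, entries

def audit(text):
    """Return findings; an empty list means the reserved interface is configured."""
    settings, entries = parse_ha(text)
    findings = []
    if settings.get("ha-mgmt-status") != "enable":
        findings.append("ha-mgmt-status is not enabled")
    if not entries:
        findings.append("no ha-mgmt-interfaces entry is defined")
    for e in entries:
        findings += [f"entry {e['id']}: {k} is not set" for k in ("interface", "gateway") if not e.get(k)]
    return findings
```

Run audit() against the backup of each cluster member; any returned finding means the remediation steps above still need to be applied.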

Default Value:


See Also