If you create a FortiGate HA cluster, you get an option “Reserve Management Port for Cluster Member” which you can activate. Once it is active, you can select an interface for this option.
This is a nice feature.
It lets you assign an IP address to an interface that is not synchronized, so every machine gets its own IP address. This is very helpful if you have virtual clusters with different masters. It also helps to monitor the CPU and memory of a subordinate device.
Again, there is much more you can do on the command line than in the GUI:
First you activate the feature:
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface wan2
            set gateway 192.168.147.254
        next
    end
end
Do not forget to set a default gateway. This interface is isolated and requires its own routing.
Then you assign an individual IP address to every node in the cluster:
System 1:
config system interface
    edit wan2
        set ip 10.11.101.101/24
        set allowaccess https ping ssh snmp
    next
end
System 2:
config system interface
    edit wan2
        set ip 10.11.101.102/24
        set allowaccess https ping ssh snmp
    next
end
That’s it. Now you can easily access every single machine in the cluster.
New since FortiOS 5.6:
Starting with FortiOS 5.6, there is a new way to access every machine directly. This method is in-band and does not require a reserved interface.
Assign a management IP address on any interface. This address is not synchronised in the cluster.
System 1:
config system interface
    edit mgmt1
        set ip 10.11.101.254/24
        set management-ip 10.11.101.251/24
        set allowaccess https ping ssh snmp
    next
end
System 2:
config system interface
    edit mgmt1
        set ip 10.11.101.254/24
        set management-ip 10.11.101.252/24
        set allowaccess https ping ssh snmp
    next
end
Every device can now be accessed individually. The regular routing table applies.
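The in-band variant works because `set ip` is synchronised across the cluster while `set management-ip` is per node, so a config review should confirm that the two nodes share the interface address but carry distinct management addresses. The following check is an added example and not part of the original post; it parses the two nodes' `config system interface` blocks (constructed sample input, built from the values above) and flags a missing or duplicate management-ip as well as plaintext services in allowaccess.

```python
# Constructed sample input: the in-band management config pushed to two HA nodes.
NODE_CONFIGS = {
    "node1": """config system interface
    edit mgmt1
        set ip 10.11.101.254/24
        set management-ip 10.11.101.251/24
        set allowaccess https ping ssh snmp
    next
end""",
    "node2": """config system interface
    edit mgmt1
        set ip 10.11.101.254/24
        set management-ip 10.11.101.252/24
        set allowaccess https ping ssh snmp
    next
end""",
}
# Plaintext services that should not be enabled on a management interface.
INSECURE_SERVICES = {"http", "telnet"}


def parse_interfaces(config_text):
    # Parse a 'config system interface' block into {name: {setting: [values]}}.
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.split()
            interfaces[current][key] = values
        elif line == "next":
            current = None
    return interfaces


def check_management_ips(node_configs, iface):
    # Return a list of findings for iface across all nodes; an empty list means OK.
    findings = []
    parsed = {node: parse_interfaces(cfg).get(iface, {}) for node, cfg in node_configs.items()}
    # 'set ip' is synchronised by HA, so it must be identical on every node.
    if len({tuple(p.get("ip", [])) for p in parsed.values()}) != 1:
        findings.append("interface ip differs between nodes")
    # 'set management-ip' is not synchronised; every node needs its own distinct address.
    mgmt = [tuple(p.get("management-ip", [])) for p in parsed.values()]
    if not all(mgmt):
        findings.append("a node has no management-ip")
    elif len(set(mgmt)) != len(mgmt):
        findings.append("management-ip is not unique across nodes")
    for node, p in parsed.items():
        if INSECURE_SERVICES & set(p.get("allowaccess", [])):
            findings.append(f"{node}: plaintext service in allowaccess")
    return findings
```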