FortiGate HA Cluster – Accessing the Secondary Device

To run commands on the secondary FortiGate in an HA cluster, proceed as follows.

Command line on the primary system

Firewall_primary # get sys ha status
HA Health Status: OK
Model: FortiGate-100E
Mode: HA A-P
Group Name: Cluster_Name
Group ID: 0
Debug: 0
Cluster Uptime: 154 days 0:43:20
Cluster state change time: 2025-02-16 10:40:36
Primary selected using:
    <2025/02/16 10:40:36> vcluster-1: FG100ETK*** is selected as the primary because its override priority is larger than peer member FG100ETK***.
    <2025/02/16 10:36:37> vcluster-1: FG100ETK*** is selected as the primary because it's the only member in the cluster.
    <2025/02/16 10:36:36> vcluster-1: FG100ETK*** is selected as the primary because UPGRADE_SECONDARY flag is set on peer member FG100ETK***.
    <2025/02/16 10:35:52> vcluster-1: FG100ETK*** is selected as the primary because UPGRADE_PRIMARY flag is unset on peer member FG100ETK***.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
    FG100ETK***(updated 0 seconds ago): in-sync
    FG100ETK*** chksum dump: c9 f0 5d 35 3f 77 68 7e 95 37 6d f1 98 cd 6d 40 
    FG100ETK***(updated 0 seconds ago): in-sync
    FG100ETK*** chksum dump: c9 f0 5d 35 3f 77 68 7e 95 37 6d f1 98 cd 6d 40 
System Usage stats:
    FG100ETK***(updated 0 seconds ago):
        sessions=3200, average-cpu-user/nice/system/idle=5%/0%/0%/87%, memory=51%
    FG100ETK***(updated 0 seconds ago):
        sessions=717, average-cpu-user/nice/system/idle=1%/0%/0%/98%, memory=46%
HBDEV stats:
    FG100ETK***(updated 0 seconds ago):
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2391445908/75031841/0/0, tx=73288485/181542440/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=3364982964/53076532/0/0, tx=3842627065/53076446/0/0
    FG100ETK***(updated 0 seconds ago):
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=73798704/181541596/0/0, tx=2388149913/75030649/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=3842536201/53076253/0/0, tx=3364768492/53076079/0/0
MONDEV stats:
    FG100ETK***(updated 0 seconds ago):
        wan1: physical/1000auto, up, rx-bytes/packets/dropped/errors=1152838151/2249050852/0/0, tx=3275539528/3200261189/0/0
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=2395981040/3648108044/0/0, tx=2421425867/2407230274/0/0
    FG100ETK***(updated 0 seconds ago):
        wan1: physical/1000auto, up, rx-bytes/packets/dropped/errors=87462822/528282/0/0, tx=0/0/0/0
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=2149620375/24604108/0/0, tx=0/0/0/0
Primary     : firewall_primary       , FG100ETK***, HA cluster index = 1
Secondary   : firewall_secondary       , FG100ETK***, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG100ETK***, HA operating index = 0
Secondary: FG100ETK***, HA operating index = 1

firewall_primary # 


This output contains the HA cluster index of the secondary firewall (the "HA cluster index" value on the "Secondary" line). You can then use that index to connect to the second firewall.

execute ha manage <ID> <USERNAME>

Sample:

execute ha manage 0 admin
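
The lookup described above can be scripted. The following is an added example, not part of the original post and not Fortinet code: it reads saved `get sys ha status` output, takes the index from the "HA cluster index" lines only (the later "HA operating index" lines carry different numbers), and builds the `execute ha manage` command. The function names and the username character check are assumptions of this example, and it generalizes to clusters with more than one secondary.

```python
import re

# Constructed sample: role lines copied from the output above (serials are masked on the page).
SAMPLE = """\
Primary selected using:
Primary     : firewall_primary       , FG100ETK***, HA cluster index = 1
Secondary   : firewall_secondary       , FG100ETK***, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG100ETK***, HA operating index = 0
Secondary: FG100ETK***, HA operating index = 1
"""

# Only the "HA cluster index" lines have role, hostname, serial and index;
# the "HA operating index" lines use a different label and never match.
ROLE_LINE = re.compile(
    r"(Primary|Secondary)\s*:\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,"
    r"\s*HA cluster index\s*=\s*(\d+)"
)

def parse_members(status_text):
    """Return one dict per cluster member found in the status output."""
    members = []
    for line in status_text.splitlines():
        m = ROLE_LINE.fullmatch(line.strip())
        if m:
            role, host, serial, idx = m.groups()
            members.append({"role": role, "hostname": host,
                            "serial": serial, "cluster_index": int(idx)})
    return members

def secondary_indexes(status_text):
    """Cluster indexes of all secondaries (a cluster may have several)."""
    found = [m["cluster_index"] for m in parse_members(status_text)
             if m["role"] == "Secondary"]
    if not found:
        raise ValueError("no secondary member listed in the status output")
    return found

def manage_command(index, username):
    # Assumption of this example: accept only a conservative character set
    # so nothing else ends up on the generated CLI line.
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", username):
        raise ValueError("unexpected characters in username")
    return f"execute ha manage {int(index)} {username}"

if __name__ == "__main__":
    for idx in secondary_indexes(SAMPLE):
        print(manage_command(idx, "admin"))
```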