FortiGate HA Cluster Management IP – In Band Method v6


This article describes an option for managing a FortiGate HA cluster. Why is this important? Ideally, you want IP access to the Active and Standby FortiGate firewalls individually, separate from the combined management IP address. This becomes important when you have to do things like a remote upgrade.

This method gives you a separate management IP address on both the primary and standby FortiGate firewall. These IP addresses are on the same network as the LAN network, which makes this in-band management.

For this example, the LAN IP address in use is 192.168.1.1 255.255.255.0. We want to use 192.168.1.100 and 192.168.1.101 as the in-band management IP addresses for the primary and secondary firewalls, and we've already made sure these IP addresses are NOT currently in use.

First, fully create the HA cluster, making sure to NOT select dedicated interfaces (using these dedicated interfaces would be considered out of band management).

From the CLI on the primary firewall:

    config system interface
        edit LAN
            set management-ip 192.168.1.100 255.255.255.0
    end

From the CLI on the secondary firewall:

    config system interface
        edit LAN
            set management-ip 192.168.1.101 255.255.255.0
    end

That's it! Those IP addresses will respond on the same ports that are configured for the LAN interface, with some limitations: the only accessible methods for in-band management are http, https, ssh and ping.
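A pre-flight check for the address plan used above, as an added example that is not part of the original article: it confirms each planned management IP is a usable host on the LAN subnet, does not collide with the shared interface IP or another unit, and returns the CLI for each unit. The function name `plan_mgmt_ips` and the unit labels are hypothetical, and the check does not replace confirming on the network that the addresses are unused.

```python
import ipaddress


def plan_mgmt_ips(lan_ip, lan_mask, mgmt_ips, ifname="LAN"):
    """Validate per-unit in-band management IPs and return the CLI per unit.

    mgmt_ips maps a unit label (hypothetical, e.g. "primary") to its planned
    address. Raises ValueError on the first address that cannot work in-band.
    """
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    net = lan.network
    seen = {}  # address -> unit label that already claimed it
    cli = {}
    for unit, raw in mgmt_ips.items():
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            raise ValueError(f"{unit}: {ip} is outside {net}, so it is not in-band")
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{unit}: {ip} is the network or broadcast address")
        if ip == lan.ip:
            raise ValueError(f"{unit}: {ip} is the cluster's shared interface IP")
        if ip in seen:
            raise ValueError(f"{unit}: {ip} is already planned for {seen[ip]}")
        seen[ip] = unit
        # Same commands as in the article, with the validated address filled in.
        cli[unit] = "\n".join([
            "config system interface",
            f"edit {ifname}",
            f"set management-ip {ip} {net.netmask}",
            "end",
        ])
    return cli


if __name__ == "__main__":
    # Values taken from the article's example.
    plan = plan_mgmt_ips(
        "192.168.1.1", "255.255.255.0",
        {"primary": "192.168.1.100", "secondary": "192.168.1.101"},
    )
    for unit, commands in plan.items():
        print(f"# {unit}\n{commands}\n")
```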
