Lab 8. Fortigate High Availability (HA)

Setup

Story

After setting up virtual domains on the FGT device, we decided to also implement high availability (HA) on 2 machines in Active-Active mode. For this, we need to deploy a new node in the current topology and 2 switches to connect the existing endpoints.

HA will permit load balancing between multiple firewall instances.

Lab infra

A. New device in network: switch

As we have an HA topology, both firewalls must have the same configuration, and as such a switch is required to link them to the clients.

Go to the eve-ng web UI and create a new node using the 'Cisco IOL' template. Keep the default config, then start it. No other configuration is required.

B. New firewall node: remote Fortigate machine

From now on, the existing firewall will be called Local-FortiGate and the new one Remote-FortiGate.

For HA, the two devices cannot have the same license (the HA feature would then treat them as a single device in the cluster). Get the second .lic file from Moodle and upload it to the new node, so that each machine has a different serial number.

In case you need to find the IP address of the FGT, you need to go to global mode:

FGT_81 # config global

FGT_81 (root) # show system interface ?

B1. Local-FortiGate (first FGT): save the config (admin > Configuration > Revisions > save changes > add comment 'after_vdom_config'), then revert to the old revision 'before_vdom_enabled' (from the 7th lab, VDOM, in case you have it). Wait for the machine to reboot, then access it from the CLI and check the IP of port1 (mgmt), as it might have changed.

Stop it, then connect port4 to port4 of the node created in the next step (once it exists), port2 to client1 (via switch), and port3 to client2 (via switch).

B2. Remote-FortiGate (secondary FGT): create a new node with 4 interfaces, 1 vCPU and 2 GB RAM, then connect port1 to Cloud0 (already added to the topology), port2 to client1 (via switch), port3 to client2 (via switch), and port4 to Local-FGT (via its port4). Start the FGT (Remote-FortiGate); you will first need to change the MAC address:

# config sys int
# edit port1
# set macaddr <MAC address> - use here the format: 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+1:byte4_eveng_ip
# end
# exec router restart

Connect to the machine via browser, then upload the new license file. Do not configure port2 and port3, as their IPs will be synced from the Local-FortiGate.

C. Network topology

Finally, all nodes should be connected as shown below:

Exercises

We are again going to use the PDF file with the Fortinet exercises: go to Lab 7: High Availability (page 125).

Exercise 1 [5p]

For exchanging heartbeat messages between the firewalls, use port4 (instead of port2, as stated in the PDF).

Before starting the tasks from the guide, remember these 2 rules:

1. the machines need to have different serial numbers (so, different licenses)

2. the highest priority in a cluster wins the election (becomes the master); other criteria apply under other conditions, see task 2 for more details.

Also, after the HA cluster is established, port1 will have the same static IP on both machines (the IP found on the primary device): the configuration is synced between them and the secondary's IP is overwritten.

The HA config also requires a group-id (based on it, the 5th byte of the MAC address of each interface will be changed; see more here). Configure it on both of your firewalls, from the WebUI or directly from the CLI:

FGT81_2 # config sys ha 
FGT81_2 (ha) # set group-id 81 # use the 4th byte of your eveng ipv4 address
FGT81_2 (ha) # end
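Both per-student values in this lab (the Remote-FortiGate port1 MAC from step B2 and the HA group-id above) are derived from the eve-ng IP, and the group-id ends up in the 5th octet of every interface's virtual MAC. The script below works that out for a given address. It is an added helper, not part of the Fortinet guide or the course page; it assumes the IP octets are written as two-digit hex octets in the MAC (the text gives 50:00:00:byte2:byte3+1:byte4 without saying how the bytes are encoded), and it uses the virtual MAC layout 00:09:0f:09:<group-id>:<interface index> that Fortinet documents for HA clusters, which you can confirm on your own cluster with `diagnose hardware deviceinfo nic port1` (Current_HWaddr vs Permanent_HWaddr).

```python
"""Derive the per-student values used in this lab from the eve-ng IPv4 address.

Added example (not from the Fortinet guide or the course page). Assumptions:
  * the IP octets are taken as integer values and written as two-digit hex
    octets in the MAC (the lab gives 50:00:00:<byte2>:<byte3+1>:<byte4> without
    saying how the bytes are encoded);
  * the HA virtual MAC layout 00:09:0f:09:<group-id>:<interface index> is the
    one Fortinet documents; confirm on your cluster with
    `diagnose hardware deviceinfo nic port1` (Current_HWaddr vs Permanent_HWaddr).
"""
from ipaddress import IPv4Address


def port1_mac_from_eveng_ip(eveng_ip: str) -> str:
    """Unique port1 MAC for the Remote-FortiGate: 50:00:00:byte2:(byte3+1):byte4.

    The +1 on the third octet keeps it distinct from the Local-FortiGate's port1
    MAC; byte3 wraps modulo 256 so an address like x.y.255.z still yields a
    valid octet.
    """
    b = IPv4Address(eveng_ip).packed  # four raw octets as bytes
    octets = (0x50, 0x00, 0x00, b[1], (b[2] + 1) % 256, b[3])
    return ":".join(f"{o:02x}" for o in octets)


def ha_group_id_from_eveng_ip(eveng_ip: str) -> int:
    """Lab rule: group-id = 4th byte of the eve-ng IP (always within 0..255)."""
    return IPv4Address(eveng_ip).packed[3]


def ha_virtual_mac(group_id: int, interface_index: int) -> str:
    """Virtual MAC the cluster places on an interface once HA is up.

    The 5th octet is the group-id, which is why two clusters on the same L2
    segment (here Cloud0 on the shared eve-ng host) must not reuse a group-id.
    """
    if not 0 <= group_id <= 255:
        raise ValueError("HA group-id must be in 0..255")
    if not 0 <= interface_index <= 255:
        raise ValueError("interface index must fit in one octet")
    return f"00:09:0f:09:{group_id:02x}:{interface_index:02x}"


def find_group_id_collisions(group_ids) -> list[int]:
    """Return group-ids used more than once: their clusters would advertise
    identical virtual MACs and disturb each other's traffic on a shared segment."""
    seen: set[int] = set()
    duplicates: set[int] = set()
    for gid in group_ids:
        (duplicates if gid in seen else seen).add(gid)
    return sorted(duplicates)


if __name__ == "__main__":
    # constructed sample eve-ng address; FGT81 in the lab text corresponds to .81
    ip = "192.168.1.81"
    print("port1 macaddr for Remote-FortiGate:", port1_mac_from_eveng_ip(ip))
    gid = ha_group_id_from_eveng_ip(ip)
    print("set group-id", gid)
    for idx in range(4):  # indexes are FortiOS' own; read them from the diagnose output
        print(f"  interface index {idx}: {ha_virtual_mac(gid, idx)}")
    print("colliding group-ids in a shared lab:", find_group_id_collisions([81, 82, 81, 90]))
```

The collision check is the reason the lab ties the group-id to your own eve-ng IP: every student's cluster shares Cloud0, and two clusters with the same group-id would put the same virtual MAC on the segment.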

At the end, on the remote FGT (the one with priority 100), you will see the following:

Also check the system status:

# primary
FGT81 # get sys status
[...]
Current HA mode: a-a, master
# backup
FGT81_2 # get sys status
[...]
Current HA mode: a-a, backup

For session statistics, ping the other client from each client.

Exercise 2 [4p]

For triggering the failover, we cannot ping an external IP or access the YouTube website (due to the blackhole default route); instead, ping client2 from client1 with a delay of 1 sec:

client1@hostname:$ ping -i 1 172.16.0.2 # client2 ip
[...]

During this time, trigger the failover and check whether ping requests are dropped (the secondary FGT becoming primary should be seamless).
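Counting dropped probes by eye is error-prone, so here is a small parser for the ping output from client1 that lists the missing icmp_seq numbers and turns the longest gap into an outage time at the chosen interval. It is an added helper, not part of the lab or the Fortinet guide; SAMPLE_PING is a constructed transcript in the format Linux ping prints, and you would paste your own client1 output in its place.

```python
"""Measure the failover gap from the `ping -i 1` run of Exercise 2.

Added helper, not part of the lab or the Fortinet guide. SAMPLE_PING is a
constructed transcript of the kind of output Linux ping prints; paste your own
client1 output instead.
"""
import re
from dataclasses import dataclass, field

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")

# constructed sample: replies stop for seq 4-6 while the secondary takes over
SAMPLE_PING = """\
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=1.02 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=63 time=0.98 ms
64 bytes from 172.16.0.2: icmp_seq=3 ttl=63 time=1.10 ms
64 bytes from 172.16.0.2: icmp_seq=7 ttl=63 time=1.05 ms
64 bytes from 172.16.0.2: icmp_seq=8 ttl=63 time=0.99 ms

--- 172.16.0.2 ping statistics ---
8 packets transmitted, 5 received, 37.5% packet loss, time 7010ms
"""


@dataclass
class FailoverReport:
    lost_seqs: list = field(default_factory=list)  # seq numbers with no reply
    longest_outage_s: float = 0.0   # longest run of lost probes x interval
    total_lost: int = 0             # from the summary line when present
    trailing_lost: int = 0          # losses after the last reply (no gap to see)
    ttl_values: set = field(default_factory=set)  # TTLs seen; 63 = one router hop


def analyse_ping(output: str, interval_s: float = 1.0) -> FailoverReport:
    report = FailoverReport()
    seqs = []
    summary_seen = False
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
            report.ttl_values.add(int(m.group(2)))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            summary_seen = True
            report.total_lost = int(m.group(1)) - int(m.group(2))
    # a gap between consecutive replies is a run of probes the cluster dropped
    longest_run = 0
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            run = list(range(prev + 1, cur))
            report.lost_seqs.extend(run)
            longest_run = max(longest_run, len(run))
    report.longest_outage_s = longest_run * interval_s
    if not summary_seen:  # ping interrupted before the summary: count only the gaps
        report.total_lost = len(report.lost_seqs)
    # probes lost after the final reply never show up as a gap; the summary catches them
    report.trailing_lost = max(0, report.total_lost - len(report.lost_seqs))
    return report


def failover_was_seamless(report: FailoverReport) -> bool:
    """Seamless in the sense the exercise asks for: no probe lost at all."""
    return report.total_lost == 0 and not report.lost_seqs


if __name__ == "__main__":
    r = analyse_ping(SAMPLE_PING, interval_s=1.0)
    print("lost icmp_seq:", r.lost_seqs)
    print(f"longest outage ~{r.longest_outage_s:.0f} s, total lost {r.total_lost}")
    print("seamless:", failover_was_seamless(r))
```

A constant TTL of 63 in the replies confirms the echo requests traverse the firewall as a routed hop both before and after the failover; a change in TTL would mean the path changed, which is worth noting alongside the lost sequence numbers.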

After resetting the secondary firewall, you should see the following logs (election in the cluster):

Exercise 3 [1p]

Look here only at the first part (accessing the secondary FortiGate remotely via the CLI).