Lab 9. Fortigate High Availability



After linking the branches securely with IPsec VPN connections (primary and backup), we decided to also build a local setup consisting of 2 FortiGate devices and 2 different networks. We need to test load balancing using the HA Active-Active feature, and also a hot-standby firewall (like HSRP) using HA Active-Passive.

Lab infra

A. New device in network: switch

As we have an HA topology, both firewalls must have the same configuration, so a switch is required to link them to the clients.

A1. Go to this link and download the switch binary 'i86bi-linux-l2-adventerprisek9-15.2d.bin'. Scp it to your eve-ng machine with IP 10.3.0.* (remember the credentials root:student), to the path /opt/unetlab/addons/iol/bin.

A2. Make the binary executable for the current eve-ng user (otherwise it cannot be started):

root@SRED:/opt/unetlab/addons/iol/bin# chmod +x i86bi-linux-l2-adventerprisek9-15.2d.bin 

A3. We now need to generate a license for the switch image. Copy the following python script to the same location as above:

#! /usr/bin/python
print("Cisco IOU License Generator - Kal 2011, python port of 2006 C version")
print("Modified to work with python3 by c_d 2014")
import os
import socket
import hashlib
import struct

# get the host id and host name to calculate the hostkey
hostid = os.popen("hostid").read().strip()
hostname = socket.gethostname()
ioukey = int(hostid, 16)
for x in hostname:
 ioukey = ioukey + ord(x)
print("hostid=" + hostid + ", hostname=" + hostname + ", ioukey=" + hex(ioukey)[2:])

# create the license using md5sum
iouPad1 = b'\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
iouPad2 = b'\x80' + 39*b'\0'
md5input = iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
# the license is the first 16 hex digits of the md5 digest
iouLicense = hashlib.md5(md5input).hexdigest()[:16]

print("\nAdd the following text to ~/.iourc:")
print("[license]\n" + hostname + " = " + iouLicense + ";\n")
print("You can disable the phone home feature with something like:")
print(" echo '' >> /etc/hosts\n")

Then, execute it:

Cisco IOU License Generator - Kal 2011, python port of 2006 C version
Modified to work with python3 by c_d 2014
hostid=007f0101, hostname=SRED, ioukey=7f022f

Add the following text to ~/.iourc:
SRED = eb8d7f0235852d2d;

You can disable the phone home feature with something like:
 echo '' >> /etc/hosts

Copy the SRED license with header to /opt/unetlab/addons/iol/bin/iourc file. In the end, you will need to have something like this:

root@SRED:/opt/unetlab/addons/iol/bin# cat iourc 
SRED = eb8d7f0235852d2d;

A4. Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required.

B. Local and remote FortiGate machines

For HA, the two devices cannot have the same license (the cluster would treat them as a single device). As in the previous lab we used 2 different lic files, each machine already has a different serial number.

B1. Local-FortiGate (first FGT): save the config (admin > Configuration > Revisions > save changes > add comment 'vdom_and_ipsec'), then revert to the old revision 'before_vdom_enabled' (from the 7th lab - VDOM). Wait for the machine to reboot, then access it from the CLI and check the IP of port1, as it may have changed.

B2. Remote-FortiGate (secondary FGT): do the same, save the config for ipsec (in case you need to come back to it) and then remove any configuration made for ipsec: go to each ipsec tunnel > Ref (click on the number: you should have 4) > delete each reference (firewall policy, interface and static route), and finally delete the ipsec tunnel.

C. Same config on both devices

In order to create the HA config, both machines need the same interface configuration (on the local firewall, the same networks should already be configured for port2 and port3):

- for port1, keep the ip as static (we cannot have dhcp mode configured)

- for port2, use network (with .1 for FGT) and dhcp server starting from .2

- for port3, use network (with .1 for FGT) and dhcp server starting from .2

- add 2 new security rules: allow any traffic from port2 to port3 and from port3 to port2

Network topology:


We are going again to use the pdf file with Fortinet Exercises - go to Lab 7: High Availability (page 125).

Exercise 1 [5p]

For exchanging the heartbeat messages between the firewalls, use port4 (instead of port2, as stated on pdf).

Before starting doing the tasks from guide, remember these 3 rules:

1. have the same configuration for interfaces on both fortigates

2. machines need to have different serial numbers (so, different licenses)

3. the highest priority in a cluster wins the election (becomes the master) - there will be other priorities in other conditions, see task 2 for more details.

Also, after the HA cluster is established, the interface port1 will have the same static ip value on both machines (which is the ip found on primary device). There is a sync made between them and the secondary's ip is rewritten.

The HA config also requires a group-id (the 5th byte of the virtual MAC address of each interface is derived from it - see more here). Configure it on both of your firewalls:

FGT81_2 # config sys ha 
FGT81_2 (ha) # set group-id 81 # use the 4th byte of your eveng ipv4 address
FGT81_2 (ha) # end
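As an added example (not from the lab page or Fortinet), the script below derives the virtual MACs a cluster announces from its group-id, so you can see why group-id 81 (0x51) ends up in the 5th byte and why two clusters on the same switch must not share a group-id. It assumes Fortinet's documented layout 00:09:0f:09:<group-id>:<vcluster offset + interface index>, with the interface index taken as the port number minus one and virtual cluster 1 at offset 0x00 (both assumptions).

```python
from typing import Dict, List

# Virtual MAC layout assumed here (see lead-in): 00:09:0f:09:<group-id>:<offset + idx>
FORTI_HA_PREFIX = "00:09:0f:09"


def ha_virtual_macs(group_id: int, ports: List[str], vcluster_offset: int = 0x00) -> Dict[str, str]:
    """Return the virtual MAC each cluster interface will announce."""
    # the MAC has one byte for the group-id; the lab fills it from an IPv4 octet
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must fit in one byte (0-255)")
    macs: Dict[str, str] = {}
    for port in ports:
        if not port.startswith("port") or not port[4:].isdigit():
            raise ValueError(f"unexpected interface name: {port}")
        idx = int(port[4:]) - 1 + vcluster_offset  # assumption: port1 -> 0
        macs[port] = f"{FORTI_HA_PREFIX}:{group_id:02x}:{idx:02x}"
    return macs


def group_id_from_eveng_ip(ip: str) -> int:
    """Lab convention: use the 4th byte of the EVE-NG IPv4 address."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return octets[3]


def find_mac_collisions(clusters: Dict[str, int], ports: List[str]) -> List[str]:
    """Two clusters on one L2 segment must use different group-ids: with the
    same id their virtual MACs are identical and the switch flaps between them."""
    seen: Dict[str, str] = {}
    collisions: List[str] = []
    for name, gid in clusters.items():
        for mac in ha_virtual_macs(gid, ports).values():
            if mac in seen and seen[mac] != name:
                collisions.append(f"{mac} used by both {seen[mac]} and {name}")
            seen.setdefault(mac, name)
    return collisions


if __name__ == "__main__":
    gid = group_id_from_eveng_ip("10.3.0.81")  # constructed sample address
    print(ha_virtual_macs(gid, ["port1", "port2", "port3", "port4"]))
    print(find_mac_collisions({"cluster-a": 81, "cluster-b": 81}, ["port1"]))
```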

At the end, on the remote FGT (that with priority 100), you will see the following:

and check also the system status:

# primary
FGT81 # get sys status
Current HA mode: a-a, master
# backup
FGT81_2 # get sys status
Current HA mode: a-a, backup

For session statistics, ping from each client the other one.

Exercise 2 [4p]

For triggering the failover, we cannot ping an external IP or access the youtube website (due to the blackhole for the default route); instead, ping client2 from client1 with a delay of 1 sec:

client1@hostname:$ ping -i 1 # client2 ip

Meanwhile, do the failover and see if ping requests are dropped (the secondary FGT becoming primary should be seamless).
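To judge whether the failover was really seamless, the added script below (not part of the lab page) walks the icmp_seq numbers in the saved output of ping -i 1 and turns missing sequence numbers into an outage estimate. The ping output embedded in it is a constructed sample, not a capture from the lab.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ping -i 1 <client2 ip>` output seen on client1 during
# an HA failover: icmp_seq 5 and 6 were sent while the secondary took over.
SAMPLE_PING_OUTPUT = """\
PING 10.10.3.2 (10.10.3.2) 56(84) bytes of data.
64 bytes from 10.10.3.2: icmp_seq=1 ttl=63 time=0.812 ms
64 bytes from 10.10.3.2: icmp_seq=2 ttl=63 time=0.790 ms
64 bytes from 10.10.3.2: icmp_seq=3 ttl=63 time=0.805 ms
64 bytes from 10.10.3.2: icmp_seq=4 ttl=63 time=0.799 ms
64 bytes from 10.10.3.2: icmp_seq=7 ttl=63 time=1.102 ms
64 bytes from 10.10.3.2: icmp_seq=8 ttl=63 time=0.801 ms
64 bytes from 10.10.3.2: icmp_seq=9 ttl=63 time=0.797 ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)\s+ttl=\d+\s+time=([\d.]+) ms")


def analyze_ping(output: str, interval_s: float = 1.0) -> Dict[str, object]:
    """Return the lost sequence numbers and the longest outage in seconds.

    ping sends one request every interval_s, so a run of N consecutive
    missing icmp_seq values means roughly N * interval_s of downtime.
    A seamless failover gives an empty lost list and max_outage_s == 0.
    """
    seqs: List[int] = [int(m.group(1)) for m in SEQ_RE.finditer(output)]
    if not seqs:
        return {"received": 0, "lost": [], "max_outage_s": None}
    got = set(seqs)
    lost = [s for s in range(seqs[0], seqs[-1] + 1) if s not in got]
    # longest run of consecutive lost sequence numbers
    longest = run = 0
    prev: Optional[int] = None
    for s in lost:
        run = run + 1 if prev is not None and s == prev + 1 else 1
        longest = max(longest, run)
        prev = s
    return {"received": len(seqs), "lost": lost, "max_outage_s": longest * interval_s}


if __name__ == "__main__":
    print(analyze_ping(SAMPLE_PING_OUTPUT))
```

Redirect the real ping session to a file (ping -i 1 <client2 ip> | tee ping.log) and feed its contents to analyze_ping to get the same report for your own failover.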

After resetting the secondary firewall, you should see the following logs (election in cluster):

Exercise 3 [1p]

Look here only at the first part (accessing the secondary FortiGate remotely via the CLI).

sred/lab8.txt · Last modified: 2022/01/26 15:08 by horia.stoenescu