Lab 8. Fortigate High Availability

Setup

Story

After linking branches securely using ipsec vpn connections (primary and backup), we decided to also create a local setup consisting in 2 forti devices and 2 different networks. We need to test load balancing using HA feature Active-Active and also hot standby firewall (like HSRP) using HA Active-Passive.

Lab infra

Remember that on the last lab we reused the same license for each FGT (local and remote). For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). See on point (B) details about the setup.

A. New device in network: switch

As we have a HA topology, we are required to have the same configuration on both firewalls and as such, a switch is required to link them to clients.

A1. Go to this link and download the switch binary 'i86bi-linux-l2-adventerprisek9-15.2d.bin'. Scp it to your eve-ng machine with ip 10.3.0.* (remember the credentials root:student) on path /opt/unetlab/addons/iol/bin.

A2. Add for current eve-ng user +x (otherwise the binary cannot be started):

root@SRED:/opt/unetlab/addons/iol/bin# chmod +x i86bi-linux-l2-adventerprisek9-15.2d.bin 

A3. We need now to generate a serial for switch device. Copy on the same location as above the following python script:

#! /usr/bin/python
print("*********************************************************************")
print("Cisco IOU License Generator - Kal 2011, python port of 2006 C version")
print("Modified to work with python3 by c_d 2014")
import os
import socket
import hashlib
import struct

# get the host id and host name to calculate the hostkey
hostid=os.popen("hostid").read().strip()
hostname = socket.gethostname()
ioukey=int(hostid,16)
for x in hostname:
 ioukey = ioukey + ord(x)
print("hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:])

# create the license using md5sum
iouPad1 = b'\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
iouPad2 = b'\x80' + 39*b'\0'
md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
iouLicense=hashlib.md5(md5input).hexdigest()[:16]

print("\nAdd the following text to ~/.iourc:")
print("[license]\n" + hostname + " = " + iouLicense + ";\n")
print("You can disable the phone home feature with something like:")
print(" echo '127.0.0.127 xml.cisco.com' >> /etc/hosts\n")
######################################################################################

Then, execute it:

*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
Modified to work with python3 by c_d 2014
hostid=007f0101, hostname=SRED, ioukey=7f022f

Add the following text to ~/.iourc:
[license]
SRED = eb8d7f0235852d2d;

You can disable the phone home feature with something like:
 echo '127.0.0.127 xml.cisco.com' >> /etc/hosts

Copy the SRED license with header to /opt/unetlab/addons/iol/bin/iourc file. In the end, you will need to have something like this:

root@SRED:/opt/unetlab/addons/iol/bin# cat iourc 
[license]
SRED = eb8d7f0235852d2d;

A4. Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required.

B. Different licenses

B1. Local-FortiGate (first FGT): keep it in its current - you can save the config (admin > Configuration > Revisions > save changes > add comment 'vdom_and_ipsec') and then shut it down.

B2. As both Local and Remote have the same license (cannot do HA in this case), create a new FGT (Local-FortiGate) instead of the old one. Change mac address for port1 to 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+2:byte4_eveng_ip:

# config sys int
# edit <interface>
# set macaddr <MAC address> - use here the format: 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+2:byte4_eveng_ip
# end
# exec router restart

And then redo all the configuration from Licensing (ask me to upload the license - it will have a different serial number than the one from Remote-FortiGate).

After licensing, save the configuration: admin > Configuration > Revisions > save changes > add comment 'initial_config_FGT'.

B3. For Remote-FortiGate (secondary FGT), do the same: save config for ipsec (in case you may need to come back to it) and then remove any configuration made for ipsec: go to each ipsec tunnel > Ref > delete each reference (firewall policy, intf and static route).

C. Same config on both devices

In order to create the HA config, we need to have the same interface configuration for both machines:

- for port1, keep the ip as static (we cannot have dhcp mode configured)

- for port2, use network 192.168.0.0/24 (with .1 for FGT) and dhcp server starting from .2

- for port3, use network 172.16.0.0/24 (with .1 for FGT) and dhcp server starting from .2

Network topology:

Exercises

We are going again to use the pdf file with Fortinet Exercises - go to Lab 7: High Availability (page 125).

Exercise 1 [5p]

Before starting doing the tasks from guide, remember these 3 rules:

1. have the same configuration for interfaces on both fortigates

2. machines need to have different serial numbers (so, different licenses)

3. the highest priority in a cluster wins the election (becomes the master) - there will be other priorities in other conditions, see task 2 for more details.

HA config also require to add a group-id (based on it, the 5th bytes of mac addreses of each interface will be changed - see more here and configure it on your own firewalls.

FGT81_2 # config sys ha 
FGT81_2 (ha) # set group-id 81 # use the 4th byte of your eveng ipv4 address
FGT81_2 (ha) # end

At the end, on the remote FGT (that with priority 100), you will see the following:

and check also the system status:

# primary
FGT81 # get sys status
[...]
Current HA mode: a-a, master
# backup
FGT81_2 # get sys status
[...]
Current HA mode: a-a, backup

For session statistics, ping from each client the other one.

Exercise 2 [4p]

For failover triggering, we cannot ping external ip or access youtube website (due to blackhole for def route) and instead, ping with delay of 1 sec client2 from client2:

client1@hostname:$ ping -i 1 172.16.0.2 # client2 ip
[...]

In this time, do the failover and see if ping requests are dropped (FGT secondary changing to primary should be smoothless).

After resetting the secondary firewall, you should see the following logs (election in cluster):

Exercise 3 [1p]

Look here only over the first part (access secondary fortigate via CLI).

sred/lab8.txt ยท Last modified: 2021/01/24 15:20 by horia.stoenescu
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0