Lab 8. Fortigate High Availability (HA)



After setting virtual domains on FGT device, we decided to also implement high availability (HA) on 2 machines in Active-Active mode. For this, we require to deploy a new node on the current topology and 2 switches for connecting the existing endpoints.

HA will permit load balancing between multiple firewall instances.

Lab infra

A. New device in network: switch

As we have a HA topology, we are required to have the same configuration on both firewalls and as such, a switch is required to link them to clients.

Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required.

B. New firewall node: remote Fortigate machine

The already existing firewall will be called from now Local-FortiGate and the new one Remote-FortiGate.

For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). See on Moodle the second lic file and upload it to new node. As such, each machine will have a different serial number.

In case you need to find the ip address for FGT, you need to go to global mode:

FGT_81 # config global

FGT_81 (root) # show system interface ?

B1. Local-FortiGate (first FGT): save the config (admin > Configuration > Revisions > save changes > add comment 'after_vdom_config'), then revert to an old revision 'before_vdom_enabled' (from the 7th lab - VDOM, in case you have it). Wait for machine to reboot, then access it from CLI and check the ip for port1 (mgmt) as it might be changed.

Stop it, then connect port4 to port 4, when the node from below is created, port2 to client1 (via switch), and port3 to client2 (via switch).

B2. Remote-FortiGate (secondary FGT): create a new node with 4 interfaces, 1 vCPU, 2 GB RAM, then connect port1 to Cloud0 (already added to the topology), port2 to client1 (via switch), port3 to client2 (via switch), and port4 to Local-FGT (via port4) . Start the FGT (Remote-FortiGate), then you will need firstly to change the mac address:

# config sys int
# edit port1
# set macaddr <MAC address> - use here the format: 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+1:byte4_eveng_ip
# end
# exec router restart

Connect to machine via browser, then upload the new license file. Do not configure port2 and port3, as their ips will be synced with the local-forti.

C. Network topology

At last, all nodes should be connected as seen below:


We are going again to use the pdf file with Fortinet Exercises - go to Lab 7: High Availability (page 125).

Exercise 1 [5p]

For exchanging the heartbeat messages between the firewalls, use port4 (instead of port2, as stated on pdf).

Before starting doing the tasks from guide, remember these 2 rules:

1. machines need to have different serial numbers (so, different licenses)

2. the highest priority in a cluster wins the election (becomes the master) - there will be other priorities in other conditions, see task 2 for more details.

Also, after the HA cluster is established, the interface port1 will have the same static ip value on both machines (which is the ip found on primary device). There is a sync made between them and the secondary's ip is rewritten.

HA config also require to add a group-id (based on it, the 5th bytes of mac addreses of each interface will be changed - see more here and configure it on both of your firewalls using the WebUI or from CLI directly:

FGT81_2 # config sys ha 
FGT81_2 (ha) # set group-id 81 # use the 4th byte of your eveng ipv4 address
FGT81_2 (ha) # end

At the end, on the remote FGT (that with priority 100), you will see the following:

and check also the system status:

# primary
FGT81 # get sys status
Current HA mode: a-a, master
# backup
FGT81_2 # get sys status
Current HA mode: a-a, backup

For session statistics, ping from each client the other one.

Exercise 2 [4p]

For failover triggering, we cannot ping external ip or access youtube website (due to blackhole for def route) and instead, ping with delay of 1 sec client2 from client2:

client1@hostname:$ ping -i 1 # client2 ip

In this time, do the failover and see if ping requests are dropped (FGT secondary changing to primary should be smoothless).

After resetting the secondary firewall, you should see the following logs (election in cluster):

Exercise 3 [1p]

Look here only over the first part (access secondary fortigate remotely via CLI).

sred/lab8.txt ยท Last modified: 2022/12/16 19:18 by horia.stoenescu
CC Attribution-Share Alike 3.0 Unported Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0