Show page

Differences

This shows you the differences between two versions of the page.

--- sred:lab8 [2022/12/09 15:15]
horia.stoenescu
+++ sred:lab8 [2022/12/16 19:18] (current)
horia.stoenescu [Lab infra]
@@ Line 13: / Line 13: @@
 As we have a HA topology, we are required to have the same configuration on both firewalls and as such, a switch is required to link them to clients.
-**A1**. Go to this [[http://www.idum.fr/Telechargements/Images%20GNS3%20-%20EVE-NG/IOL/Cisco%20L2/i86bi-linux-l2-adventerprisek9-15.2d/|link]] and download the switch binary '**i86bi-linux-l2-adventerprisek9-15.2d.bin**'. Scp it to your eve-ng machine with ip 10.3.0.* (remember the credentials root:student) on path **/opt/unetlab/addons/iol/bin**.
+Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required.
-**A2**. Add for current eve-ng user +x (otherwise the binary cannot be started):
+=== B. New firewall node: remote Fortigate machine ===
-<code>
-root@SRED:/opt/unetlab/addons/iol/bin# chmod +x i86bi-linux-l2-adventerprisek9-15.2d.bin
-</code>
-**A3**. We need now to generate a serial for switch device. Copy on the same location as above the following python script:
+The already existing firewall will be called from now **Local-FortiGate** and the new one **Remote-FortiGate**.
-<code>
-#! /usr/bin/python
-print("*********************************************************************")
-print("Cisco IOU License Generator - Kal 2011, python port of 2006 C version")
-print("Modified to work with python3 by c_d 2014")
-import os
-import socket
-import hashlib
-import struct
-# get the host id and host name to calculate the hostkey
+<note warning>
-hostid=os.popen("hostid").read().strip()
+For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). See on Moodle the second lic file and upload it to new node. As such, each machine will have a different serial number.
-hostname = socket.gethostname()
+</note>
-ioukey=int(hostid,16)
-for x in hostname:
- ioukey = ioukey + ord(x)
-print("hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:])
-# create the license using md5sum
+<note important>
-iouPad1 = b'\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
+In case you need to find the ip address for FGT, you need to go to global mode:
-iouPad2 = b'\x80' + 39*b'\0'
+<code>
-md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
+FGT_81 # config global
-iouLicense=hashlib.md5(md5input).hexdigest()[:16]
-print("\nAdd the following text to ~/.iourc:")
+FGT_81 (root) # show system interface ?
-print("[license]\n" + hostname + " = " + iouLicense + ";\n")
-print("You can disable the phone home feature with something like:")
-print(" echo '127.0.0.127 xml.cisco.com' >> /etc/hosts\n")
-######################################################################################
 </code>
+</note>
-Then, execute it:
+**B1**. Local-FortiGate (first FGT): save the config (admin > Configuration > Revisions > save changes > add comment 'after_vdom_config'), then revert to an old revision 'before_vdom_enabled' (from the 7th lab - VDOM, in case you have it). Wait for machine to reboot, then access it from CLI and check the ip for port1 (mgmt) as it might be changed.
-<code>
-*********************************************************************
-Cisco IOU License Generator - Kal 2011, python port of 2006 C version
-Modified to work with python3 by c_d 2014
-hostid=007f0101, hostname=SRED, ioukey=7f022f
-Add the following text to ~/.iourc:
+Stop it, then connect port4 to port 4, when the node from below is created, port2 to client1 (via switch), and port3 to client2 (via switch).
-[license]
-SRED = eb8d7f0235852d2d;
-You can disable the phone home feature with something like:
+**B2**. Remote-FortiGate (secondary FGT): create a new node with 4 interfaces, 1 vCPU, 2 GB RAM, then connect port1 to Cloud0 (already added to the topology), port2 to client1 (via switch), port3 to client2 (via switch), and port4 to Local-FGT (via port4) . Start the FGT (Remote-FortiGate), then you will need firstly to change the mac address:
- echo '127.0.0.127 xml.cisco.com' >> /etc/hosts
-</code>
-Copy the SRED license with header to /opt/unetlab/addons/iol/bin/iourc file. In the end, you will need to have something like this:
 <code>
-root@SRED:/opt/unetlab/addons/iol/bin# cat iourc
+# config sys int
-[license]
+# edit port1
-SRED = eb8d7f0235852d2d;
+# set macaddr <MAC address> - use here the format: 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+1:byte4_eveng_ip
+# end
+# exec router restart
 </code>
-**A4**. Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required.
+Connect to machine via browser, then upload the new license file. Do not configure port2 and port3, as their ips will be synced with the local-forti.
-=== B. Local and remote FortiGate machines ===
+=== C. Network topology ===
-<note warning>
+At last, all nodes should be connected as seen below:
-For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). As on the latest lab we used 2 different lic files, each machine will have a different serial number.
-</note>
-**B1**. Local-FortiGate (first FGT): save the config (admin > Configuration > Revisions > save changes > add comment 'vdom_and_ipsec'), then revert to an old revision 'before_vdom_enabled' (from the 7th lab - VDOM). Wait for machine to reboot, then access it from CLI and check the ip for port1 as it might be changed.
-**B2**. Remote-FortiGate (secondary FGT): do the same, save config for ipsec (in case you may need to come back to it) and then remove any configuration made for ipsec: go to each ipsec tunnel > Ref (click on the number: you should have 4) > delete each reference (firewall policy, intf and static route), and in the end delete the ipsec tunnel.
-=== C. Same config on both devices ===
-In order to create the HA config, we need to have the same interface configuration for both machines (for local firewall, you should already have the same networks already configured for port2 and port3):
-- for port1, keep the ip as static (we cannot have dhcp mode configured)
-- for port2, use network 172.16.0.0/24 (with .1 for FGT) and dhcp server starting from .2
-- for port3, use network 192.168.0.0/24 (with .1 for FGT) and dhcp server starting from .2
-- add 2 new security rules: allow any traffic from port2 to port3 and from port3 to port2
-Network topology:
 {{:sred:lab9_ha.png?800|}}
 ==== Exercises ====
-We are going again to use the [[https://curs.upb.ro/2021/pluginfile.php/430773/mod_resource/content/1/FortiGate_Infrastructure_6.4_Lab_Guide-Online.pdf|pdf]] file with Fortinet Exercises - go to Lab 7: High Availability (page 125).
+We are going again to use the [[https://curs.upb.ro/2022/pluginfile.php/397572/mod_folder/content/0/FortiGate_Infrastructure_6.4_Lab_Guide-Online.pdf|pdf]] file with Fortinet Exercises - go to Lab 7: High Availability (page 125).
 === Exercise 1 [5p] ===
@@ Line 112: / Line 64: @@
 <note important>
-Before starting doing the tasks from guide, remember these 3 rules:
+Before starting doing the tasks from guide, remember these 2 rules:
-. have the **same configuration** for interfaces on both fortigates
 . machines need to have **different serial numbers** (so, different licenses)
 . the **highest** priority in a cluster wins the election (becomes the master) - there will be other priorities in other conditions, see task 2 for more details.
 Also, after the HA cluster is established, the interface port1 will have the same static ip value on both machines (which is the ip found on primary device). There is a sync made between them and the secondary's ip is rewritten.
@@ Line 124: / Line 74: @@
 <note warning>
-HA config also require to add a group-id (based on it, the 5th bytes of mac addreses of each interface will be changed - see more [[https://kb.fortinet.com/kb/documentLink.do?externalID=11772|here]] and configure it on both of your firewalls:
+HA config also require to add a group-id (based on it, the 5th bytes of mac addreses of each interface will be changed - see more [[https://kb.fortinet.com/kb/documentLink.do?externalID=11772|here]] and configure it on both of your firewalls using the WebUI or from CLI directly:
 <code>
 FGT81_2 # config sys ha