FortiGate 60F HA Cluster Build

Captions
Hey guys, Mike here from Fortinet Guru, your favorite Fortinet YouTube channel, maybe, hopefully. A few weeks ago I released a video specifically talking about HA clusters, why they're important and how to build one, but apparently I buggered it up because the encoding did not go well. The quality of the video was such that you couldn't really see what was going on on the screen, so all you really got was a 30 minute video of me talking. So this is attempt number two, so that we can hopefully get this thing working a little bit better for you and provide a little bit more value. I deleted the other one, so don't even bother looking for it; it was a nightmare.

Anyways, as many of you know, I run multiple businesses, and I have people that do those businesses for me, or partners, or things like that. One of the businesses that I own is called Office of the CISO, which, CISO, you know, Chief Information Security Officer. That company focuses on things like virtual CISO as a service, penetration testing, vulnerability assessments, things of that nature. They also focus pretty heavily on building information security programs for organizations. Well, we're in the process of standing up our infrastructure for said business, and it's going to be an HA cluster, and I figured, you know, what better situation to make a video for than for an HA cluster that you guys can actually see and witness how things take place.

So first things first: why would you actually want your FortiGates in an HA cluster? Why wouldn't you use something like HSRP or anything like that? And what are some of the nuances of HA clusters on FortiGates? First things first, if you run a business and you need uptime, redundancy of hardware is going to be critical. You have to make sure that your equipment stays up; in the event that you suffer a hardware failure, your environment does not go down causing your customers outages. Basically what an HA cluster does is it gives you a redundant firewall capability; that way if the primary fails, or if an interface or something within the primary fails, your secondary can take over.

Another thing that folks probably don't think about as much is it actually lightens the load on maintenance windows a little bit for you. I mean, any time you update a FortiGate's firmware, you know it's going to be down for two to five minutes while it reboots, performs its checks, things of that nature. Have an HA cluster, and the backup unit actually receives the firmware update first, goes through that whole process, comes online, synchronizes, and then once it's known good, the primary then executes the firmware upgrade. In most situations, if you're configured properly, you only lose a packet or two here or there during that failover process, which means you can perform, you know, firmware updates during the day or during production hours without it being too critical of an event. Now obviously you still want to announce that, you know, network connectivity could be degraded or something could take place, because it is still a maintenance window even though the outage isn't really witnessed by the end user. So those are reasons why you would want to do HA.

My particular HA deployment is going to be two 60Fs. The SoC4 chip is so powerful that the 60F is going to probably be able to support our needs for quite a while, and then we have two 124Fs for FortiSwitches that are going to be behind the layout. So I have here the overview of how I'm going to have it cabled. As you can see, I have two FortiGate 60s. I will be using their DMZ port as the HA port, and that will be done because I'm going to hang everything off the FortiSwitches, so a DMZ VLAN will be created. And of course the 60F units do not have dedicated HA ports on them, so I'll take that port, I'll repurpose it as a DMZ port, and then I will configure the cabling via our switches as listed. So as you know, the FortiLink interface by default is an 802.3ad aggregate interface, so I'm going to plug port 23 and port 24 into ports A and B of the primary FortiGate. I'm going to have port 25 in the long term be my inter-switch link; however, for the purposes of this video we will actually be using port 22 there, mainly because I don't have SFP optics yet, and for the sake of the video it's going to serve the same purpose. And then of course ports A and B of the secondary FortiGate will be plugged into ports 23 and 24 of the other switch. Now this provides us with redundancy and aggregate throughput capabilities, because you'll be able to get the two gigs of aggregate bandwidth between the FortiGate. I will not be utilizing split FortiLink interfaces, because I am not connecting the same FortiGate to multiple switches. And then if I were to lose ports 23 and 24 of switch one, etc., I will have the ability of failing over to the backup unit. Very straightforward cabling, very straightforward deployment.

And for those of you that ask why not run an active-active cluster: I personally think that running active-active clusters on FortiGates tips the engineer into doing something they probably shouldn't. I mean, as we all know, budgets get cut, or we're constantly, from a security perspective, being asked to do more with less, which is usually funding, unfortunately. And when you do active-active, you end up in a situation where you're more likely to over-provision your environment. Now in the grand scheme of things, if something were to fail, you being up because the primary unit failed or the secondary unit failed, an active-active cluster, it'll just run slower. But I like for my failover situation to still be able to support 100% of my traffic without the users noticing. Active-passive does a very good job of that, and that's just where I like to hang out.

So if you see over here, these are the actual two FortiGates right there, and then the two switches beneath them. Switches are not cabled yet. We're going to do the actual active-passive cluster build, and then once they come back online we will do the cabling of the switches and the base configuration. So these guys have been factory reset, because obviously I've done this video once already and it doesn't do you a lick of good if there's stuff already in there. We want to make sure that you see it top to bottom, start to finish, and go ahead and go through the process of doing the password.

Okay, so, alrighty, so the first FortiGate that we are going to configure currently has an IP of 10.1.125. This is actually going to be my secondary unit. The only reason why this one's going to be named secondary is because it's already named within the support portal for my assets, and I'm a little OCD when it comes to that. Someone come in here, unless that much time. I am in the Central time zone, and this is actually going to be my secondary unit. Good to go there, apply. I like to set my hostname; that way I can know which device is which. I set my time zone so it makes sense, and we're going to do an active-passive cluster.

Now, I'm doing this within FortiOS 7.0, specifically 7.0.2, and then I'll end up updating it to 7.0.3 as that just recently came out. The purpose of doing this in 7.0, when I don't normally recommend folks going to major releases before .4 is out: I'm the client in the situation. If I get burned by my own stupidity, it is what it is. If a client gets burned by my stupidity, that looks bad. And for the way this device is going to be configured, 7.0 is actually pretty stable.

So, osiso. We want to do session pickup, set my little password here, and our heartbeat interface is going to be our DMZ, which you can see already has the alias. I did a factory reset too on this so it doesn't change the interface names. And then do OK. Now I'm going to come over to the other one, I'm going to log in, go to System Settings, set my name, set my time zone. Your naming convention can be whatever you want it to be; it's strictly based on your use cases and what you need. Now we're going to go over here to HA, I'm going to go active-passive, I'm going to set the priority on this one to a higher number; that way it's the actual primary. The higher the priority when it comes to HA settings, the more preferred that device is. And I did osiso-ha on this one, I think I did, I think I did, we'll find out real quick. Said that, we're seeing them, groovy.

Now as you can see, once the HA cluster was built, I actually lost access to the FortiGates. Why is that? Well, that's because Fortinet does HA on their FortiGate devices at layer two, which means it does it by MAC address. So in typical environments where you have a Cisco device or various other vendors, you end up in situations where device one will own an IP address, usually .2, device two will own an IP address, .3, and then they'll share the .1 address between them, a floating IP if you will. The way Fortinet does it is it's a layer two deployment, so FortiGate one has its physical MAC address, FortiGate two has its physical MAC address, and then they do virtual MACs for the interfaces that are assigned to them. So we lost access to our FortiGates because they created a virtual MAC, which then pulled an IP from the DHCP server, making their other IPs no longer useful. So what I'm going to do is I'm going to log into my home unit, find out what IP they pulled, and then we'll jump back in there and look at them. So they pulled .104. I update it to the new IP, we can log in and check the status, make sure all is jiving. As you can see, both devices are on, they're doing their thing. Go to System > HA: not quite synchronized yet, usually takes a little bit of time, but we can go in and manage the subsidiary unit (I can't talk for anything). I want to check that HA group to make sure. I didn't figure that out, I know I named it. Okay, cool.

That's another thing: if you ever need to manage one of your FortiGates that's within your HA cluster directly, especially if you're doing things like troubleshooting, checking some issues or anything like that, you just do exec ha manage. If you do a question mark it'll tell you the secondary, tertiary, etc. units, and you do that and you type the username you want to log in as, and it'll prompt you for your password. So these guys are in the process of synchronizing. While they're doing that, we're going to take a look at our interfaces. The internal VLAN switch, ports one through five, they're set to the default 192.168.1.99. We are not going to use these interfaces in any way, shape, form or fashion, because we're gonna have FortiSwitches hanging off of them. It just, you know, it's easy peasy, don't need it. So you remember how I said I was going to cable it. I'm going to not have FortiLink split interface because I don't need it for this particular deployment, and we're just going to use these default As and Bs. So I'm going to go and cable these guys up real quick and then you will see them come online, so just give me one second.

Okay, now that they're all cabled up, I'll do a refresh, we'll actually see them start coming online. And in case you couldn't hear me during the actual connection stage: port 23 of switch one is going to port A of FortiGate one, port 24 of switch one is going to port B of FortiGate one, port 22 of each switch is going to one another, that's their inter-switch link; in the future that will be port 25. And then of course 23 and 24 of the secondary switch is going to ports A and B of the secondary FortiGate. Now these guys should be coming online. They're already online, see, they're already running 7.0, and if we look at their topology they show us a stack. Very, very simple, very, very straightforward. I have these guys cabled the way they are because I'm not using any level of MC-LAG. This is a smaller environment that's not going to push a lot of bandwidth, so we don't have to worry about a whole lot of that; it's mostly documentation and various scans. So we have our switches, they're connected, they're jiving, and then of course you come over here, you can see that they're looking pretty good in the fabric itself as well. If we look at our Security Fabric, our physical topology: Fortinet Security Fabric's pretty nice, especially if you do a lot of automation and stitches and things like that with other Fortinet gear.

So we have a general management interface that I've created. This is going to be the VLAN that everything defaults to, all internal stuff, and then we will create VLANs for our customers. So all we really have to do is plug all these guys into our management, because that's going to be our default. We're not going to use the default VLAN. I actually don't recommend using default anything if you can avoid it; you might as well just build your own default, that way you make sure you're following your platform. And of course that VLAN is going to be VLAN 100, and for the sake of this it's going to be, you know, 10.100.250.

The only thing that I really have to configure at this point is my WAN information. Now obviously I cannot do that as it currently sits, because I don't have the static IP information for the device yet. It just is what it is until I get the circuit in line with where it's going; this is pretty much just the best I get. So what I do need to do is create my zones, because as you guys know I love zones. Make sure I don't have anything there, and then we'll do basic setup. Our outside is going to be WAN1 and WAN2. First I need to find out what's actually referencing WAN1. Oh, so I got that. I'm gonna have an inside zone, that's where my management lives. Let me go from there, easy peasy, into our basic policy. I'm gonna do a single policy for inside to out, mainly because this is just so we could stand up our hypervisor and get updates and things like that going. Once we're up and running we will be on our way, we will no longer have to worry about that. So then of course let me create my central NAT, saying if it's coming from the inside and it's going to the outside, for any address to any address, use that. Easy peasy.

And to tell you the truth, guys, that's pretty much it. So basically in 15 or 20 minutes we built an HA cluster, we got some switches on them, and I configured their ports for my management network. This particular firewall cluster is going to use central source NAT and destination NAT, so we'll have a little bit more granularity there. This environment will end up using BGP in the long term with multiple carriers. And that's pretty much how you do it, guys. It's very straightforward. A lot of people look at it like a unicorn or some big heavy hurdle that is going to cause them a lot of heartache, and that's just simply not the case. The pros: you get hardware redundancy, you get failover, you get the ability to do firmware updates at a time other than 2 AM. And then the cons: both devices have to be licensed the same, you have to buy both devices, so there is more upfront cost and there's more recurring cost. But the peace of mind you get knowing that if you lose a WAN port on a FortiGate, or a FortiGate burns up or anything like that, I think it's really worth it, especially if you're running a business where clients rely on you.

So that's the gist of it. If you guys have questions, please do me a favor, post them below: questions, concerns, remarks, anything like that. I love reading the comments; it helps me build a channel and get it more specific. If this is your first time stumbling across my channel, please do me a favor, hit the like button, the subscribe button and the notify bell. Notify bell lets you know when new videos come out, subscribe button just lets you, you know, stay in tune with me and mine, and then of course the like button helps the algorithm or whatever for more people to find the video. So hopefully that answers most of your questions when it comes to HA clusters, especially active-passive ones. We might have a lab where we do an active-active one, but those are more so for, like, in Azure; if I'm deploying it, those are usually in Azure. So, until next time, you guys have a wonderful holiday season and keep churning on that Fortinet fabric. Thanks.
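The video does the cluster build in the GUI; as an added reference (editor's example, not the video's own configuration or Fortinet's documentation), here is the FortiOS 7.0 CLI equivalent of the steps described: active-passive mode, a shared group name and password, the DMZ port repurposed as the heartbeat interface, session pickup, and a higher priority on the unit that should win the primary role. The hostnames, the group name and the password are placeholders; the interface name "dmz" and the active-passive choice follow the video.

```text
# Added example: CLI form of the HA settings walked through in the video.
# Replace the placeholder hostnames and password before use.

# --- On the unit that should become the PRIMARY (higher priority wins) ---
config system global
    set hostname "osiso-ha"            # placeholder; any naming convention works
end
config system ha
    set group-name "osiso-ha"          # must match on both cluster members
    set mode a-p                       # active-passive, as chosen in the video
    set password "CHANGE-ME-PLACEHOLDER"
    set hbdev "dmz" 50                 # 60F has no dedicated HA port; DMZ carries the heartbeat
    set session-pickup enable          # existing sessions survive a failover
    set priority 200                   # higher number = more preferred
end

# --- On the SECONDARY unit: identical apart from hostname and a lower priority ---
config system global
    set hostname "osiso-secondary"     # placeholder
end
config system ha
    set group-name "osiso-ha"
    set mode a-p
    set password "CHANGE-ME-PLACEHOLDER"
    set hbdev "dmz" 50
    set session-pickup enable
    set priority 100
end

# --- Verification once both units are up ---
get system ha status                   # members, roles and sync state
diagnose sys ha checksum cluster       # checksums match when the configs are in sync
execute ha manage ?                    # lists the other members by index
execute ha manage 1 admin              # CLI session on member 1 as user "admin"
```

Two practical notes. First, the access loss the video shows is expected: once the cluster forms, the interfaces use a virtual MAC, so a DHCP-assigned management address changes and you need the new lease (or a static address) to get back in; plan the HA step from the console or during a window where that is acceptable. Second, `execute ha manage` is how you reach the secondary directly for troubleshooting, as the video says; its configuration is synchronized from the primary, so make persistent changes on the primary rather than on the secondary.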
Info
Channel: Fortinet Guru
Views: 1,100
Id: -m_WHSRPiks
Length: 22min 25sec (1345 seconds)
Published: Mon Dec 13 2021