Fortinet: Configuring HA on FortiGate firewalls

Captions
In this video we will go over active-passive HA and how to configure it on a FortiGate firewall. Okay, so to start, the purpose of having HA in an active-passive scenario like we're going to be covering here is this: let's say that FortiGate number one, which we'll name our active firewall, and FortiGate two is going to be the passive one. But let's say FortiGate number one, which is processing all of the traffic, has some type of issue. Maybe port1 has an issue, port3 has been disconnected, maybe the firewall has some type of hardware issue or we've unplugged power, something along those lines; there's an issue with FortiGate number one. Well, now we have an alternate path so that FortiGate number two can take over. In that case, as we can see, port1 and port3 on both our active FortiGate and our passive FortiGate have the exact same IP address. Now this is not a problem; this is actually by design, so 99% of the configuration is going to be identical between the firewalls, with the exception of maybe hostnames and things like that. But in this case our active firewall is going to be the one that's actually saying, okay, I own 192.168.56.1 as well as 111.120.

The passive firewall is going to have that configuration in place, but it's not actually going to take action claiming those IP addresses until it needs to. So let's take this scenario: our active firewall is currently handling all the traffic flow, and there is communication between FortiGate one and FortiGate two via what's called a heartbeat interface. So at any point, if FortiGate number one doesn't receive a response from FortiGate number two or vice versa, that firewall will take note of that. So let's say in our case, on FortiGate number one, maybe we've disconnected port1 or port3, or let's say the power has been disconnected or there's a hardware issue with FortiGate one. So we've disconnected power on FortiGate one. FortiGate two realizes that it can't communicate with FortiGate one anymore; it converts from being the passive FortiGate to the active firewall now, and when it claims this active membership, essentially it's going to send a gratuitous ARP so that the connected switches are able to update their MAC address tables, saying that, okay, the MAC address associated with these IPs is accessible now via this port connected to the switch and this port connected to the switch, versus this port connected to the switch and this port connected to the switch. So then at this point, FortiGate number two is going to be claiming these IP addresses, 192.168.56.1 and 111.120, so that traffic flow will also go through FortiGate number two now.

Okay, so let's get into the configuration. So we have FortiGate one, which is this .120 IP address, and then we have FortiGate two, which is the .121 IP address. So let's say that we want this FortiGate to be essentially the master FortiGate with the master configuration, and we want it to be the active unit. So in that case, how do we actually choose which firewall is going to have the configuration replicated over to the other firewall? So that's one question that we need to answer, and then another item that we need to address is the firmware version. So currently this firewall, FortiGate one, has 6.4.2; FortiGate two has 6.4.5. They do both need to be on the same firmware version, so in this case we'll start by just upgrading FortiGate number one. And just a disclaimer: this should always be done during a maintenance period, and before doing anything it's best to just back up the configurations on both of the firewalls, just to make sure that if there's any issue we can always restore. Okay, perfect. So after the upgrade, now they are both on 6.4.5, so now we can begin configuring HA.

So the approach that I like to take is to fully configure both firewalls before connecting the heartbeat cables. So I'll ensure that the heartbeat cable is not actually connected between both firewalls. We'll configure both sides, double-check to make sure that FortiGate number one is very likely going to be chosen as the master or the active unit, and then we'll connect the cables up. Okay, so let's start by going on firewall 1 to System > HA. We'll configure the mode to be Active-Passive. The group name and the password will have to be the same on both FortiGate one, which will be the active, and FortiGate two, which will be the passive. And then we select the interfaces that we want to monitor; in our case it'll be port1 and port3, and then our heartbeat interface will be port2. All right, let's save that. All right, and then we'll do the same on the other firewall. Again, maybe we'll just double-check to make sure that the heartbeat cable is not connected between the two. Same group name and password; we'll monitor port1 and port3, and then the heartbeat interface will be port2.

Perfect. Okay, now as for how a unit is going to be selected to become the primary unit, this is just a very brief overview of how that works; definitely consult the documentation that Fortinet has, because there are a lot more caveats and more things to consider. But generally, think of it like this: focus on the failed monitored interfaces as well as the age. So let's start with failed monitored interfaces. Going back to our topology, let's say we connected the heartbeat cable up, and let's say that port1 on FortiGate one has a link down, port3 has a link up, and then port1 and port3 on FortiGate two have a link up, right? And obviously both of these interfaces on both firewalls are considered monitored interfaces. So the end result in that case would actually be that FortiGate two would end up becoming the active unit, because the first condition that it's looking for is failed monitored interfaces, which FortiGate two has fewer of. Now let's consider another scenario, which is age. So going back to our topology, let's assume port1 and port3 on both firewalls have a link up. Well, in that case, the next item that gets looked at is the age of the unit in the HA cluster. So now let's just look on the CLI for both firewalls as to how we can actually check this number and how we can reset this number. All right, so the command is get sys ha status. So as we can see, on FortiGate 1 we've been up for 20 minutes and 52 seconds, and on FortiGate 2 we've been up for 20 minutes and 19 seconds, so they're both pretty close. There is a command, once the units are connected, to reset this uptime, but let's forget about that for now. Let's just simply reboot FortiGate number two, because we want that number to be lower on FortiGate number two than on FortiGate number one. So I'm just going to go ahead and reboot that, and then we'll check the command in a moment. All right, now after the reboot the cluster uptime is 1 minute and 15 seconds, so at this point we could connect the heartbeat cable between the two. Just a general note, though: try and ensure that there's at least a five-minute difference, just so we don't run into another issue. Again, it's just another caveat with HA; for all the full details definitely look into the docs.

Okay, so I just did a double-check on both firewalls to ensure that port1 and port3 are up on both sides, so then we're not going to be hitting the first condition, which is monitored interfaces; we're going to be focusing on the second condition, which is the age of the HA cluster uptime, which is higher on FortiGate number one. So now I'm proceeding to just connect the heartbeat cable. Okay, and now when we go back to our primary FortiGate, we'll notice that we have visibility to both FortiGates now. One is out of sync, but we might just need to give it a few minutes before they both show as synchronized. But then when we look at FortiGate 2, as expected, we no longer can access this device, and that's because the configuration has been practically entirely mirrored between FortiGate one and FortiGate two. All right, and after just a couple more minutes we can see now that both of the FortiGates are synchronized.

All right, so now that we have HA configured and working on our firewalls, let's test it out. So let's take a look at our configuration: we have 192.168.56.2, which is our client, and let's just send a continuous ping to 4.2.2.2. Okay, so this traffic is going to be flowing through our current primary firewall, which is FortiGate number one. Now let's go to this firewall and let's shut it down, right, so that we can simulate the firewall being unplugged or having some type of hardware issue, for example. Okay, and let's go back to that client. Okay, so we can see the ping is still successful here. But let's also go back into that same IP address, the .120, and as we can see, it looks like we're accessing a different firewall entirely here, which it is. There we go, now we're accessing FortiGate number two. But what's interesting too is that's confirming again that all the configuration is replicated to this firewall, because if you recall from before, this firewall had a different background color, and now it's actually following the green background color like FortiGate number one had. So this kind of just confirms that our HA configuration was able to compensate for an issue on FortiGate firewall number one, and as expected, we only see one firewall that's currently in the HA cluster. Okay, now as another test, I'm going to boot back up FortiGate one. All right, and now after a couple of minutes we can see that FortiGate one is booted back up, but as we notice, FortiGate 2 still remains the primary firewall and the active one in this cluster. So your next question might be, okay, what if we want to hard-code a specific firewall to be the master all the time? If that is something that you'd like to set up, take a look at Fortinet's documentation on HA override and how to enable that. All right, so that covers this tutorial. Thanks for viewing, and we'll see you in the next video.
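The pre-connection checklist and the two primary-election rules the video walks through (fewer failed monitored interfaces wins, then higher cluster age), as an added example that is not part of the video or of FortiOS; the unit names, group name, password and uptimes are constructed, and ties beyond those two rules are left to FortiOS's further criteria rather than modelled.

```python
from dataclasses import dataclass, replace

@dataclass
class FortiGate:
    name: str
    firmware: str          # FortiOS version, must match on both units
    group_name: str        # System > HA group name, must match
    password: str          # HA password, must match
    hbdev: str             # heartbeat interface (port2 in the video)
    monitored: dict        # monitored interface -> True if link is up
    age_seconds: int       # cluster uptime as reported by "get sys ha status"

    def failed_monitored(self) -> int:
        return sum(1 for up in self.monitored.values() if not up)

def preconnect_checks(a: FortiGate, b: FortiGate, min_age_gap: int = 300) -> list:
    """Problems to fix before the heartbeat cable goes in (empty list means go)."""
    problems = []
    if a.firmware != b.firmware:
        problems.append(f"firmware mismatch: {a.firmware} vs {b.firmware}")
    if a.group_name != b.group_name or a.password != b.password:
        problems.append("HA group name/password differ")
    if a.hbdev != b.hbdev or set(a.monitored) != set(b.monitored):
        problems.append("heartbeat or monitored interfaces differ")
    if abs(a.age_seconds - b.age_seconds) < min_age_gap:
        problems.append("age difference under 5 minutes: reboot the intended secondary")
    return problems

def elect_primary(a: FortiGate, b: FortiGate):
    """Rule 1: fewer failed monitored interfaces wins. Rule 2: higher age wins. Else None."""
    fa, fb = a.failed_monitored(), b.failed_monitored()
    if fa != fb:
        return a if fa < fb else b
    if a.age_seconds != b.age_seconds:
        return a if a.age_seconds > b.age_seconds else b
    return None  # tie: FortiOS continues with priority / serial number (see docs)

# Constructed sample matching the video: FGT1 up 20m52s, FGT2 just rebooted (1m15s)
FGT1 = FortiGate("FortiGate-1", "6.4.5", "HA-GROUP", "example-pw", "port2",
                 {"port1": True, "port3": True}, 20 * 60 + 52)
FGT2 = FortiGate("FortiGate-2", "6.4.5", "HA-GROUP", "example-pw", "port2",
                 {"port1": True, "port3": True}, 75)

def demo():
    """Healthy links: FGT1 wins on age. Link-down on FGT1 port1: FGT2 wins on rule 1."""
    healthy = elect_primary(FGT1, FGT2).name
    degraded = replace(FGT1, monitored={"port1": False, "port3": True})
    return healthy, elect_primary(degraded, FGT2).name
```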
Info
Channel: ToThePoint Fortinet
Views: 22,148
Keywords: FortiGate, FortiGate how to, Fortinet how to, FortiGate tutorial, Fortinet tutorial, Security, HA, High Availability, redundancy, failover, active passive, active active
Id: l9fsOXYFWgU
Length: 10min 46sec (646 seconds)
Published: Thu May 05 2022