HA FortiGate Redundant ISP Design and Walk Through

Captions
Hey guys, Mike here from Fortinet Guru. Yesterday we pumped out a video or two about having an active/passive HA FortiGate cluster managing a FortiSwitch or two, and discussed some of the connectivity issues some folks were seeing, which is what made that video come to be. I thought we did an OK job. Pretty much, discussing in the comments, some people posted "can you tell us about using an HA FortiGate cluster with a redundant ISP?" The truth is Fortinet has a pretty decent cookbook on this, though they are moving their cookbooks at the end of June into the Fortinet documentation, which I think is a mistake, because the cookbook was a quick, easy place for people to get good info. I guess I'll have to just make more videos.

Anyways, you have an active/passive FortiGate cluster, drawn in green: FortiGate 1 and FortiGate 2. I'm drawing it like this to display that it is an HA cluster. Then we have ISP1 and ISP2. Now, they're red because they're in front of the secure device, which is our firewall. The fact that they have the same color does not mean that they are the same provider or anything like that; it just has to do with where I have placed them on the drawing. ISP1 we will say is Comcast for this video, just so we have some differences between these, and then ISP2 we will say is AT&T (it's not very flush there). So we have two Internet service providers, we have our FortiGates, and for the sake of this video we're only going to have one FortiSwitch. It helps if I actually write it right: this will be a FortiSwitch, which then goes down to all of our users. That's our network diagram: our two Internet modems or gateway providers (anything from the service provider), our edge firewalls that are in HA, and they connect down to our single FortiSwitch, because for the sake of this video we don't need to try out having a stack or multiple layers or anything down to our users.

So normally, when you configure an HA FortiGate cluster, there's a couple of things you need to do, right? You need to have your HA port, which is the port that connects the two FortiGates. A lot of FortiGates have an actual port labeled HA. Sometimes you have to break an internal port off of the internal hardware switch or whatever and define that as your HA port, and in other situations there's no internal switch, so you just pick a port and use it. So you have to define your HA port, which for the sake of this one would just be "ha". That's how these two guys are connected, that's how they're synchronizing their configurations and things like that. The next thing you have to do is set your cluster name and your cluster password; that's to keep people from erroneously joining other devices to this or being able to sniff the information, etc. I like to use session pickup just to help ease the transition during a failover. And then the most important part of this, after the cluster is built, is monitored ports. That's what's important for this particular video, this scenario, because let's say ISP1 is our primary, just to keep it lined up with the one, so Comcast is our primary Internet. That means we probably have wan1 of each FortiGate plugged in to that modem. Usually Internet service providers have modems that have four ports on them; if you're in a situation where you don't, you can put a dumb switch between there, and when I say that, I mean at least let it be manageable on some level, because the really, really cheap ones sometimes have issues. Then, for the sake of the secondary Internet, we'll cable it up as such: wan2 from each FortiGate going to ISP2. Now, for the sake of this video, we're going to treat it like all traffic goes over ISP1 unless it fails, in which case it goes to ISP2. You can get really, really clever with SD-WAN, health link check monitors, things like that, but for the sake of this video all that jazz is probably not really super important. So wan1 of each FortiGate will use that as our primary Internet link, going to the primary Internet service provider; wan2 going to our secondary link. We're assuming here that both devices have at least two ports on them that can be used for downstream connectivity, and that's basically how you cable it up.

Then, after that, whether it's DHCP or static will determine how we do our routes and everything, but let's assume that this is a business, so each location has a static IP. What we would do here is our default gateway for ISP1: we'll give it an administrative distance of 10 with a priority of 10. Fortinet treats priority the same way Cisco does cost, so just there. And then our secondary ISP we'll give an administrative distance of 10 but maybe a priority of 15. So by default all traffic is going to go out ISP1, and then from there you just configure a link health monitor for ISP1. Basically what that does (a link check, or a health check, or link monitor, or anything like that) is you choose a protocol and you tell it to keep trying to send traffic over that link. If, for instance, you're using ping and you're trying to ping Google or something like that, and it fails for X number of times, you end up in a situation where it'll pull this static route, leaving only ISP2, and traffic fails over accordingly. From a monitored-port standpoint, the ports that you want to monitor are going to be wan1, wan2, and of course your internal. Monitored ports are what the FortiGate monitors from a physical connectivity standpoint to know if one of these devices needs to fail over and the other take priority. For instance, let's say this link is physically taken down and things are not acting too great, and so is this one; maybe it's a cut, or that particular device loses power for some reason. This one then assumes priority and it keeps the same path that's necessary. So, pretty straightforward, other than my rambling, but basically you just cable each FortiGate up and then run through this list, which I'm actually about to run through on the screen for you, and that'll give us a little bit more detail there.

So this is the cookbook that I was discussing. This is not from an HA configuration standpoint; the cabling is what we listed on the whiteboard. This is more so for how to set up that actual health check monitor and things like that, so that you can run through it. According to this diagram (this is for FortiOS 5.6; this works exactly the same in every version of FortiOS 5.6 and newer, and I think it even works this way in 5.4), so basically: primary ISP, secondary ISP, wan1, wan2. For the sake of this video we're going to follow this actual guide. So wan1, wan2; running through, you're doing this thing: primary Internet, secondary Internet. They configure two firewall policies. I personally like to use zones. I create an outside zone that includes both WAN interfaces so that I can just have inside to outside, etc., and I don't have to duplicate my policies. This is where they're creating the policies: policy one for internal to wan1, policy two for internal to wan2. Like I said, inside to outside with zones makes this a lot simpler. The only time I can really think that it's worthwhile to use a separate interface for these is if the links aren't the same as far as speed or quality or cost. Obviously, if your failover link is 4G LTE and you send all of your traffic through it all the time, you're going to end up in a situation where maybe that cost skyrockets. And then they create the redundant routes, which is what I mentioned on the whiteboard: set them with an administrative distance and a priority. As you can see, wan1 has an administrative distance of 10 but a priority of 5, so it's going to get precedence over the failover link that has 10 and 10, but they will both respond to traffic. If your links have the same admin distance and a different priority, they will both respond to traffic, which means you could access the FortiGate from either WAN if necessary.

And then this is where you actually configure the link monitor: config system link-monitor, edit and the name that you want your link monitor to be named. They chose wan1 here because they're monitoring the link on wan1. From there, basically what they're doing is set the name, set the server that they're pinging (in this case they're pinging Google), they're choosing ping as the protocol for testing, the gateway IP is the IP upstream (so if you had a static IP, whatever your default route is, that's what you would use there), set your interval for five, your timeout for one, and your failtime for five, so if it fails five times it yanks the route, and then it has the same recovery time. update-cascade-interface enable and update-static-route enable: basically what this is going to do is pull the static route from the device if the link fails. And then they did the same thing for wan2, because obviously if wan2 is in a coma situation you don't want it being a part of the mix either. From there, whenever you unplug your WAN interface, the pings start failing and your backup plan starts taking precedence, so it's pretty cool. If you actually look at your logs under system events, you'll see that it'll actually update you whenever the route is being removed or re-added and the reason why: so, for instance, "removing the static route because we couldn't ping, so we pulled it," and in protocol ping it's OK because it failed. If you look at the actual route monitor, or routing table, whenever you have both links live and everything's working as it should, you'll see two default routes with one getting precedence because of priority, and whenever you pull one of those it goes from having two routes for your default route to one.

So this cookbook is on Fortinet's cookbook site, specifically discussing, one, that they're moving it, which is trash, but two, it was posted back in February: redundant Internet, basic failover. So hopefully the whiteboard session on how to label it and cable it and some of the things that go into it, as well as a brief overview of Fortinet's actual cookbook document, will help provide the guidance necessary for you to configure your HA FortiGate cluster to have redundant ISP failover. From there, thanks to all the SD-WAN and stuff that's coming down the pipe, you get really, really flexible when it comes to health checks and things like that, to where you can push certain traffic over certain links as long as they meet certain SLAs or quality standards. So if you have any questions, post them below. I'll try to answer them or post a response video to help provide more guidance. Otherwise, you guys have a wonderful Memorial Day. Give me a shout if anything. Thanks.
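The walkthrough above pieces the configuration together verbally: the HA cluster settings, the two default routes separated only by priority, and a link monitor per WAN that withdraws its static route when pings fail. The following FortiOS CLI block is an added example that collects those pieces in one place; it is not the video's or Fortinet's cookbook's own configuration. It assumes the interface names wan1, wan2, internal and ha from the whiteboard, and the IP addresses (203.0.113.0/24 and 198.51.100.0/24 ranges), the ping target 8.8.8.8, the group name and the password placeholder are constructed values to be replaced with your own.

```fortios
# Added example (not the video's configuration). Interface names follow the
# whiteboard; all addresses and the group name/password are placeholders.

# 1. HA: active/passive, heartbeat on the "ha" port, session pickup to smooth
#    failover, and monitored ports so a dead wan1/wan2/internal link on the
#    primary unit triggers a failover to the secondary unit.
config system ha
    set group-name "FGT-HA-EXAMPLE"
    set password "REPLACE-WITH-STRONG-PASSWORD"
    set mode a-p
    set hbdev "ha" 50
    set session-pickup enable
    set monitor "wan1" "wan2" "internal"
end

# 2. Optional: one "outside" zone holding both WANs, so a single inside->outside
#    policy covers either link instead of duplicating policies per interface.
config system zone
    edit "outside"
        set interface "wan1" "wan2"
    next
end

# 3. Two default routes, same administrative distance, different priority.
#    The lower priority value (wan1, 10) is preferred; wan2 (15) is the fallback.
#    Gateway addresses are constructed placeholders.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 15
    next
end

# 4. One link monitor per WAN. Five failed pings (interval 5s, timeout 1s)
#    remove that WAN's static route; five successes re-add it. The gateway IP
#    is the upstream next hop for that link, the server is the ping target.
config system link-monitor
    edit "wan1"
        set srcintf "wan1"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
    next
    edit "wan2"
        set srcintf "wan2"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 198.51.100.1
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
    next
end
```

With both links healthy, the routing table shows two default routes and traffic follows wan1 because of its lower priority value. When the wan1 monitor reaches its failtime, update-static-route removes route 1 and only the wan2 default remains; an event in the system event log records the removal and the later re-add, which is the place to confirm a failover actually happened rather than assuming it from user reports.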
Info
Channel: Fortinet Guru
Views: 8,382
Keywords: whiteboard session, fortinet, fortigate, ha cluster, redundant ISP
Id: tuP3znjLQm4
Length: 14min 31sec (871 seconds)
Published: Mon May 27 2019