High Availability (HA) Configuration on FortiGate - FGCP | Lab GNS3 - From Scratch!

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] foreign [Music] foreign [Music] [Music] foreign [Music] foreign [Music] thank you foreign [Music] hey what's up guys how you doing I hope you are all well welcome to this new life for today Sunday August 27 and it's uh 3 30 my time pretty much so we are very late on our schedule we supposed to be live I'm supposed to be live at 2PM no 12 p.m New York time so that's 2 p.m my time but today I had to deal with a bunch of things including me not be able to stream on Facebook but now I'm I think I'm able to do it let me get my headset so I can make sure you have beautiful audio over there so I think everything is good thank you so much for joining and today we're going to do H A or high availability on a 40 gate or using 240 Gates that's what we're gonna do today and um I have my design on my topology next to me so this is what we're going to do and I don't want to start everything from scratch with you guys so what I'm going to do is just explain exactly this apology that I have and how we're going to work on it to make sure that we have high availability on this side here so welcome everybody in the chat Frederick RMG um bedtime in France okay from Ireland it's bedtime in Ireland yeah sorry about that so next time I will be pretty much two hours early so it's supposed to start um at uh 2PM New York time or no I think 12 p.m your time or 2 p.m my time so but thank you for sticking around so today I'm gonna be we can be very quick with this lab here because it won't take much I'm just going to explain exactly what the topology and how we're going to configure ha so this is can I write on the screen here it doesn't seem like it works just a moment I feel like my pen okay my pen was not enabled all right that's why okay I'm enabling my pain now so I can write on the screen for you guys but thank you so much yes it's recorded it's going to be available on the YouTube channel anytime so you can go ahead and find it there later on so if you really really have a sleep you should go sleeping is important thank you so much Frederick um all right so I want to use this topology here and I'm going to explain to you what all of this means so I have a site this is a site it might be a bank it might be a restaurant it might be anything and this site here doesn't want to have a single point of failure if we use a single 40 gate that can be a problem because when that 40 get fails you are pretty much down until you have another Portage afford to get in place so what you can do is use high availability and combine two four tickets together in your topology or in your on your site so what we're going to do here is that we have 240gate the first one I'm going to call it 48p as in primary or you know what let me just change it I want to call it 40 gate one as in the first 40 gauge so the second one I'm going to call it 40 gate 2. so we have one and two that are on this side here and the goal is that those these two are going to work in high availability AP mode or active and passive mode which means that one of them is going to be active every single time and unless that active 40-gate is absent in the network for some reasons maybe the link failed or we have some issues and the device lost power or the device is fried by a thunderstorm for example so if this device is unavailable the second device the 40-git number two is going to take over and it's going to be the primary for the site and the goal is that the user or the end users right here the pc1 and the PC2 will not notice any uh any problem with the network because the traffic can switch back and forth between the two without the the the the end user knowing so it's gonna happen really quickly in the order of milliseconds and the 240 gates are going to be synchronized all the time they're going to have the very same configuration so that the switchover is really seamless so to do that what we're going to do is to make sure this 40 gate is fully configured and it's able to carry the traffic from this network outside as you can can see the router one is actually our router connecting us to the internet to the outside world and it's configured to make sure that nut is happening over here so we configured that in our last lab I showed you how to do it if you don't know how to do it then maybe it's time for you to go join my CCNA course on kbtrends.com so I have a course that's available for you at this I at this address here oh no I don't want that I don't want that okay sorry about that so um this is the the IP I mean the website capitans.com that's where you can find my CCNA course you're going to learn everything you need to know about networking security Cloud on whatever in the CCNA and you'll be good and you will probably or you will definitely get me and understand whatever I'm talking about here so the goal here is to make sure that the the not is happening over here and all the 40 I mean both the 40 gates are using this router one to go outside to the internet and there are each other's backups so the synchronization is happening between the configuration and everything that's that's what we're gonna do it's very critical in many environments I worked for an ISP or MSP here in Denver and we were supporting multiple restaurants with multiple sites across the US so they might have five thousand or ten thousand sites and in those kind of environment for a restaurant with fast food for example you don't want your service to go down anytime so you won't need to be up every day a and some of them are open 24 hours really important for a home network it might not be that important but for a business or critical business use this is a design that you're going to find most of the time it's sometimes even the switch can also be in a in ha mode where you have multiple switch two or even three switches that are redundant being used in a network so that if there is a if one of them fails the service will not be interrupted for a long time so that's what we're going to do today so I'm going to start by showing you what I have I will start by the by the router one here let's go into router one I'm going to show you the the configurations we have in router 1 let me increase the font here I think you can see it well now so if I do show IP in the first brief in router 1 you can see that oh God rather one lost its configuration I thought it was configured but that's fine you can do it really quickly wow okay I reported it but it lost okay no you know what never mind so configure terminal we're going to go in the interface00 which is inside this one here so I'm going to give it the IP address of 192. 168 that 0.1 24 um okay I'm going to do ipnat inside because it's inside and then interface or no shot as well interface gig one zero this is the outside one going to my home network IP address DHCP that is coming from my DHCP server internally and IP not outside um okay and no shots all right so now I need to do the what is it the access list for the nuts I will do IP access list standard I'll call it list and I'm going to permit the network number 192 that once you see it that's 0.0 with the Wild Card mask of 0.0 that 0.255 I think it should be fine okay and then I'm going to exit here and do IP not inside source um Source list interface gigabit one zero overload all right so for this router we are done you know what I didn't do uh I didn't save my configuration last time copy run start this will save my configuration so next time if I reload it it will still be there so from here I should be able to Ping Google without any problem yep I'm pinging outside so um now let's go back to the 40 gate so what we're going to do is that we are going to mainly focus on the forget number one this is where we're going to do all our configuration the 40 get number two is factory reset so it has no configuration whatsoever but with what we're going to do on the 40 get number one we're going to we are going to copy the same config on the number two um directly so let's go ahead and uh open the four to get number one and see what is the IP address we have on there so when I um that's for management so I want to access the GUI so they forget number one has been reset and we do admin without password and I need to create a new password and then repeat the same password I don't know if it went through but I feel like okay it went through all right so um I can find what are what are the IP addresses on this by doing diagnose IP address list this will tell me that I use one uh 10.35.0.199 for the port number one which is the management management Port so I can go in the GUI I'm just gonna open um browser and uh let me bring it over here see hi someone knows if we can get a forget image or gns on dns3 free yes the four to get image is free I explained it in the first lab if you go there you're going to see how you can go and create an account and also download the VM that you can use for gns3 for free so um go on the channel and find that video so this is the IP address for the four gig number one we should be able to have access to it yes we do so I will do admin with my new password and I am inside it's asking me to scan the file system I will do it later so now I can do some basic configuration for this device here and I'm going to call it 40 gate 1. and I will keep the dashboard optimal all right thank you to everybody on Facebook and YouTube uh please don't forget to like the video and also share it um on online that'll be very helpful thank you so much [Music] um yeah and subscribe to the channel if you are not subscribed okay so I am going to dismiss that so I am in the forget number one so what I'm going to do is just some Len and when configuration if I go on the the interface I can see that the port 10 has no configuration the port one is the only one with configuration here so I need to go here and remove the retrieve default get away from server because I don't want it to use this link to go to the internet I wanted to send the traffic to the router that I have here so I'm going to remove that option and I can I can name this port MGMT as in Management Port it's undefined and the dedicated management oh you know what there is an option right here uh and I don't have to add all of this you ask me for a trusted device and so on that's fine all right so I will hit okay that is all for the management Network or the management port and the port that goes outside is the port number 10. I'm going to configure it right now port number 10 goes outside the name is when and the role is also when and I'm going to give you the IP of 192 168 that's 0.2 with the subnet mask of Slash 24 okay and I should be able to Ping it at least and uh that's it I'm going to hit OK so that is for the WAN ports I'm going to also configure the port number two it's going to be our Lan Port going to the switch inside the lane sorry this is Lan port and uh I'm going to give it an IP address manually of 10.0.0.1 with a slash 24 and I should be able to Ping it and I also need to activate the DHCP server on it and uh you record yourself with obs all right um is that the question for me okay all right um no I don't think so okay so we have at the DHCP server enabled here I'm going to hit OK so I have the Lan Port the one port and the Management Port so the port number three and number four are going to be used for heartbeat and what we are doing today is following because I don't always like to bring you uh just the labs I also want to bring you where you can get those labs where you can get the configurations if you ever have to do anything like this in production so everything should be on on the Ford Gates website so I have a link here that I can also put on the chat on both YouTube and uh and Facebook so there's a link there that's going to explain exactly what we're doing today it might be a different version of of how to filter web bro web filter you can do web filter but you will have to you need to have the license for it so I will do it next next time next Sunday I'm going to show you how I will do web filtering so I hope everything is good on this chat here in on Facebook hi Alvin I hope everything is good all right so we have Lan configured we have one configured management is configured so from our device here let's go on pc1 let's see if he has an IP so if I do show IP it probably has no it doesn't have an IP so I will do ipd ICP here I should be able to get an IP from the 48 Dora yes discover offer request acknowledgment I have an IP so I should be able to Ping 10.0.0.1 yes without any problem I should not be able to Ping the internet because I don't have a I don't have a policy allowing me to go out to the internet yet so it's failing now so what I have to do is go on the 4 to get and make sure I can ping the internet let's start on the forget number one don't like this um um I think there is a command configure system timeout something like that oh no configure global um let me just do this in ago it's much easier I mean the go here I just want to go under system administrators or settings yes it should be on the system settings I'm going to increase this to 480. yeah that's what I wanted to do okay so um we are good there and from the 40 gate can we go outside exact ping 8888 probably not because some things are missing if we do gets get route or router info uh writing table all you can see that we don't have a default gateway there's nothing for undefined traffic so what I'm going to do is go ahead under Network I need to set a static route that is going to allow me to go out to the Internet so I will create a new static route uh it should go to the 192 168.01 it goes out port number 10 and that's it I will hit OK so this will give me uh static default route yep we do have it here so from here if I want to Ping Google I should be able to Ping it um yeah this is succeeding so we we have respond so it's definitely going out and if I go on the router number one I can see by doing show IP not translation I can see what are the translations that are created for the router okay let's come back here let's come back here so we can now we need to make sure the pc1 can go out to the internet let's go back in the GUI and create a policy I'm going to create a new firewall policy and create new I am going to call it Lan to when and it's going to in it's going to be incoming from the interface number the report number two outgoing the wine interface The Source I will just grab all at this point but you in production you need to be more specific you need to have IP objects for all your subnets services all right and then that's it I have not enabled and everything so I'll hit OK so this will allow my pc1 to be able to access the internet through the 40 gate so if I come here and I kill it again and I'll restart it's not going through even a single one let's see why sometimes the virtual environment can be a little tricky ipdhcp on the number two I should get an IP okay this one should be 10.3 okay so I can ping 10.0.0.1 I can also pin Google uh ping888 yes it's paying a Google even though it's failing a lot that's just the adventure environment thing but it should be able to pin Google yes see that's my Google all right so um I wasn't talking to it actually so we can ping outside but it's failing a lot we may need to investigate why but all I know is that it's going through this link here if I do and uh if I do some packet capture on this link I'm pretty sure we're going to see those RCMP going through and I can filter just for icmp and yep these are the icmp going out and coming in we actually have even number going out and coming in so we are good there our 40 gate number one is configured and it's able to handle the traffic from the network to going to the outside so now what we have to do is take care of the 40 gate number two we need to make sure the 40 gate number two is ready to be in high availability relationship with the 48 number one but we need to go back in the forget number one and go under uh system and high availability this is where we're going to create our high availability configuration and we have different modes that we can pick from here we have let's see I'm trying to I'm trying to show you the zoom zoomed version of it here so we have the active active mode we have the active passive mode or the Standalone mode we're going to do the active passive mode right here and we can give it the same priority or we can increase the priority on one of the devices that we want to always be the primary and it can override the other device so this one can give it 150 as the priority and then I need to give a name to the cluster I'm trying to create so it's going to be [Music] um just just a random name cluster number one I can have more than one clusters if I if I enable if I do I use Virtual crusters but here I just gonna I'm just gonna use the physical one so it's gonna be cluster number one the password I will change it to password just for some level of security um did you buy these images on 48 no I didn't buy them the images are available on the 40 gate website if you create an account you go there um actually watch one of my previous lives I was presenting you or showing you how I downloaded the images and uh how I put them on the on the 48 I mean on the js3 without any problem okay so cluster number one we have the password set it just says password and I need to I don't need a monitor interface but I need heartbeat interfaces so I'm going to do to add three and four as heartbeat interfaces on this uh topology here and what does that mean that means that our 40 Gates need to be connected to each other using these two ports so we have the port 3 and the port four they go directly from one photo get to the other this is where the 40 gate are going to send information and also sense the presence of each other they're going to use lay to broadcast to make sure that the other is still there and uh why do we use that's the question I have in the earlier earlier in the lab so why do we use two ports I think we may be able to use one I can try that in the lab to see what happens but we use two Port I think for redundancy as well so if one of these links is down the other one should be able to take care of everything without any problem so these are going to be called the heartbeat heartbeat ports so they're going to send layer 2 traffic between the two devices we can even launch a packet capture and I can show you how that works but let's finish with the configuration first so I'm using three and four as heartbeat Port I'm going to give the them fifty percent uh 50 as a priority to both of them so there will be both used and then that's it I will hit OK this is going to start our high availability function on this 48 here and it may also change some of its configurations like the IP might also change that's what I've noticed in my labs we're going to make sure that we go back to the GUI and see if there's any change so if we go back to 40 get number one we don't have any message being sent so far but if we do get system high availability status we can have more detail on how our ha on our ha configuration so this device is selected as the primary because it's the only member and we have these two ports that are configured for heartbeat this is what we get directly from the 40 gate and if I check the IP addresses that I have to see if it changed yes it actually changed this this happens a lot when I do this um I might be explaining it uh for [Music] you know what uh yes I was trying to explain this it's the device is going to renew its IP it's probably due to the fact that um it's um it's going to you know what let's go ahead to the second one first and I'm gonna I can get back to this but every time I do the ha my device changes its DHCP IP it requests a new one from the server for my JTV server so maybe my server has this IP address uh served somewhere uh from recent leases and it sees this and uh always give the 181 to the 48 so that's what happens so make sure that when you do that you still maintain your same IPS you can also go around this by having manual IP set up on that Port but mine is DHCP that's maybe why it's changing so if I go back to the GUI with this one here I'm not able to get to the device anymore I need to use the 181 the new IP so now I can access the device and I am in this is still the 40 gate number one and I can go under system high availability it's going to show me that this is synchronized and it's the only member of this cluster so now let's go to the 40 gate number two I'm going to go and configure forgot number two at least to have GUI access to it or browser access and then we are going to activate High availability so here it's admin without password of course and I'm going to create the new password okay so I am going to find the IP address by doing diagnose IP list it's showing me that 191 is the IP on this interface I'm going to come to my browser and open 191 I am on that 40 gate so this is the second four to get of our topology and I am doing some basic configuration I'm going to call it for to get number two it's going to be the secondary but it can also become a primary if the primary is not available go under ha and make sure it's in active passive mode I'm going to leave the priority the same as before as the the default and I'm also going to call it cluster 1 and we'll change the password to password okay and then I am going to add the heartbeat interfaces notice something um on this here even though 3 and 4 are configured as heartbeat interfaces you don't see the heartbeat showing let me let me zoom in when it comes on it takes some time to check everything and we'll give you the state of our ha cluster and in the link that I put in a chat you can see the documentation about the the cluster we use fgcp or the 40 gate clustering protocol to make this happen the beautiful protocol that also fails over really quickly and on that link you can also see what are the circumstances when you would probably need to failover usually when a link fails when the device is not available when the memory is high on one of the device it can also send some sessions of failover to the other device so this is taking too long um will the video be available later yes it's going to be available on the channel you can find it there to watch it again I'm trying to refresh the ha stats status on this 48 but it's taking longer than usual let's go back to the GUI and see what we find if I come here and I do get a Chase status Yep this is what we should see there in the GUI but um yeah it's just taking forever you know what let's let's go ahead and finish the configuration here so hot beats I'm going I'm going to set the port three and four to be my heartbeat port and I'll give them the same priority of 50 50. and uh oops okay 50 50 and this is it I am going to hit OK and it's going to add this new device to the cluster so let's go back to the GUI and observe the changes if I do get status here you can see that the second device is already added the second device is already added but it's not doing anything specific yet I'm going back so I can have everything in one line so the second device is here and its configuration is showing out of sync so if you look at this the first one is in sync the second one is out of sync and right now it should start syncing the files and the configurations and I think if we go on the 40-gate number two that's when we can have more detail as you can see here it's showing that secondary files are not in sync so which means we are still detecting differences between our files and the files in the primary on this cloud in this cluster so then it will start the synchronization this one still doesn't show me the state of the ha Let me refresh this page again oh this is actually the first one now this will not come up because it will grab the the IP from here all right so this is the the primary that we have you can see that the primary is showing us that the secondary is not synchronized yet it's going to be it may take a while it may take two five minutes but just the time for for them to synchronize everything so we have the secondary that is not synchronized and the primary has been up for 43 minutes and everything so if I refresh here we may see different results Let me refresh now it's still out of sync and if I go in the 40 gate number two here we can confirm that he was able to synchronize external files with the primary and then it should synchronize the config as well and during that process I was logged out I can log back in or I can just wait for it to finish everything so let's go back to the GUI here and refresh still out of sync okay secondary configuration is not in sync with the primary this is very normal during the process of synchronization and we are going to wait for it to finish that process uh thank you so much for watching don't forget to like the video and also share it and if you are not subscribed make sure you subscribe to the channel and uh yeah thank you everybody on YouTube as well as well so send message I mean I meant to say on on Facebook the same message came back again um it's still doing the same thing but uh pretty soon we're going to have uh synchronized configurations between the two devices let's see here and refresh again still out of sync all right not a problem as I said it's maytech maybe up to five minutes before everything is lined up okay it's uh secondary start to sing with primary okay log out all admin users so I am logged out and that's because the synchronization was happening so if you if I go on the four to get number one and do the same thing get system h a status now you can see that it looks no it's still look out of sync okay yeah it starts to config but it's not complete yet so it's still going to give it some moment so this device selected as primary because it uptime is low is larger than pure member so because we have these two devices the one I'm on now is the primary because it was turned on earlier than the other one okay so let's give it some time okay so now the synchronization is complete as you can see we are in seeing on both devices and down here it's showing us that the 40 gate the primary is the 40 gate number one and the secondary is the 40 gate number two so these 240 gate right now have the exact same configuration and they are in ha active passive if I refresh here you can see synchronized synchronized and everything is working fine and also some fun thing that I noticed is that if you look at the Port here the port 3 and the port 4 you can see the little heartbeat showing there it's showing us that these are used as heartbeat for for our ha configuration that is great so what you can we can confirm here is just to make sure that our devices are still connected to the internet this one is failing why is it failing this number two let's see if we can ping Google yes we can ping at least it's failing but uh that's just gns3 messing with me here but it should be able to be consistently going through on the pc1 it shouldn't be failing too let's see oh you know what I can even just test it by pinging the default gateway yes so the default gateway is being pinged without any problem and it's constant I can do the same thing on the PC number two we are pinging the default gateway so this is what I'm going to do here oh I realized that you were not able to see the full screen but yeah so what I'm going to do is go ahead and shut down the 40-git number one and we are going to see if those pings are going to fail because right now the number one is the primary in the cluster I am going to right click and just stop it right away and let's see what happens to the Ping we missed two pings and then we are back online we missed two things here and we are back online and what are we using now we are using the forget number two as the primary let's go in there and check the status of the get system h a status as you can see the primary is now the forget number two it's the only member in the cluster because the only the other one just disappear and even if we go in the GUI here we were able to connect to the the forget number one but if I log in we're going to see that it's going to actually be the number two right now I'm in the four to get number two so that's that's the change we are we just switched over to the other 40 git actually you can come here and add a widget for high availability just do h a and I can add this one here and close this is going to show us the ha status in our Network we are an active passive mode right now we are the primary because the other one is gone and our devices are connected and the opinion the default gateway without any problem and what I can do now is bring the 40 gate number one back online and we're going to see what it does so it's not going to take over directly it's not going to to become the primary because by default the override is disabled which means that when a 40 gate goes down it's it's going to be the primary if it comes back online in the ha again so we don't want to be going back and forth between the two depending on the availability that's why the set override is usually disabled I'm going to enable it here and you're going to see how the footage is going to take over so let's get the 40 get one back online and we're going to to see how it reacts so the number one is booting up so I think it's up admin okay get system h a status okay the the primary is still the 40 gate number two the number one even though it has a higher priority it didn't take over because we don't have the override enabled so what I can do is from here I can configure system ha show this is these are the commands that we have under higher availability configuration even though we have a 150 but we are not the primary I'm going to change this to enable so I'll do set override enable once I do that look at this so h a status once I do that I am now the primary because I took over because I don't want to wait so that's what you can do if you are if you have a preference between two devices and you want one of them to always be the primary you need to do the set override so that it's going to override every time it comes online all right guys that's primarily what I want to show you and it became the primary let's see the state of our pings on these devices here we didn't actually lose anything you know what yeah the pings are still going on pinging the same IP as if nothing happened this is the beauty of fgcp the 40 gate clustering protocol we were able to fail over between our 40 gate without an issue that's all thank you guys for watching if you liked the video don't forget to like it on YouTube and make sure you also subscribe to the channel if you are not and um if you are not following us on YouTube I mean on Facebook uh look up for look for Gabby training on Facebook you're going to see us and follow us there as well if you have any questions you can leave it in a comment I'll watch it later so I go live every Sunday at 2 p.m New York time oh Denver time or 12 p.m New York time I am live and uh thank you for watching I will see you in the next Lab which might be sometime this week or next Monday or next Sunday thank you and take care bye
Info
Channel: KBTrainings
Views: 2,468
Rating: undefined out of 5
Keywords: kbtrainings, kb trainings, kb training, cisco, ccna, ccnp, ccie, networking, security, routing, switching, nas, qnap, vpn, site to site, configuration, fortios, ha, high availability, fgcp
Id: KM9IGjVZbc0
Channel Id: undefined
Length: 46min 23sec (2783 seconds)
Published: Mon Aug 28 2023
Related Videos
Firewall Policies and NAT (Policy vs Central NAT, SNAT, DNAT... ) on FortiGate | GNS3 Lab
KBTrainings
3.1K
How To Create Cisco And Fortinet Devices on GNS3 | Useful Tricks and Simple Lab with FortiGate
KBTrainings
4.5K
Fortinet: Configuring HA on FortiGate firewalls
ToThePoint Fortinet
18K
Site to Site VPN Configuration on FortiGate | Lab GNS3
KBTrainings
4.9K
Google Cloud Platform Full Course | Google Cloud Platform Tutorial | Cloud Computing | Simplilearn
Simplilearn
603K
Fortinet's New NSE Certification Levels, No More NSE# | FGT Web-Filtering Lab | GNS3 #cybersecurity
KBTrainings
5.3K
FortiGate 60F HA Cluster Build
Fortinet Guru
42K
Fortigate Firewall | Fortigate Administration Full Course | 2022
Knowledge Power
35K
How Fortigate SDWAN works
Rakshit Vidyarthi
6.4K
Company Network Design & Implementation Using Cisco Packet Tracer | Enterprise Network Project #6
Gurutech Networking Training
109K
Layer 2 Switching & VLANs | Cisco CCNA 200-301
Keith Barker - The OG of IT
155K
InterVlan routing on Fortigate Firewall | Lecture#5
Doctor Networks
36K
My Experience Taking The Fortinet NSE4 Exam Online | Tips And Study Plan | Q&A
KBTrainings
2.5K
Fortigate HA configuration
TAN Kirivann
22K
Day-12 | How to Configure HA in Fortigate Firewall | Fortigate firewall Full Course
TechNet Guide
8.6K
Fortinet: FortiGate Comprehensive Getting Started Guide
ToThePoint Fortinet
10K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.