Thursday, December 31, 2020

Fortigate HA Configuration

This article describes the HA configuration on Fortinet FortiGate firewalls.

Many articles cover HA, but few show the exact configuration you need to apply on your FortiGate.

This article gives clear instructions for an HA active-passive cluster. HA uses FGCP (the FortiGate Clustering Protocol).

We are using the following diagram as an example to configure HA in Fortinet.


Before going to the configuration, here is a short overview of how it works.

High Availability is a FortiGate-specific solution for providing redundancy. When you join your firewalls to a cluster they sync their configurations and function as one device, providing failover and, if needed, load balancing of the traffic. To join FortiGate units to a cluster, the participants must have the same model, firmware, and hardware. Prior to the configuration, it is necessary to connect the devices properly. If your firewall has dedicated HA heartbeat interfaces, use those; if not, you can use any unused interfaces. Power on both devices and they will automatically negotiate and choose the primary and secondary unit. Change the hostnames so that the units can be distinguished easily.


First, get console access to Firewall-1:

a) Change the hostname.

b) Put the mgmt IP on the firewall.

c) Configure HA on the firewall.

d) Connect the cable between Firewall-1 and Firewall-2.


Then get console access to Firewall-2:

a) Change the hostname.

b) Put the mgmt IP on the firewall.


Configuration Firewall-1

config system global
    set hostname Firewall-1
end

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 192.168.107.2 255.255.255.0
        set allowaccess ping https
        set type physical
        set dedicated-to management
        set role lan
    next
end

config system ha
    set group-name "sidtalk"
    set mode a-p
    set password sidtalk1
    set hbdev "portX" 50 "HA1" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.107.1
        next
    end
    set override disable
    set monitor "wan1"
end

"set monitor" lists the interfaces the FortiGate monitors for link failure; in this case the WAN interface. "portX" in "set hbdev" stands for the heartbeat port on your model. The password is typed in clear text here; "ENC" followed by a hash is only how the running configuration displays it.


Configuration Firewall-2

config system global
    set hostname Firewall-2
end

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 192.168.107.3 255.255.255.0
        set allowaccess ping https
        set type physical
        set dedicated-to management
        set role lan
    next
end



Device Priority – This setting tells the cluster which device will be the master and which will be the slave. The higher the priority, the higher the probability of becoming master. The default is 128.


Group Name – Use the group name to identify the cluster. The group name must be the same on all cluster units before they can form a cluster.


Session Pickup – If Enable Session Pick-up is not selected, the FortiGates do not maintain an HA session table and most TCP sessions do not resume after a failover.


FGCP – The FortiGate Clustering Protocol specifies how the FortiGate units in a cluster communicate to keep the cluster operating.
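As an added example (not from this post or from Fortinet), the small Python checker below parses FortiOS-style CLI blocks from both units and reports the mismatches that would stop them forming the cluster described above. The sample configs are constructed, and the list of "system ha" settings that must agree is this checker's own assumption.

```python
import ipaddress
import shlex

# Constructed sample shaped like the Firewall-1 config above (not the page's text);
# Firewall-2 is derived from it, since its HA block must mirror the primary's.
FW1 = """config system global
    set hostname Firewall-1
end
config system interface
    edit "mgmt"
        set ip 192.168.107.2 255.255.255.0
    next
end
config system ha
    set group-name "sidtalk"
    set mode a-p
    set password sidtalk1
    set hbdev "portX" 50 "HA1" 50
end"""
FW2 = FW1.replace("Firewall-1", "Firewall-2").replace("192.168.107.2", "192.168.107.3")

def parse_fortios(text):
    """Flatten FortiOS CLI text into {"system ha/group-name": ["sidtalk"], ...}."""
    stack, out = [], {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            out["/".join(stack + [tok[1]])] = tok[2:]
    return out

def ha_cluster_check(cfg_a, cfg_b):
    """Return the reasons the two units would not form (or be unsafe as) an A-P cluster."""
    a, b = parse_fortios(cfg_a), parse_fortios(cfg_b)
    problems = []
    # Assumption: these system ha settings must agree for FGCP to form the cluster.
    for key in ("group-name", "mode", "password", "hbdev"):
        if a.get(f"system ha/{key}") != b.get(f"system ha/{key}"):
            problems.append(f"system ha {key} differs between the units")
    if a.get("system global/hostname") == b.get("system global/hostname"):
        problems.append("hostnames are identical; change one so the units can be told apart")
    mgmt = [ipaddress.ip_interface("/".join(x["system interface/mgmt/ip"])) for x in (a, b)]
    if mgmt[0].ip == mgmt[1].ip or mgmt[0].network != mgmt[1].network:
        problems.append("HA mgmt IPs must be distinct addresses in the same subnet")
    return problems
```

Running `ha_cluster_check(FW1, FW2)` returns an empty list; a mistyped password on the second unit or two units still carrying the factory hostname shows up as a finding before the heartbeat cable is connected.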


Regards,

Siddharth

HTH

The pleasant morning wake-up sounds get far if we don't conserve birds and trees.

Wednesday, December 30, 2020

Fortinet Torrent Block - URL Filter

This article explains how to allow or block access to a website using the URL filter feature.

A URL can be defined in three ways:

1) Simple: matches the URL text exactly as entered.

2) Wildcard: a simple URL extended with one or more wildcards, so that a single entry covers many URLs.

3) Regular Expression: matches URLs against a pattern.


Configuring a URL filter:

1) Go to Security Profiles -> Web Filter.

2) Select a web filter to edit.

3) Under Static URL Filter, enable URL Filter and select Create New.

4) Enter the URL without the "http://", for example: www.XYZ*.com

5) Select a Type: Simple, Regular Expression, or Wildcard. In this example, select Wildcard.

6) Select the Action to take against matching URLs: Exempt, Block, Allow, or Monitor.

7) Select Enable.

8) Select OK.






The Image which I have used to demonstrate the URL filter show's example for facebook.com. Below I have shared the config to block the torrent via CLI. 




The syntax in the CLI for configuring an entry is:

#config webfilter urlfilter

edit <ID>

config entries

edit 1

set url <url>

set referrer-host <url>

set type {simple | regex | wildcard}

set action {block | allow | monitor | exempt}

set status {enable | disable}

end

end

end


The example below shows how to block torrent sites via the URL filter:

# config webfilter urlfilter
(urlfilter) # show
config webfilter urlfilter
    edit 1
        set name "default"
        config entries
            edit 4
                set url "*torrent*"
                set type wildcard
                set action block
            next
            edit 2
                set url "*torrents*"
                set type wildcard
                set action block
            next
        end
    next
end

NOTE: SSL/SSH deep (full) inspection must be enabled in the policy for the static URL filter to work, because without it the URL inside encrypted traffic is not visible to the firewall.
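As an added example (not from this post or from Fortinet), the Python model below evaluates URLs against a static URL filter list with the three entry types and shows why the note above matters: without deep inspection only the host name of an HTTPS request is visible, so a path-based match never fires. The entry list is constructed (the page's two torrent entries plus three made-up ones), and the matching rules and top-down order are this model's assumptions about FortiOS behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed entry list, evaluated top-down (an assumption): the page's two
# torrent entries plus made-up ones covering the wildcard, simple and regex types.
ENTRIES = [
    {"url": "*torrent*", "type": "wildcard", "action": "block"},
    {"url": "*torrents*", "type": "wildcard", "action": "block"},
    {"url": "www.example.com/downloads/*", "type": "wildcard", "action": "block"},
    {"url": "www.example.com", "type": "simple", "action": "allow"},
    {"url": r"^tracker\d*\.", "type": "regex", "action": "monitor"},
]

def entry_matches(entry, seen_url):
    """Approximate the three FortiOS match types (a model, not Fortinet's code)."""
    pattern, target = entry["url"].lower(), seen_url.lower()
    if entry["type"] == "simple":       # the URL as entered, optionally with a sub-path
        return target == pattern or target.startswith(pattern.rstrip("/") + "/")
    if entry["type"] == "wildcard":     # '*' stands for any run of characters
        return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), target) is not None
    return re.search(pattern, target) is not None   # regex: match anywhere in the URL

def visible_url(full_url, deep_inspection):
    """What the URL filter can see: only the host name of an HTTPS request unless
    the policy uses SSL deep inspection, which decrypts and exposes the full URL."""
    p = urlsplit(full_url)
    if p.scheme == "https" and not deep_inspection:
        return p.hostname
    return p.netloc + p.path            # scheme dropped, as entries are typed without it

def filter_decision(full_url, deep_inspection=True):
    """Return (action, entry url) for the first matching entry, else ('no-match', None)."""
    seen = visible_url(full_url, deep_inspection)
    for entry in ENTRIES:
        if entry_matches(entry, seen):
            return entry["action"], entry["url"]
    return "no-match", None
```

The model also shows that the page's second entry is redundant: any URL matching "*torrents*" already matches "*torrent*", which is checked first.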


