Fortigate HA Configuration 💭
This article explains HA configuration on Fortinet FortiGate firewalls.
You may have read many articles on HA configuration without finding the exact configuration you want to apply to your FortiGate firewall.
This article gives clear instructions for configuring an HA active-passive cluster. HA uses the FortiGate Clustering Protocol (FGCP).
We are using the following diagram as an example to configure HA in Fortinet.
Before going to the configuration, I want to share some insight into how it works.
High Availability is a FortiGate-specific solution for providing redundancy. When you join your firewalls to a cluster they sync their configurations and function as one device, providing failover and, if needed, load balancing of the traffic. To join FortiGate units to a cluster, the participants must have the same model, firmware, and hardware. Prior to the configuration, it is necessary to connect your devices properly. If your firewall has dedicated HA heartbeat interfaces, use those. If not, you can use any unused interfaces. Power on both devices and they will automatically negotiate and choose the primary and secondary unit. Change the hostname on each unit so we can easily distinguish them.
First, get console access to Firewall-1:
a) Change the hostname.
b) Put the mgmt IP on the firewall.
c) Get on the firewall HA configuration.
d) Connect the cable between Firewall-1 and Firewall-2.
Then get console access to Firewall-2:
a) Change the hostname.
b) Put the mgmt IP on the firewall.
Configuration of Firewall-1
config system global
set hostname Firewall-1
end
config system interface
edit "mgmt"
set vdom "root"
set ip 192.168.107.2 255.255.255.0
set allowaccess ping https
set type physical
set dedicated-to management
set role lan
next
end
config system ha
set group-name "sidtalk"
set mode a-p
set password sidtalk1
set hbdev "portX" 50 "HA1" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set gateway 192.168.107.1
next
end
set override disable
set monitor "wan1"
end
The monitor setting lists the interfaces that the FortiGate will monitor for failure; if a monitored link goes down, the cluster fails over. In this case I put the WAN interface.
Configuration of Firewall-2
config system global
set hostname Firewall-2
end
config system interface
edit "mgmt"
set vdom "root"
set ip 192.168.107.3 255.255.255.0
set allowaccess ping https
set type physical
set dedicated-to management
set role lan
next
end
Device Priority – This setting tells the cluster which device becomes the Master and which becomes the slave. The higher the priority, the higher the probability of becoming master. The default is 128.
Group Name – Use the group name to identify the cluster. The group name must be the same on all cluster units before they can form a cluster.
Session Pickup – If session pickup is not enabled, the FortiGates do not maintain an HA session table and most TCP sessions do not resume after a failover.
FGCP – The FortiGate Clustering Protocol (FGCP) specifies how the FortiGate units in a cluster communicate to keep the cluster operating.
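The post shows the HA stanza only for Firewall-1. For the cluster to form, Firewall-2 needs the same group name, mode, password and heartbeat interfaces, while its HA management gateway entry is entered separately because the dedicated management interface is not synchronized. Below is an added example (not from the original post) of that Firewall-2 stanza, assuming the hostname and mgmt IP were already set as shown above, followed by the two commands I would run to verify the cluster. The `set priority 100` line is my own assumption, added to illustrate the Device Priority setting (lower than Firewall-1's default of 128); `portX` is the page's own placeholder for the second heartbeat port, and the `#` lines are explanatory comments.

```fortios
# Firewall-2: HA settings must match Firewall-1 except the priority,
# which is set lower (assumed value) so Firewall-2 starts as the secondary.
config system ha
    set group-name "sidtalk"
    set mode a-p
    set password sidtalk1
    set hbdev "portX" 50 "HA1" 50
    set session-pickup enable
    set priority 100
    set override disable
    set monitor "wan1"
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.107.1
        next
    end
end

# Verification, run on either unit once the heartbeat cables are connected
get system ha status
diagnose sys ha checksum cluster
```

`get system ha status` should list both units, with Firewall-1 as the primary (master), and report the cluster as in sync; `diagnose sys ha checksum cluster` prints the configuration checksum of each member, and a mismatch means one unit carries settings that did not synchronize (typically a group name, password or hbdev typo). Two settings worth knowing from a defender's side: the heartbeat links carry configuration and session data unprotected by default, and `config system ha` also offers `set authentication enable` and `set encryption enable` for the heartbeat traffic; both must be set identically on Firewall-1 and Firewall-2 or the units will not form a cluster.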
Regards,
Siddharth
HTH
The pleasant morning wake up sounds get far if we don’t conserve birds and trees.