Active-Active Lab

The document outlines the configuration of an Active-Active High Availability (HA) setup for FortiGate firewalls, detailing the IP schemas for primary and secondary units, interface configurations, and DHCP settings. It includes steps for setting up the primary and secondary firewalls, enabling HA, and verifying the configuration. Additionally, it describes failover verification procedures and how to manage the cluster's operational status.

Uploaded by deephans325

Active-Active Lab:

FG1 (Primary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
High Availability (HA) 1: Port3 - Layer 2, no IP address
High Availability (HA) 2 Backup: Port4 - Layer 2, no IP address

FG2 (Secondary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
HA1 or Control Link: Port3 - Layer 2, no IP address
HA2 or Control Link Backup: Port4 - Layer 2, no IP address

LAN PC Details
LAN PC1 IP: DHCP
LAN PC2 IP: DHCP
LAN DHCP Range: 192.168.1.1 - 192.168.1.99 /24
LAN PC DNS: 8.8.8.8
Firewall Management IP subnet: 192.168.122.0/24
Internet Gateway IP: 192.168.122.2 /24

HA Details
Mode: Active-Active
Device Priority Master: 100
Device Priority Slave: 50
Group Name: HAG
Heartbeat Ports: Port3 and Port4
Configure Primary Firewall:
Login:
First, console into the primary firewall and find out its IP address so you can log in.

Change Hostname:
Now log in to the MASTER firewall. I recommend changing the hostname first, because it makes the two FortiGate units much easier to tell apart.

Configure Interfaces:
Go to Network > Interfaces, select port1 and click Edit. In Alias type WAN, change the Address Mode to Manual and type the IP/Netmask 192.168.122.100/24. Leave Administrative Access and the rest of the configuration at their defaults and press OK. The session will be disconnected; log in again with the new management IP address, which is also the WAN IP address.
Go to Network > Interfaces, select port2 and click Edit. In Alias type LAN, change the Address Mode to Manual and type the IP/Netmask 192.168.1.100/24. In Administrative Access check only PING, leave the rest of the configuration at its defaults and press OK.

Enable DHCP Server:
To add a DHCP server, go to Network > Interfaces, edit the interface Port2 and select DHCP in the addressing mode. Set the DNS server to 8.8.8.8 and the address range to 192.168.1.1 - 192.168.1.99 as listed in the LAN PC details.

Configure DNS:
Go to Network > DNS, click Specify and enter the primary and secondary DNS servers. In Primary DNS Server, type the IP address of the primary DNS server, 8.8.8.8. Click Apply to save the changes.

Configure Default Route:
To create a default route, go to Network > Static Routes and create a static route towards the ISP. Set Destination to Subnet and leave the destination set to 0.0.0.0/0.0.0.0. Set Gateway to the IP address provided by your ISP, in my case 192.168.122.2, which is the VMware Workstation VMnet8 gateway. Set Interface to the Internet-facing WAN interface. Press OK to save the changes.

LAN to WAN Policy:
To create a new policy, go to Policy & Objects > IPv4 Policy. Give the policy a name that indicates it is for traffic to the Internet; in my case it is Allow-LAN2WAN. Set the Incoming Interface to LAN and the Outgoing Interface to WAN. Set Source, Destination Address, Schedule and Service as required, in this case All. Ensure the Action is set to ACCEPT. Turn on NAT and select Use Outgoing Interface Address.
HA Active-Active Configuration:
Go to System > HA and select the Active-Active mode. Give the MASTER firewall a higher Device Priority than the slave (100). Set a group name and a password for the cluster. Enable Session Pickup so that sessions are synchronized from the master to the backup unit. Check the interface you want to monitor, normally the Internet-facing one. Enable two heartbeat interfaces for a stable HA.

Mode: Select the HA mode for the cluster, or return the cluster to standalone.
Device Priority: Set the device priority; the unit with the highest priority usually becomes the primary unit.
Group Name: Enter a name to identify the cluster. The group name must be the same on all cluster units.
Password: Enter a password to identify the cluster. It must be the same on all cluster units.
Session Pickup: Sessions are picked up by the cluster unit that becomes primary.
Monitor Interfaces: Select to enable or disable monitoring of FortiGate interfaces.
Heartbeat Interfaces: Select to enable or disable HA heartbeat communication on an interface.
Heartbeat Interface Priority: Set the heartbeat interface priority.
Management Interface Reservation: The HA Reserved Management Interface provides direct management access to all cluster units by reserving a management interface as part of the HA configuration.
Verification of Primary:
After the HA configuration is done, go to System > HA. It will show port1 as the monitored port and Port3 and Port4 as the heartbeat interfaces.
Configure Slave Firewall:
After the configuration of the primary firewall is done, we set up the slave machine. Console into the slave firewall, get its IP address and log in.

Change Hostname:
Now log in to the SLAVE firewall. I recommend changing the hostname first, because it makes the two FortiGate units much easier to tell apart.

HA Active-Active Configuration:
Same as on the master: go to System > HA and select the Active-Active mode. Give the SLAVE firewall a lower Device Priority than the master (50). Set the same group name and the same password that were already set on the MASTER firewall. Enable Session Pickup so that sessions are synchronized from the master to the backup unit. Check the interface you want to monitor, normally the Internet-facing one. Enable two heartbeat interfaces for a stable HA.
Verification:
Check the status of the cluster group and make sure the master and slave units are correct. On the primary firewall go to System > HA; you will find the settings of both firewalls here. The HA status page shows both FortiGates in the cluster. It also shows that Primary is the primary (master) and Backup is the backup (slave) FortiGate.
Go to Dashboard > Status; the HA Status dashboard widget also shows the synchronization status.

LAN PCs Configuration:
Right click on both PC1 and PC2 and enable DHCP so that they get an IP address from the LAN interface.
Go to Security Fabric > Physical Topology. If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

Failover Verification:
Start a continuous ping from any LAN PC.

Power off the primary firewall; you will now be logged into the backup FortiGate. You will see a momentary pause in the ping results until traffic diverts to the backup FortiGate, after which the ping traffic continues.

Check the hostname to verify which FortiGate you have logged into. The FortiGate continues to operate in HA mode.
If you restart the primary FortiGate, after a few minutes it should rejoin the cluster and operate as the backup FortiGate. Traffic should not be disrupted when the restarted primary unit rejoins the cluster. If you want the unit with the higher device priority to resume the primary role when it rejoins, enable Override on the primary firewall. Note that with override enabled the rejoin itself triggers a second failover, so expect another brief pause in the ping.
PrimaryFW # config system ha
PrimaryFW (ha) # set override enable
PrimaryFW (ha) # end
Change the hostname of the FortiGate:
config system global
    set hostname PrimaryFW
end

Configure HA on the primary firewall (mode a-a for the Active-Active lab; the cluster password and session pickup from the GUI steps are included here):
config system ha
    set group-id 1
    set group-name "HAG"
    set mode a-a
    # cluster password, must be identical on both units (placeholder value)
    set password <cluster-password>
    # two heartbeat links, port3 preferred over port4
    set hbdev "port3" 200 "port4" 100
    set session-pickup enable
    set override disable
    set priority 100
    set monitor "port1"
end

Configure a policy to allow traffic from LAN to WAN (NAT enabled, as in the GUI step):
config firewall policy
    edit 1
        set name "LAN2WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set logtraffic-start enable
    next
end

Change the hostname of the FortiGate:
config system global
    set hostname SecondaryFW
end

Configure HA on the secondary firewall (same group, password and mode as the primary; lower priority, 50, as in the HA details):
config system ha
    set group-id 1
    set group-name "HAG"
    set mode a-a
    # same cluster password as on the primary (placeholder value)
    set password <cluster-password>
    set hbdev "port3" 200 "port4" 100
    set session-pickup enable
    set override disable
    set priority 50
    set monitor "port1"
end
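The HA steps above stress that group name, password, mode and heartbeat links must match on both units while the device priority must differ. As an added example (not part of the original lab), the script below parses the two `config system ha` blocks and reports any mismatch before the units are joined; the block contents are constructed to follow the lab's CLI and the `check_cluster` helper is my own.

```python
import re

# Constructed HA blocks following the lab's CLI (values assumed to match the lab design).
PRIMARY_HA = """config system ha
    set group-id 1
    set group-name "HAG"
    set mode a-a
    set hbdev "port3" 200 "port4" 100
    set override disable
    set priority 100
    set monitor "port1"
end"""
SECONDARY_HA = PRIMARY_HA.replace("set priority 100", "set priority 50")

def parse_ha_block(text):
    """Parse the 'set <key> <values>' lines of a 'config system ha' block into a dict."""
    settings, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config system ha"):
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r'set\s+(\S+)\s+(.*)$', line)
            if m:
                key, raw = m.groups()
                # tokens may be quoted ("port3") or bare (200); strip the quotes
                settings[key] = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
    return settings

def check_cluster(primary_cfg, secondary_cfg, expected_mode="a-a"):
    """Return a list of findings; an empty list means the pair matches the lab design."""
    p, s = parse_ha_block(primary_cfg), parse_ha_block(secondary_cfg)
    findings = []
    # cluster-wide settings must be identical on every unit
    for key in ("group-id", "group-name", "mode", "hbdev", "monitor"):
        if p.get(key) != s.get(key):
            findings.append(f"{key} differs: primary={p.get(key)} secondary={s.get(key)}")
    for name, cfg in (("primary", p), ("secondary", s)):
        if cfg.get("mode") != [expected_mode]:
            findings.append(f"{name} mode is {cfg.get('mode')}, expected {expected_mode}")
        # hbdev lists interface/priority pairs; the lab wants two heartbeat links
        if len(cfg.get("hbdev", [])) < 4:
            findings.append(f"{name} has fewer than two heartbeat interfaces")
    try:
        if int(p["priority"][0]) <= int(s["priority"][0]):
            findings.append("primary device priority must be higher than secondary")
    except (KeyError, ValueError):
        findings.append("device priority missing or invalid on a unit")
    return findings

if __name__ == "__main__":
    print(check_cluster(PRIMARY_HA, SECONDARY_HA) or "cluster configuration consistent")
```

Feed it the output of `show system ha` from each unit to catch the a-p/a-a mix-up and equal-priority mistakes before joining the cluster.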
