Wednesday, June 22, 2016

Fortigate 60D High Availability Configuration Steps

Fortigate 60D has been used to do HA examples in this post.

The back of Fortigate 60D:


The configuration steps for Fortigate High Availability is the easiest one comparing other firewall vendors. Fortigate cookbook "High Availability with two FortiGates" has presented enough detailed steps for most situations. In this post, it records the steps I just recently did.

Topology:



WAN1 is connecting to External switch then connected to Internet.
LAN port 1 is connecting to Internal switch.

Both DMZ and WAN2 ports are used as HA heartbeat interface. Two regular Ethernet cables are connecting them together as show in the following photo:

 
After device powed on, the front panel looks like below:



Configuration steps:

1. Start with Primary which is running at standalone mode and has configured all interfaces and policy.

1. 1 Change the primary first from standalone to Active-passive mode.
1.2 Set the priority between 1 and 255. Since it is primary, I set it to 250.
1.3 type HAGroup1 as the HA group name and enter a password for this group.
1.4 Choose DMZ and WAN2 as Heartbeat Interfaces.

2. Add new Fortigate 60D as secondary device. 

Since it is new, you will not need to do any configuration. 
2.1 Change the secondary Fortigate 60D from standalone mode to Active-passive mode.
2.2 Set the priority between 1 and 255. Since it is secondary, I set it to 50.
2.3 type HAGroup1 as the HA group name and enter a password for this group.
2.4 Choose DMZ and WAN2 as Heartbeat Interfaces.

3. Verify

After the configuration completed, you should be able to see both Fortigate 60D in the list. One is master and another is slave.

All configuration will be synchronised from Primary to Secondary through Heartbeat interfaces. 



Notes: To make both devices HA configuration running well, you will need to make sure following requirements met;
  • Same hardware
  • Same FortiOS version
  • License for some special features
  • LAN Switch mode (Switch / Interface)


Manual Failover Test Command:
diagnose sys ha reset-uptime
Upgrade Procedures:
To upgrade the firmware without interrupting communication through the cluster, the cluster goes through a series of steps that involve first upgrading the firmware running on the subordinate units, then making one of the subordinate units the primary unit, and finally upgrading the firmware on the former primary unit. These steps are transparent to the user and the network, but depending upon your HA configuration may result in the cluster selecting a new primary unit.
From the FortiGate web‑based manager go to System > Dashboard > Status. In the System Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI enter get system status).


Reference:






No comments:

Post a Comment