High Availability on Fortigate Firewall
"Today's topic is how to make a standalone Fortinet firewall redundant. Can I do it without any interruption? Our simple topology is below. I created the topology with Eve-Ng.
I can ping the Internet on Win-Client
Preliminary Checks:
Ensure both FortiGate devices are running the same firmware version.
Verify that both devices have similar hardware configurations.
Ensure both devices have the same VDOM configuration (if VDOMs are enabled).
All config is on Fortinet-2 Fw. There is no configuration on Fortinet-1. We will configure the HA-configuration on Fortinet-2. We will do nothing on Fortinet-1. The available configuration on Fortinet-2 is as follows:
I will prepare the configuration of HA on Fortinet-1 and Fortinet-2 as shown below. We can't change the priority on the secondary firewall.
Note: Each FortiGate unit in the HA cluster can be assigned a priority value. The priority value is a number between 0 and 255, where a higher number means a higher priority. The device with the highest priority number becomes the primary unit (the one handling traffic and performing active tasks).
After that. it seems as below and we haven't seen any interruption on win client while doing this operation.
The following logs appear on the console;
login: secondary's external files are not in sync with the pri)
secondary's external files are not in sync with the primary's, sequence:1. (typ)
secondary's external files are not in sync with the primary's, sequence:2. (typ)
secondary's external files are not in sync with the primary's, sequence:3. (type CERT_LOCAL)
secondary's external files are not in sync with the primary's, sequence:4. (type CERT_LOCAL)
secondary succeeded to sync external files with primary
secondary's configuration is not in sync with the primary's, sequence:0
secondary's configuration is not in sync with the primary's, sequence:1
secondary's configuration is not in sync with the primary's, sequence:2
secondary's configuration is not in sync with the primary's, sequence:3
secondary's configuration is not in sync with the primary's, sequence:4
secondary starts to sync with primary
logout all admin users
Both devices are synced.
Now I will check the configuration on Fortinet-1 whether is syn or not.
# show firewall policy | grep -f port1
config firewall policy
edit 1
set name "Internet-Allow"
set uuid b6a03f12-58a4-51ef-1329-96976991fafe
set srcintf "port2"
set dstintf "port1" <---
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "HTTP" "HTTPS" "DNS" "PING"
set logtraffic all
set nat enable
next
end
I saw the policy is synchronized. To test the system's redundancy, I will shut the primary firewall and wait for the traffic back to the secondary firewall. Our primary firewall is Fortinet-2.
You can see the following video;
We lost only one ping while backing into the secondary firewall. Would we say it is no interruption? In my opinion, it is great.
Thanks for Reading.
Resources: Fortinet HA
Comments