Celal

High Availability on Fortigate Firewall

Today's topic is how to make a standalone Fortinet firewall redundant. Can it be done without any interruption? Our simple topology is below; I built it in EVE-NG.


I can ping the Internet on Win-Client

Preliminary checks:

  • Ensure both FortiGate devices are running the same firmware version.

  • Verify that both devices have similar hardware configurations.

  • Ensure both devices have the same VDOM configuration (if VDOMs are enabled).


All of the firewall configuration lives on Fortinet-2; Fortinet-1 has no configuration at all. Apart from the HA settings themselves, which have to be entered on each unit, nothing is configured on Fortinet-1: once it joins the cluster it receives Fortinet-2's configuration through HA synchronization. The existing configuration on Fortinet-2 is as follows:




I will prepare the HA configuration on Fortinet-1 and Fortinet-2 as shown below. The device priority is a per-unit setting that the cluster does not synchronize; I leave it at its default on the secondary (Fortinet-1) and give Fortinet-2 the higher value.


Note: each FortiGate unit in the HA cluster has a device priority between 0 and 255 (default 128), where a higher number means a higher priority. The unit with the highest priority becomes the primary unit (the one handling traffic and performing active tasks), but only if it wins the election. With override disabled, which is the default, the cluster compares the number of connected monitored interfaces first, then uptime (age), then priority, then serial number, so a unit that has been up longer can remain primary despite a lower priority. Enable override if the higher-priority unit should always reclaim the primary role when it comes back.
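The two HA configurations are only shown on the original page as screenshots. What follows is an added example of the equivalent CLI, not the author's own configuration: the group name, the password placeholder, port3 as a dedicated heartbeat link and the priority value 200 are assumptions, and the monitored interfaces, session pickup and heartbeat authentication/encryption are settings a practitioner would normally want that the page does not mention. Because the heartbeat link carries the whole configuration sync, including local certificates (the CERT_LOCAL entries in the console log below), it should be a directly connected, dedicated link, and the heartbeat should be authenticated and encrypted.

```fortios
# Fortinet-2 (intended primary). Group name, password, heartbeat port and
# priority are assumptions; change them to match your topology.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    # Shared secret that authenticates cluster members; must match on both units.
    set password "ReplaceWithAStrongSharedSecret"
    # Dedicated heartbeat interface and its heartbeat priority (assumed port3).
    set hbdev "port3" 50
    # Higher than the default 128 on Fortinet-1, so this unit wins the election.
    set priority 200
    # Always let the higher-priority unit reclaim the primary role.
    set override enable
    # Synchronize sessions so established TCP connections survive a failover.
    set session-pickup enable
    # Fail over when the WAN or LAN link goes down, not only when the unit dies.
    set monitor "port1" "port2"
    # Authenticate and encrypt heartbeat messages on the sync link.
    set authentication enable
    set encryption enable
end

# Fortinet-1 (secondary). Only the per-unit settings are entered here; the rest
# of the HA configuration and the firewall configuration are synchronized from
# Fortinet-2 once the cluster forms. Priority stays at the default of 128.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ReplaceWithAStrongSharedSecret"
    set hbdev "port3" 50
    set override enable
    set authentication enable
    set encryption enable
end
```

If another cluster shares the same layer-2 segment, also set a distinct `group-id` on both units, since the cluster's virtual MAC addresses are derived from it.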

After that, the cluster looks as below, and we saw no interruption on the Win-Client while doing this.


The following messages appear on the console:

login: secondary's external files are not in sync with the pri)
secondary's external files are not in sync with the primary's, sequence:1. (typ)
secondary's external files are not in sync with the primary's, sequence:2. (typ)
secondary's external files are not in sync with the primary's, sequence:3. (type CERT_LOCAL)
secondary's external files are not in sync with the primary's, sequence:4. (type CERT_LOCAL)
secondary succeeded to sync external files with primary
secondary's configuration is not in sync with the primary's, sequence:0
secondary's configuration is not in sync with the primary's, sequence:1
secondary's configuration is not in sync with the primary's, sequence:2
secondary's configuration is not in sync with the primary's, sequence:3
secondary's configuration is not in sync with the primary's, sequence:4
secondary starts to sync with primary
logout all admin users


Both devices are synced.

HA-Test

Now I will check whether the configuration on Fortinet-1 is in sync.


# show firewall policy | grep -f port1
config firewall policy
    edit 1
        set name "Internet-Allow"
        set uuid b6a03f12-58a4-51ef-1329-96976991fafe
        set srcintf "port2"
        set dstintf "port1" <---
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "PING"
        set logtraffic all
        set nat enable
    next
end


The policy is synchronized. To test the cluster's redundancy, I will shut down the primary firewall (Fortinet-2) and watch the traffic fail over to the secondary firewall.
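Grepping one policy on the secondary shows that this policy arrived, but not that the whole configuration matches. The commands below are an added example, not from the original page, of how a practitioner would confirm the sync state and run a controlled failover from the CLI instead of powering the unit off; the member index 1 and the admin username are assumptions taken from a two-unit cluster where Fortinet-2 is the primary.

```fortios
# Run on the primary (Fortinet-2) after the "secondary starts to sync" message.

# Cluster members, their roles, uptime and the heartbeat links each unit sees.
get system ha status

# Per-unit configuration checksums; the secondary is in sync only when every
# checksum matches the primary's.
diagnose sys ha checksum cluster

# Open a console session on the secondary over the heartbeat link and check
# the policy there. The member index comes from "execute ha manage ?".
execute ha manage 1 admin
show firewall policy | grep -f Internet-Allow
exit

# Controlled failover: force the primary to hand over while a continuous ping
# runs on the Win-Client, confirm the roles swapped, then release the forced
# state so the election runs normally again. Check "execute ha failover ?"
# for the exact syntax on your FortiOS release.
execute ha failover set 1
get system ha status
execute ha failover unset 1
```

Run the checksum command again after any change on the primary; a persistent mismatch on one unit usually means a per-unit setting or an unsynchronized object differs, not that HA is broken.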

The failover is captured in the following video:





We lost only one ping while traffic failed over to the secondary firewall. Can we call that no interruption? In my opinion, it is great. Note that a single lost ICMP echo says nothing about established connections: unless session pickup is enabled in the HA configuration, sessions are not synchronized to the secondary and existing TCP connections have to be re-established after a failover.



Thanks for Reading.


Resources: Fortinet HA



