Chapter 6. High Availability

6.1 High Availability

Learning Objectives

  • Configure HA (Active-Passive) between two firewalls

Scenario: In this lab, we are going to have two firewalls. One of them is Primary (Active) and the other one is Secondary (Passive). We are going to configure High Availability between these two firewalls, and if we shut down one of them, the other one will become Primary.
Figure 6.1: Main scenario
Table 6.1: Devices configuration

Device           IP address                                          Access
WebTerm1         192.168.1.2/24
WebTerm2         192.168.10.2/24
EthernetSwitch1
EthernetSwitch2
FG-Primary       Port 1: 192.168.1.1/24, Port 5: 192.168.10.1/24    ICMP-HTTP-HTTPS
FG-Secondary     Port 1: 192.168.1.1/24, Port 5: 192.168.10.1/24    ICMP-HTTP-HTTPS

  1. CLI Configuration for Primary and Secondary:

    FG-Primary

    FortiGate-VM64-KVM # config system global
    FortiGate-VM64-KVM (global) # set hostname FG-Primary
    FortiGate-VM64-KVM (global) # end

    FG-Primary # config system interface
    FG-Primary (interface) # edit port1
    FG-Primary (port1) # set mode static
    FG-Primary (port1) # set ip 192.168.1.1/24
    FG-Primary (port1) # set allowaccess http https ping
    FG-Primary (port1) # end
    FG-Primary # config system interface
    FG-Primary (interface) # edit port5
    FG-Primary (port5) # set ip 192.168.10.1/24
    FG-Primary (port5) # set allowaccess http https ping
    FG-Primary (port5) # end

    FG-Secondary

    FortiGate-VM64-KVM # config system global
    FortiGate-VM64-KVM (global) # set hostname FG-Secondary
    FortiGate-VM64-KVM (global) # end

    FG-Secondary # config system interface
    FG-Secondary (interface) # edit port1
    FG-Secondary (port1) # set mode static
    FG-Secondary (port1) # set ip 192.168.1.1/24
    FG-Secondary (port1) # set allowaccess http https ping
    FG-Secondary (port1) # end
    FG-Secondary # config system interface
    FG-Secondary (interface) # edit port5
    FG-Secondary (port5) # set ip 192.168.10.1/24
    FG-Secondary (port5) # set allowaccess http https ping
    FG-Secondary (port5) # end
  2. Go to System > HA in the FG-Primary:
    • Select the Mode: Active-Passive
    • Device Priority: 128 (the device with the higher priority becomes Primary)
    • Group Name: HRT (the group name must be the same on Primary and Secondary)
    • Password: Set a password (the password must be the same on Primary and Secondary)
    • Monitor Interface: Port 3
    • Heartbeat Interface: Port 4
    Figure 6.2: HA primary configuration

    Do the same configuration in the FG-Secondary but set the Device priority to 50.

    Figure 6.3: HA secondary configuration
  3. After the secondary device is configured, you will no longer be able to access it directly. Go to FG-Primary > System > HA and evaluate your result.
    Figure 6.4: HA status

    The two devices will be synchronized after a while.

    Figure 6.5: HA Synchronized status
  4. Now, connect the other interfaces as shown in Figure 6.6.
    Figure 6.6: Main scenario

    Try stopping FG-Primary, then go to WebTerm1. Can you still reach the firewall?

    Figure 6.7: Stopping FG-Primary
    Figure 6.8: Verify connectivity to the firewall
    Figure 6.9: Verify firewall role after stopping FG-Primary
  5. Go to Log & Report > Events > HA Events and download the log. Verify your result.
    Figure 6.10: HA Events
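The same HA settings entered in the GUI in steps 2 and 3 can be applied from the CLI. The transcript below is an added example, not part of the book's own lab text; the password value is a placeholder, and `set session-pickup enable` is an optional setting not used in the lab (it lets established sessions survive the failover tested in step 4). The last two commands verify the cluster the way Figures 6.4 and 6.5 do in the GUI.

```fortios
FG-Primary # config system ha
FG-Primary (ha) # set mode a-p
FG-Primary (ha) # set group-name "HRT"
FG-Primary (ha) # set password <HA-PASSWORD-PLACEHOLDER>
FG-Primary (ha) # set priority 128
FG-Primary (ha) # set hbdev "port4" 50
FG-Primary (ha) # set monitor "port3"
FG-Primary (ha) # set session-pickup enable
FG-Primary (ha) # end

FG-Secondary # config system ha
FG-Secondary (ha) # set mode a-p
FG-Secondary (ha) # set group-name "HRT"
FG-Secondary (ha) # set password <HA-PASSWORD-PLACEHOLDER>
FG-Secondary (ha) # set priority 50
FG-Secondary (ha) # set hbdev "port4" 50
FG-Secondary (ha) # set monitor "port3"
FG-Secondary (ha) # set session-pickup enable
FG-Secondary (ha) # end

FG-Primary # get system ha status
FG-Primary # diagnose sys ha checksum cluster
```

Run the two verification commands again after stopping FG-Primary in step 4: the status output should then list FG-Secondary in the Primary role, matching Figure 6.9.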

License


FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
