Chapter 6 – High Availability

6-1 High Availability

HA (Active – Passive)

Learning Objectives

  • Configure HA (Active-Passive) between two firewalls
Scenario: In this lab, we have two firewalls. One is the Master (Active) and the other is the Slave (Passive). We configure High Availability between them so that if one of them is shut down, the other becomes the Primary.

 

Figure 6-1: main scenario
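Table 6-1: Devices configuration

| Device          | IP address                                       | Access          |
|-----------------|--------------------------------------------------|-----------------|
| WebTerm1        | 192.168.1.2/24                                   |                 |
| WebTerm2        | 192.168.10.2/24                                  |                 |
| EthernetSwitch1 |                                                  |                 |
| EthernetSwitch2 |                                                  |                 |
| FG-Master       | Port 1: 192.168.1.1/24, Port 5: 192.168.10.1/24  | ICMP-HTTP-HTTPS |
| FG-Slave        | Port 1: 192.168.1.1/24, Port 5: 192.168.10.1/24  | ICMP-HTTP-HTTPS |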

Step 1- CLI Configuration for Master and Slave

FG-Master

FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname FG-Master
FortiGate-VM64-KVM (global) # end

FG-Master # config system interface
FG-Master (interface) # edit port1
FG-Master (port1) # set mode static
FG-Master (port1) # set ip 192.168.1.1/24
FG-Master (port1) # set allowaccess http https ping
FG-Master (port1) # end
FG-Master # config system interface
FG-Master (interface) # edit port5
FG-Master (port5) # set ip 192.168.10.1/24
FG-Master (port5) # set allowaccess http https ping
FG-Master (port5) # end

FG-Slave

FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname FG-Slave
FortiGate-VM64-KVM (global) # end

FG-Slave # config system interface
FG-Slave (interface) # edit port1
FG-Slave (port1) # set mode static
FG-Slave (port1) # set ip 192.168.1.1/24
FG-Slave (port1) # set allowaccess http https ping
FG-Slave (port1) # end
FG-Slave # config system interface
FG-Slave (interface) # edit port5
FG-Slave (port5) # set ip 192.168.10.1/24
FG-Slave (port5) # set allowaccess http https ping
FG-Slave (port5) # end

Step 2

Go to System > HA in the FG-Master

    • Mode: Active-Passive
    • Device Priority: 128 (the unit with the higher priority becomes the master)
    • Group Name: HRT (the group name must be the same on Master and Slave)
    • Password: Set a password (the password must be the same on Master and Slave)
    • Monitor Interface: Port 3
    • Heartbeat Interface: Port 4

Figure 6-2: HA master configuration

Do the same configuration in the FG-Slave but set the Device priority to 50.

Figure 6-3: HA slave configuration
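
The Step 2 settings can also be entered from the CLI, which makes them easy to repeat and review on both units. The block below is an added example, not part of the original lab: the values mirror Step 2, `<shared-ha-password>` is a placeholder, and the heartbeat interface priority of 50 is an assumed value.

```fortios
# Added example: CLI form of the Step 2 GUI settings on FG-Master.
# <shared-ha-password> is a placeholder; use the same value on both units.
config system ha
    set group-name "HRT"
    set mode a-p
    set password <shared-ha-password>
    # Heartbeat interface; the trailing 50 is an assumed heartbeat priority.
    set hbdev "port4" 50
    # Interface whose link state is monitored for failover.
    set monitor "port3"
    # Higher device priority: this unit becomes the master.
    set priority 128
end

# FG-Slave: identical except for the lower device priority.
config system ha
    set group-name "HRT"
    set mode a-p
    set password <shared-ha-password>
    set hbdev "port4" 50
    set monitor "port3"
    set priority 50
end

# On either unit, once the cluster has formed: show member roles and sync state.
get system ha status
```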

Step 3

After configuring the slave device, you will no longer be able to access it. Go to FG-Master > System > HA and evaluate your result.

Figure 6-4: HA status

The two devices will be synchronized after a while.

Figure 6-5: HA Synchronized Status

Step 4

Now, connect the other interfaces as shown in Figure 6-6.

Figure 6-6: main scenario

Stop FG-Master and go to WebTerm1. Can you reach the firewall?

Figure 6-7: Stopping FG-Master

Figure 6-8: Verify connectivity to the firewall

Figure 6-9: Verify firewall role after stopping FG-Master

Step 5

Go to Log & Report > Events > HA Events and download the log. Verify your result.

Figure 6-10: HA Events

 

 
