FortiGate 60F HA Cluster Build
Summary
TLDR: In this video, Mike from Fortinet Guru walks viewers through the process of setting up an HA (High Availability) cluster with FortiGate devices. He explains the importance of redundancy, failover, and maintaining uptime for businesses. Mike demonstrates the setup of a FortiGate 60F and 124F in an active-passive configuration, emphasizing the simplicity and benefits of HA clusters. He covers key technical aspects like interface configurations, synchronization, and failover mechanisms. Throughout, Mike highlights the pros of HA, such as firmware updates during production, and the peace of mind it provides against hardware failures.
Takeaways
- Redundant hardware ensures uptime and minimizes business disruptions in the event of a firewall failure.
- An HA (High Availability) cluster provides failover capability, ensuring continued operation even if the primary device fails.
- Using HA clusters reduces maintenance window impact, as firmware updates can be applied to the backup unit first, minimizing downtime.
- Mike prefers active-passive configurations for FortiGate devices, as it guarantees full traffic support during failovers without the need for over-provisioning.
- FortiGate devices use a unique approach for HA with MAC address assignment at layer 2, unlike other vendors who rely on IP failover.
- HA clusters help lighten the load during firmware upgrades, allowing these updates to occur during production hours with minimal impact on the network.
- Active-passive configurations are easier to manage and scale, especially in smaller environments or where high throughput isn't critical.
- The FortiGate 60F's powerful chip and the 124F switches used in the setup are more than adequate for most businesses' needs.
- When setting up HA, naming conventions and time zone settings are important for clear identification and management.
- The FortiGate HA cluster setup offers straightforward configuration and cabling, ensuring redundancy through port aggregation and inter-switch links.
Q & A
Why is it necessary to set up a High Availability (HA) cluster with FortiGate devices?
- Setting up an HA cluster with FortiGate devices ensures redundancy, fault tolerance, and high availability of your network security appliances. In the event of a device failure, the secondary unit takes over, minimizing downtime and ensuring continuous service.
What is the difference between an active-passive and an active-active HA configuration?
- In an active-passive configuration, one FortiGate device is active and handles traffic, while the other acts as a backup. In contrast, an active-active configuration has both devices handling traffic simultaneously, offering load balancing and better resource utilization, but it is more complex to manage.
How does an HA cluster improve uptime during maintenance or firmware updates?
- An HA cluster allows the backup unit to take over the traffic during firmware updates or maintenance. The primary device is updated first, and once the update is complete, the backup unit can switch back to become the active unit, reducing downtime and service disruption.
What role does the heartbeat interface play in an HA configuration?
- The heartbeat interface is used to synchronize the FortiGate devices in an HA cluster. It monitors the health of the devices and ensures the devices are in sync, allowing the backup unit to take over if the primary unit fails.
What is a virtual MAC address in an HA cluster, and why is it important?
- A virtual MAC address is assigned to the HA cluster, allowing both devices to appear as a single unit to external networks. It is crucial for seamless failover, as the virtual MAC address ensures that the backup unit can take over traffic without disrupting the network.
What steps are involved in the configuration of the FortiGate HA cluster?
- The configuration steps include resetting both FortiGate devices to factory settings, assigning IP addresses, configuring one device as primary and the other as secondary, setting up the heartbeat interface, and defining the priority of the devices.
Why is it important to assign higher priority to the primary unit in an HA cluster?
- Assigning a higher priority to the primary unit ensures that it remains the active unit in the HA cluster, allowing it to handle traffic while the backup unit stays on standby. The backup unit will only take over if the primary unit fails.
How does the HA cluster handle Layer 2 traffic and why does it use MAC addresses?
- The HA cluster operates at Layer 2, which means it handles Ethernet frames, and the virtual MAC address allows both devices in the cluster to appear as a single entity to external networks. This is essential for seamless traffic forwarding and failover.
What should you do if you lose access to a FortiGate device in an HA cluster after it has synchronized?
- If you lose access, you may need to update the IP address in your DHCP server or access the secondary unit directly using the `execute ha manage` command from the primary device to troubleshoot and manage the cluster.
What is the process for creating zones and setting up policies after configuring an HA cluster?
- Once the HA cluster is set up, zones can be created to segment traffic, and policies are configured to manage traffic flow between these zones. For basic operation, an inside-to-outside policy is commonly created to enable internet access.
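
The configuration steps from the answers above (primary and secondary roles, heartbeat interface, priority, and `execute ha manage`), written out as an added FortiOS CLI example that is not taken from the video. The hostnames, group name and ID, the `dmz` heartbeat port, the `wan1` monitored port and the priority values are assumptions, and values in angle brackets are placeholders.

```fortios
# Added example. Port names and values are assumed; adjust to your cabling.
# ==== Unit 1 (intended primary) ====
config system global
    set hostname "FGT60F-HA-1"          # distinct name per unit for identification
end
config system ha
    set group-name "HA-CLUSTER"         # must match on both units
    set group-id 10                     # the cluster's virtual MAC addresses are derived from the group ID
    set mode a-p                        # active-passive
    set password <shared-ha-secret>     # must match on both units
    set hbdev "dmz" 50                  # heartbeat interface and its heartbeat priority
    set authentication enable           # authenticate heartbeat packets
    set encryption enable               # encrypt heartbeat and sync traffic
    set session-pickup enable           # sync sessions so failover keeps connections
    set monitor "wan1"                  # fail over when this link goes down
    set priority 200                    # higher value is preferred as primary
    set override disable                # default: uptime is compared before priority
end

# ==== Unit 2 (intended secondary) ====
config system global
    set hostname "FGT60F-HA-2"
end
config system ha
    set group-name "HA-CLUSTER"
    set group-id 10
    set mode a-p
    set password <shared-ha-secret>
    set hbdev "dmz" 50
    set authentication enable
    set encryption enable
    set session-pickup enable
    set monitor "wan1"
    set priority 100                    # lower than unit 1
    set override disable
end

# ==== After cabling the heartbeat link, run on the primary ====
get system ha status                    # both members listed, roles as expected
diagnose sys ha checksum cluster        # checksums match when configs are in sync
execute ha manage ?                     # list the index of the other member
execute ha manage <index> <admin-user>  # open a CLI session on the secondary
```

With `override` left disabled, the higher priority decides the primary only when the units' HA uptimes are close, so check the roles in `get system ha status` rather than assuming them from the priority values.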