Fortinet: Configuring HA on FortiGate firewalls
Summary
TL;DR: This video tutorial explains how to configure Active-Passive High Availability (HA) on FortiGate firewalls. It covers the purpose of HA, which allows one firewall to take over if the active unit fails, and how both firewalls share identical configurations. The video walks through the steps to configure the firewalls, including upgrading firmware, monitoring interfaces, and setting up heartbeat communication. The tutorial also demonstrates how to test the HA setup by simulating a failure, showing how the passive firewall becomes active, and discusses how to set a specific firewall as the primary. Detailed documentation on HA override is also mentioned.
Takeaways
- Active/Passive HA ensures failover between two FortiGate firewalls in case one fails, ensuring continuous network availability.
- The active firewall handles traffic flow, while the passive firewall takes over when the active one encounters issues like hardware failure or link problems.
- Both firewalls have the same IP addresses configured on their monitored interfaces, with the passive firewall only claiming those IPs when needed.
- Communication between the two firewalls happens through a heartbeat interface, which helps detect failures and trigger failover.
- Firmware versions on both firewalls should match to ensure compatibility; this tutorial covered upgrading to the same version.
- Both firewalls should be fully configured before connecting the heartbeat cable, ensuring they are synchronized in their setup.
- The active firewall is selected based on criteria like failed monitored interfaces or the uptime of the units in the HA cluster.
- In case of equal uptime, the firewall with the lower cluster uptime will become the active unit, which can be managed using CLI commands.
- The configuration of HA can be tested by simulating a failure (e.g., shutting down the primary firewall) to verify the failover process works as expected.
- A manual override option exists if you need to force a specific firewall to always be the master in the HA setup.
- It's crucial to back up configurations before making any changes, and any firmware upgrades should be done during maintenance periods.
Q & A
What is the purpose of configuring HA in an active-passive scenario on FortiGate firewalls?
- The purpose of HA in an active-passive scenario is to ensure continuous traffic flow in case one of the firewalls fails. If the active firewall encounters issues, the passive firewall takes over, maintaining the network's functionality.
How do the active and passive firewalls communicate in an HA configuration?
- The active and passive firewalls communicate via a heartbeat interface. This communication ensures the firewalls can detect if the active firewall is down, and if it is, the passive firewall can take over.
What happens when the active firewall experiences a failure in an HA setup?
- When the active firewall fails, the passive firewall takes over by becoming the active unit. It sends a gratuitous ARP to update the MAC address tables of the connected switches, redirecting traffic through the new active firewall.
What is the significance of the heartbeat interface in the HA configuration?
- The heartbeat interface is crucial because it allows the firewalls to monitor each other's status. If the active firewall cannot communicate with the passive firewall, it indicates a failure, prompting the passive firewall to become active.
How do the firewalls decide which one becomes the active unit in the HA cluster?
- The active unit is selected based on two main conditions: the failure of monitored interfaces and the age of the units in the cluster. The firewall with fewer failed interfaces or a lower uptime will typically become the active unit.
What are the primary interfaces monitored in the HA setup?
- In this HA configuration, Port 1 and Port 3 are monitored on both firewalls. These interfaces are crucial for determining the health and functionality of the firewalls.
How do you configure FortiGate firewalls for HA?
- To configure HA, you need to set the mode to 'active-passive', choose a common group name and password, select the interfaces to monitor (Port 1 and Port 3), and designate the heartbeat interface (Port 2). The configuration should be identical on both firewalls, except for some minor settings like hostnames.
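The steps in the answer above, written out as FortiOS CLI for the interface layout the video uses (Port 1 and Port 3 monitored, Port 2 as heartbeat). This is an added example, not the video's own commands; the hostnames, the group name "HA-LAB", the priority values and the password placeholder are assumptions chosen for illustration.

```fortios
# Apply on BOTH units before the heartbeat cable on port2 is connected.
# Only the hostname differs between the two units.
config system global
    # use "FGT-B" on the second unit
    set hostname "FGT-A"
end

config system ha
    # group name and password must match on both members
    set group-name "HA-LAB"
    set password <shared-ha-password>
    # a-p = Active-Passive
    set mode a-p
    # heartbeat interface and its heartbeat priority
    set hbdev "port2" 50
    # monitored interfaces: a link failure on either one triggers failover
    set monitor "port1" "port3"
    # synchronise sessions so established flows survive the failover
    set session-pickup enable
    # default election: monitored links first, then cluster age/uptime
    set override disable
    set priority 128
end

# Optional, the "HA override" behaviour the video refers to: on the unit you
# want to always be primary, enable override and give it the higher priority.
# override and priority are per-unit settings and are not synchronised.
config system ha
    set override enable
    set priority 200
end

# Verification after connecting the heartbeat cable:
#   get system ha status             -> role (Primary/Secondary), serials, uptime
#   diagnose sys ha checksum cluster -> checksums must match on both members
```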
What is the recommended action before upgrading FortiGate firmware for HA?
- Before upgrading the firmware, it is recommended to back up the configuration of both firewalls and ensure that the firmware versions are compatible. Upgrading should also be done during a maintenance window to avoid disrupting services.
Why is it important to have the same firmware version on both FortiGate units in an HA configuration?
- Having the same firmware version ensures compatibility between the two firewalls, preventing potential issues and ensuring smooth synchronization between the active and passive units.
What happens when you disconnect the active firewall during an HA test?
- When the active firewall is disconnected, the passive firewall takes over, continuing to route traffic without disruption. This is verified by a successful continuous ping from the client to the destination IP, confirming that the passive unit is now active.