In the last two posts, I explained how to register the Fortinet firewall, configure the management IP address, activate the license, upgrade the version & connect it to the internet.
Today we will cover the High Availability (HA) configuration of the Fortinet firewall step by step.
Before the practical implementation, let me first write a short definition of High Availability.
What and Why HA:
- High availability (HA) is used to avoid a single point of failure: if one firewall has an issue, the backup firewall carries the traffic without affecting service.
- HA works in active/active and active/standby (active-passive) deployment models.
- Dedicated HA interfaces are used for state updates & configuration synchronization.
- Both firewalls must be the same model, with the same OS version, type of interfaces, etc.
Note: High availability in Fortinet is the clustering of a minimum of two & a maximum of four firewalls, whereas with other vendors only two firewalls are used in HA.
In our case, we have two FortiGate 101F, with the HA1 & HA2 ports connected on both firewalls.
Physical port connectivity of HA1 & HA2 on both firewalls:
I have accessed the first firewall; you can see both HA1 & HA2 connected (shown in green) in the screenshot below for reference.
By default, the management port IP address of both firewalls is the same (192.168.1.99), so we can access only one firewall at a time; to access both firewalls at the same time, configure different IPs on a port of each firewall.
Now let's configure port-1 as the management port & configure its IP address; I already explained that port configuration in the previous post. Link below for reference:
https://www.readteknology.com/2023/08/how-to-connect-fortigate-firewall-with.html
Connect port-1 of both firewalls & the laptop to a switch so that both firewalls can be accessed at the same time for HA configuration & verification.
The final topology, through the switch, will look like this:
Both firewalls are accessible from the PC.
Let's start the HA configuration.
Before starting the configuration, learn the sequence of primary (master) selection rules in the FortiGate firewall.
Default election: override disabled
- Override disabled mode works like preemption disabled: a unit with a higher priority does not take over from a running primary.
Election sequence: override enabled
- The order of the uptime & priority checks is swapped, so priority is compared before uptime.
Go to System → HA.
Select the mode; here I will choose active-passive.
Primary Firewall HA Setting:
Below are the primary firewall's HA settings. The default device priority is 128, but I changed it to 200.
For the group ID I entered 51, then the group name & set the password.
HA1 & HA2 are the heartbeat interfaces.
Monitor interfaces: none in our case.
The heartbeat interface priority is 0 by default, but I changed it to 50.
Lastly, management interface reservation is optional; I entered my management port-1, and the gateway IP address is the switch's IP address.
Secondary Firewall HA Setting:
Below is the secondary firewall configuration: set the device priority to 100 & use the same group ID, name & password, then click OK.
Wait for one or two minutes, then check the HA status: both firewalls are now synchronized & the primary/secondary selection is also completed.
Finally synchronized
Here the selection is decided on a priority basis, as the monitor interface list is empty (the same on both firewalls) and both units have comparable uptime.
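The election rules described above and the priority-based result on our two 101F units can be modelled in a few lines. The Python below is an added example (it is not from the original post and not Fortinet's code): it ranks cluster units in Fortinet's documented FGCP order (monitored ports, age, priority, serial number with override disabled; monitored ports, priority, age, serial number with override enabled) and renders the `config system ha` CLI equivalent of the GUI settings used on this page. The unit names, serial numbers, uptimes and the `<HA_PASSWORD_PLACEHOLDER>` are constructed; the 300-second uptime margin is the FortiOS default `ha-uptime-diff-margin`; treating override as a cluster-wide flag is a simplification for the example.

```python
# Added example: model of FortiGate (FGCP) primary election plus the CLI
# equivalent of this page's GUI settings. Not Fortinet's code.
# Assumptions: documented rule order (see lead-in); uptime differences
# below UPTIME_MARGIN seconds count as equal; override treated as
# cluster-wide; serials/uptimes/password are constructed placeholders.
from dataclasses import dataclass, field
from functools import cmp_to_key
from typing import Dict, List

UPTIME_MARGIN = 300  # seconds; FortiOS default ha-uptime-diff-margin


@dataclass
class HAUnit:
    name: str
    serial: str                      # constructed, not a real device serial
    priority: int = 128              # FortiOS default device priority
    override: bool = False           # FortiOS default is "override disable"
    uptime: int = 0                  # HA age in seconds (constructed)
    monitor: Dict[str, bool] = field(default_factory=dict)  # iface -> link up?
    hbdev: Dict[str, int] = field(default_factory=dict)     # iface -> hb priority

    def monitored_up(self) -> int:
        """Number of monitored interfaces whose link is up."""
        return sum(1 for up in self.monitor.values() if up)


def elect_primary(units: List[HAUnit]) -> HAUnit:
    """Return the unit the cluster would select as primary."""
    override = any(u.override for u in units)

    def by_age(a: HAUnit, b: HAUnit) -> int:
        diff = a.uptime - b.uptime
        return 0 if abs(diff) < UPTIME_MARGIN else diff

    def by_priority(a: HAUnit, b: HAUnit) -> int:
        return a.priority - b.priority

    # Override enabled swaps the order of the age and priority checks.
    rules = [by_priority, by_age] if override else [by_age, by_priority]

    def compare(a: HAUnit, b: HAUnit) -> int:
        # Monitored-port count is always checked first.
        if a.monitored_up() != b.monitored_up():
            return a.monitored_up() - b.monitored_up()
        for rule in rules:
            result = rule(a, b)
            if result:
                return result
        # Final tie-breaker: the higher serial number wins.
        return (a.serial > b.serial) - (a.serial < b.serial)

    return max(units, key=cmp_to_key(compare))


def render_cli(u: HAUnit, group_id: int, group_name: str) -> str:
    """FortiOS CLI equivalent of the GUI settings used on this page."""
    hb = " ".join(f'"{name}" {prio}' for name, prio in u.hbdev.items())
    lines = [
        "config system ha",
        "    set mode a-p",
        f"    set group-id {group_id}",
        f'    set group-name "{group_name}"',
        "    set password <HA_PASSWORD_PLACEHOLDER>",
        f"    set priority {u.priority}",
        f"    set override {'enable' if u.override else 'disable'}",
        f"    set hbdev {hb}",
    ]
    if u.monitor:
        lines.append("    set monitor " + " ".join(f'"{i}"' for i in u.monitor))
    lines.append("end")
    return "\n".join(lines)


def page_cluster() -> List[HAUnit]:
    """The two 101F units as configured above: no monitor interfaces,
    HA1/HA2 heartbeat priority 50, device priority 200 vs 100."""
    return [
        HAUnit("FW1-primary", "FG101F-CONSTRUCTED-0002", priority=200,
               uptime=600, hbdev={"ha1": 50, "ha2": 50}),
        HAUnit("FW2-secondary", "FG101F-CONSTRUCTED-0001", priority=100,
               uptime=600, hbdev={"ha1": 50, "ha2": 50}),
    ]


def scenarios() -> Dict[str, str]:
    """Which unit becomes primary in situations a practitioner should expect."""
    results = {}
    fw1, fw2 = page_cluster()  # equal age, so priority decides
    results["page: equal age, priority 200 vs 100"] = elect_primary([fw1, fw2]).name

    fw1, fw2 = page_cluster()  # FW2 up an hour longer; no pre-emption
    fw2.uptime += 3600
    results["override disabled, FW2 older"] = elect_primary([fw1, fw2]).name

    fw1, fw2 = page_cluster()  # same ages, but priority now checked first
    fw2.uptime += 3600
    fw1.override = fw2.override = True
    results["override enabled, FW2 older"] = elect_primary([fw1, fw2]).name

    fw1, fw2 = page_cluster()  # monitored port down on the primary
    fw1.monitor = {"port2": False}
    fw2.monitor = {"port2": True}
    results["FW1 monitored port down"] = elect_primary([fw1, fw2]).name
    return results


if __name__ == "__main__":
    for name, winner in scenarios().items():
        print(f"{name}: {winner}")
    print(render_cli(page_cluster()[0], 51, "HA-LAB"))
```

The second scenario is the one that surprises people in production: with the default override disabled, a replaced or rebooted primary with the higher priority does not take the cluster back, which is deliberate so that a failover does not cause a second interruption. After applying the settings on the real units, `get system ha status` on the cluster shows which rule decided the election.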
Above is the practical implementation of High Availability on FortiGate 101F firewalls. If you have any interesting points regarding HA, please share them with us in the comments.
Interview Questions:
- What is High Availability (HA) in firewalls?
- What are the minimum & maximum numbers of firewalls in a FortiGate HA cluster?
- How is the primary (master) elected in FortiGate?
- How many deployment modes of HA configuration are there in firewalls?
- If both HA ports are down, what happens to the firewalls?