Fortigate failover configuration

This is a quick post on Fortigate failover configuration:

Primary firewall configuration

CERTVIDEOS-FORTI-PRI-~ (global) # show system ha
config system ha
set group-id 1
set mode a-p
set hbdev "port1" 50 "port2" 50
set session-pickup enable
set override enable
set priority 255
set monitor "port3" "port4"
end

Secondary firewall configuration

CERTVIDEOS-FORTI-SEC-~ (global) # show system ha
config system ha
set group-id 1
set mode a-p
set hbdev "port1" 50 "port2" 50
set session-pickup enable
set priority 127
set override enable
set monitor "port3" "port4"
end

The config system ha command enters the failover (high availability) configuration mode. Use the set group-id command to give the failover group a unique ID. The set mode command selects the kind of failover: active/passive (a-p), where the standby device takes over when the active one fails, or standalone, where each device operates on its own.

Use the set hbdev command to specify the heartbeat interfaces, the ones on which keepalives are exchanged between the cluster members. The set session-pickup enable command prevents active TCP and IPsec VPN sessions from being dropped when a failover occurs. This is similar to stateful failover on a Cisco ASA.

The set priority command identifies the master and slave of a cluster. On Fortigate firewall clusters, the unit with the higher priority (larger value) is the master. In the above configuration, CERTVIDEOS-FORTI-PRI has a priority of 255 while CERTVIDEOS-FORTI-SEC has a priority of 127, so the first one is the master and the latter is the slave.

The set override enable command is required if priority is to be used as a factor in determining the master. If override is disabled, the firewall with the higher uptime is considered the master instead.

The set monitor command, as the name suggests, monitors the state of the listed interfaces. If there is a problem with a monitored interface, a failover occurs.

Once failover is configured, here’s the output:

CERTVIDEOS-FORTI-PRI-~ (global) # get system ha status
Model: 3810
Mode: a-p
Group: 1
Debug: 0
ses_pickup: enable
Master:255 CERTVIDEOS-FORTI-PRI FG3J1A6120611642 0
Slave   :127 CERTVIDEOS-FORTI-SEC FG3J1A6120611693 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG3J1A6120611642
Slave   :1 FG3J1A6120611693
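
The two configurations and the status output above are plain text, so a small audit script can catch the drift that most often breaks an HA pair before it is needed: a group-id, mode, heartbeat or monitored-interface mismatch, override left disabled on one member (uptime then decides the master), or a running master that is not the highest-priority unit. The following Python is an added example and not code from the post or from Fortinet; the sample text is the configuration and status shown above, and the parsing rules and the default-priority constant are assumptions made for that output format only.

```python
"""Consistency checks for a two-member FortiGate HA pair.

Added example, not part of the original post: parses `show system ha` from
both members and `get system ha status` from the master, then flags drift
that would weaken or break failover.  Parsing rules are assumptions based
on the output format shown in the post.
"""
import re
import shlex

# hbdev and monitor take several values; everything else here is single-valued
LIST_KEYS = {"hbdev", "monitor"}
# assumed FortiGate default HA priority, used when `set priority` is absent
DEFAULT_PRIORITY = 128
# member lines of `get system ha status`: role, priority, hostname, serial, index
STATUS_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_ha_config(text):
    """Parse a `config system ha ... end` block into a dict of settings."""
    cfg, inside = {}, False
    for raw in text.splitlines():
        # normalise typographic quotes that copy/paste from the web produces
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if line.startswith("config system ha"):
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("set "):
            key, *values = shlex.split(line[4:])
            if key == "hbdev":  # interface / heartbeat-priority pairs
                cfg[key] = [(values[i], int(values[i + 1])) for i in range(0, len(values), 2)]
            elif key in LIST_KEYS:
                cfg[key] = values
            else:
                cfg[key] = values[0]
    return cfg


def parse_ha_status(text):
    """Return the member lines of `get system ha status` as dicts."""
    members = []
    for raw in text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m:  # the per-vcluster block lacks hostname and priority, so it is skipped
            members.append({"role": m[1], "priority": int(m[2]), "hostname": m[3],
                            "serial": m[4], "index": int(m[5])})
    return members


def check_cluster(configs, status):
    """Return findings (empty list = consistent) for {hostname: parsed config} plus parsed status."""
    findings, names = [], sorted(configs)
    # settings that must be identical on both members for the cluster to form correctly
    for key in ("group-id", "mode", "hbdev", "monitor", "session-pickup"):
        vals = {n: configs[n].get(key) for n in names}
        if len({repr(v) for v in vals.values()}) > 1:
            findings.append(f"{key} differs across members: {vals}")
    # without override, uptime rather than priority picks the master
    for n in names:
        if configs[n].get("override") != "enable":
            findings.append(f"{n}: override disabled, priority will not select the master")
    prios = {n: int(configs[n].get("priority", DEFAULT_PRIORITY)) for n in names}
    if len(set(prios.values())) < len(prios):
        findings.append(f"members share a priority, master election is ambiguous: {prios}")
    expected = max(prios, key=prios.get)
    masters = [m["hostname"] for m in status if m["role"] == "Master"]
    if masters and masters[0] != expected:
        findings.append(f"running master is {masters[0]} but highest priority is {expected}")
    return findings


# Sample input: the configurations and status output shown in the post.
PRIMARY_CONFIG = """CERTVIDEOS-FORTI-PRI-~ (global) # show system ha
config system ha
set group-id 1
set mode a-p
set hbdev "port1" 50 "port2" 50
set session-pickup enable
set override enable
set priority 255
set monitor "port3" "port4"
end
"""
SECONDARY_CONFIG = PRIMARY_CONFIG.replace("PRI", "SEC").replace("priority 255", "priority 127")
HA_STATUS = """Mode: a-p
Master:255 CERTVIDEOS-FORTI-PRI FG3J1A6120611642 0
Slave   :127 CERTVIDEOS-FORTI-SEC FG3J1A6120611693 1
"""


def audit_page_example():
    """Run the checks over the post's pair; returns [] because it is consistent."""
    configs = {"CERTVIDEOS-FORTI-PRI": parse_ha_config(PRIMARY_CONFIG),
               "CERTVIDEOS-FORTI-SEC": parse_ha_config(SECONDARY_CONFIG)}
    return check_cluster(configs, parse_ha_status(HA_STATUS))


if __name__ == "__main__":
    for line in audit_page_example() or ["HA pair is consistent"]:
        print(line)
```

Run it as-is and it reports the pair above as consistent; feed it a copy of the secondary configuration with `set override disable`, or a status output where the lower-priority unit is master, and it prints the corresponding finding. Capturing both `show system ha` outputs on a schedule and diffing the findings is a cheap way to notice HA drift introduced by a one-sided change.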

Tip of the day: From the CLI of one firewall, use execute ha manage <index> (the index shown next to each member in the status output above) to manage the peer.

To learn how to cause a manual failover, go here: www.certvideos.com/failover-fortigate-firewall/
