How to failover fortigate firewall

Recently I was on a troubleshooting call where the customer was changing some switch configuration, after which he wanted to test traffic through both the primary and the secondary FortiGate firewall. I had to do quite a lot of searching before I figured out how to fail over.

So here's a post to show you how to fail over a FortiGate firewall.

If you’d like to know how to set up failover on Fortigate firewalls, go here: www.certvideos.com/fortigate-failover-configuration/

So here's a sample FortiGate failover configuration:

Primary firewall configuration

CERTVIDEOS-FORTI-PRI-~ (global) # show system ha
config system ha
    set group-id 1
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    set session-pickup enable
    set override enable
    set priority 255
    set monitor "port3" "port4"
end

Secondary firewall configuration

CERTVIDEOS-FORTI-SEC-~ (global) # show system ha
config system ha
    set group-id 1
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    set session-pickup enable
    set priority 127
    set override enable
    set monitor "port3" "port4"
end

Cluster status

CERTVIDEOS-FORTI-PRI-~ (global) # get system ha status
Model: 3810
Mode: a-p
Group: 1
Debug: 0
ses_pickup: enable
Master:255 CERTVIDEOS-FORTI-PRI FG3J1A6120611642 0
Slave   :127 CERTVIDEOS-FORTI-SEC FG3J1A6120611693 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG3J1A6120611642
Slave   :1 FG3J1A6120611693

With the above configuration, CERTVIDEOS-FORTI-PRI is currently the active firewall, because its priority of 255 is higher than the secondary's priority of 127. Note that both units have override enabled, which is what makes the unit with the higher priority win the primary election; without override, a priority change alone would not force a new election.

So, to fail over to the standby firewall, lower the priority on the active unit to a value below the one configured on the standby.

CERTVIDEOS-FORTI-PRI-~ (global) # config system ha
CERTVIDEOS-FORTI-PRI-~ (ha) # set priority 126
CERTVIDEOS-FORTI-PRI-~ (ha) # end

To do this from the GUI, navigate to Config > HA, click the edit icon and change the firewall priority.

Once the priority is changed, the unit with the higher value takes over as the active firewall. Run "get system ha status" again on either unit to confirm that the Master line now shows the other cluster member.
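As an added example (my own script, not part of the original post or of FortiOS), here is a small Python helper that parses the "get system ha status" output above, derives the "set priority" command that hands the active role to the standby, and checks afterwards that a different serial number holds the Master role. The "after" output is a constructed assumption of what the cluster reports once the primary's priority is 126.

```python
import re

# Constructed sample input: the "get system ha status" output quoted in the post, before the change.
STATUS_BEFORE = """\
Model: 3810
Mode: a-p
Group: 1
Debug: 0
ses_pickup: enable
Master:255 CERTVIDEOS-FORTI-PRI FG3J1A6120611642 0
Slave   :127 CERTVIDEOS-FORTI-SEC FG3J1A6120611693 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG3J1A6120611642
Slave   :1 FG3J1A6120611693
"""

# Constructed (assumed) output after "set priority 126" on the primary: the roles swap.
STATUS_AFTER = """\
Model: 3810
Master:127 CERTVIDEOS-FORTI-SEC FG3J1A6120611693 1
Slave   :126 CERTVIDEOS-FORTI-PRI FG3J1A6120611642 0
"""

# Role lines carry five fields: role, priority, hostname, serial, cluster index.
# The two-field "Master:0 <serial>" lines under "vcluster 1" are deliberately skipped.
ROLE_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)

def parse_ha_status(text):
    """Map "master"/"slave" to priority, hostname, serial and cluster index."""
    members = {}
    for role, prio, host, serial, idx in ROLE_RE.findall(text):
        members[role.lower()] = {"priority": int(prio), "hostname": host,
                                 "serial": serial, "index": int(idx)}
    if "master" not in members or "slave" not in members:
        raise ValueError("HA status output does not list both cluster members")
    return members

def failover_commands(text):
    """CLI lines for the active unit that drop its priority just below the standby's.
    Assumes "set override enable" (as in the post), otherwise no new election is forced."""
    standby_priority = parse_ha_status(text)["slave"]["priority"]
    if standby_priority == 0:
        raise ValueError("standby already has priority 0; raise it before failing over")
    return ["config system ha", f"set priority {standby_priority - 1}", "end"]

def failover_occurred(before, after):
    """True when a different serial number holds the master role after the change."""
    return parse_ha_status(before)["master"]["serial"] != parse_ha_status(after)["master"]["serial"]
```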
