© FORTINET
Lab 7: High Availability (HA)
In this lab, you will set up a FortiGate Clustering Protocol (FGCP) high availability (HA) cluster of FortiGate
devices. You will explore active-active HA mode and observe FortiGate HA behavior. You will also perform an HA
failover and use diagnostic commands to observe the election of a new primary in the cluster.
Finally, you will configure management port(s) on each FortiGate to reach each FortiGate individually for
management purposes.
Objectives
- Set up an HA cluster using FortiGate devices.
- Observe HA synchronization and interpret diagnostic output.
- Perform an HA failover.
- Manage individual cluster members by configuring a reserved management interface.
Time to Complete
Estimated: 45 minutes
Lab HA Topology
After you upload the required configurations to each FortiGate, the logical topology will change to the following:
Prerequisites
Before beginning this lab, you must restore a configuration file to each FortiGate.
Use the procedure that follows to restore the correct configuration to each FortiGate.
Failure to restore the correct configuration to each FortiGate will prevent you from
doing the lab exercise.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > HA > remote-ha.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.
FortiGate High Availability (HA) uses the FortiGate Clustering Protocol (FGCP), which uses a heartbeat link for
HA-related communications to discover other FortiGate devices in the same HA group, elect a primary device,
synchronize configuration, and detect failed devices in an HA cluster.
In this exercise, you will configure HA settings on both FortiGate devices. You will observe the HA synchronization
status and verify that the configuration is in sync on both FortiGate devices using the diagnose commands.
Now, you will configure HA-related settings using the Local-FortiGate GUI.
Field      Value
Mode       Active-Active
Password   Fortinet
3. Click OK.
Now, you will configure HA-related settings on Remote-FortiGate using the console.
config system ha
set group-name Training
set mode a-a
set password Fortinet
set hbdev port2 0
set session-pickup enable
set override disable
set priority 100
end
Now that you have configured HA on both FortiGate devices, you will verify that HA has been established and the
configurations are fully synchronized.
The checksums for all cluster members must match in order for the FortiGate devices to be in a synchronized
state.
3. When prompted, log back in to the Remote-FortiGate console as admin and password password.
4. To check the HA synchronization status, run the following command:
9. Alternatively, you can run the following command on the console of any FortiGate in the cluster to view the
checksums of all cluster members:
After the checksums of both FortiGate devices match, you will verify the cluster member roles to confirm the
primary and secondary devices.
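The check the lab describes (every member reports the same checksums) can be automated. The following is an added example, not part of the Fortinet lab guide: SAMPLE_OUTPUT is a constructed, simplified imitation of the checksum-per-member output (made-up serial numbers and hex values; the real command prints additional lines that the parser skips), and the parser flags which scope (global, root, all) is out of sync.

```python
# Added example (not from the lab guide): find which configuration scope differs
# between cluster members. SAMPLE_OUTPUT is a constructed, simplified imitation
# of the per-member checksum listing; serials and hex values are made up.
import re

SAMPLE_OUTPUT = """\
================== FGVM01LOCAL00001 ==================
checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
all: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
================== FGVM01REMOTE0001 ==================
checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f1
all: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 98
"""

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")           # "=== <serial> ==="
SUM_RE = re.compile(r"^(\w+):\s*((?:[0-9a-f]{2}\s*)+)$")  # "<scope>: <hex bytes>"


def parse_checksums(text):
    """Map serial -> {scope: checksum} using only the 'checksum' section of each member.

    Any other section (for example a debug section printed before 'checksum')
    is ignored, because capture starts at the 'checksum' marker and stops at
    the next member header.
    """
    members, current, in_checksum = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        m = MEMBER_RE.match(line)
        if m:
            current, in_checksum = m.group(1), False
            members[current] = {}
            continue
        if line == "checksum":
            in_checksum = True
            continue
        s = SUM_RE.match(line)
        if current and in_checksum and s:
            members[current][s.group(1)] = s.group(2).replace(" ", "")
    return members


def out_of_sync_scopes(members):
    """Return the scopes whose checksum is not identical on every member."""
    scopes = set().union(*(d.keys() for d in members.values()))
    return sorted(sc for sc in scopes
                  if len({d.get(sc) for d in members.values()}) > 1)
```

An empty result means the cluster is in sync; a non-empty one names the VDOM (or "all") whose configuration still differs, which is where to start looking.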
In this configuration, the FortiGate device that is named Local-FortiGate is the primary
in the HA cluster because override is disabled and monitored ports are not configured.
Next, the cluster checks priority: Local-FortiGate, which has a priority of 200, has a
higher priority than Remote-FortiGate, which has a priority of 100.
The primary FortiGate will have more sessions than the secondary FortiGate. This is
because all management traffic is with the primary; all non-TCP traffic is also handled
by the primary. By default, only TCP sessions that require security profile inspection
are load balanced between the primary and secondary FortiGate devices.
You have set up an HA cluster. Now, you will trigger an HA failover and observe the renegotiation among devices
to elect a new primary device and redistribute the sessions.
You will reboot the primary FortiGate in the cluster to trigger failover.
After you have performed these steps, see Verify the HA Failover and FortiGate Roles on page 117.
http://www.dailymotion.com
ping 4.2.2.2 -t
4. To trigger a failover, on the Local-FortiGate console, run the following command to reboot the Local-FortiGate.
execute reboot
Verify the HA Failover and FortiGate Roles
Now, you will verify the HA failover and check the role of each FortiGate in the HA cluster.
2. To verify that Remote-FortiGate is acting as the primary device in the HA cluster, on the Remote-FortiGate
console, run the following command:
3. To see the status of all cluster members, run the following command on any FortiGate in the cluster:
You should see that Local-FortiGate rejoins the cluster as a secondary. It has lost its role of primary:
Trigger an HA Failover by Resetting the HA Uptime
Now, you will trigger a failover by resetting the HA uptime on the current primary FortiGate (which should be
Remote-FortiGate), and then verify the role of each FortiGate in the HA cluster.
By resetting the HA uptime, you are forcing the cluster to use the next parameter to
determine which FortiGate has the higher priority to become the primary. As per the
configuration, Local-FortiGate has a priority of 200, and Remote-FortiGate has a
priority of 100. Local-FortiGate will become the primary device in the cluster.
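The two notes above (the one explaining why Local-FortiGate is primary at first, and this one explaining why it becomes primary again after the uptime reset) describe the FGCP election order with override disabled. The following is an added example, not code from the lab guide or from Fortinet: a model of that election for a two-member cluster, replaying the three states the lab walks through. The selection order and the default 300-second uptime margin (ha-uptime-diff-margin) are FortiOS behaviour; the serial numbers and uptime values are constructed.

```python
# Added example (not from the lab guide): FGCP primary election with override
# disabled, modelled for the two-member cluster in this lab. Serials and uptimes
# are constructed; the order of checks and the 300 s margin are FortiOS defaults.
from dataclasses import dataclass

UPTIME_DIFF_MARGIN = 300  # seconds; FortiOS default for ha-uptime-diff-margin


@dataclass
class Member:
    name: str
    serial: str
    priority: int
    ha_uptime: int         # seconds since joining the cluster or since an uptime reset
    monitored_up: int = 0  # monitored interfaces that are link-up (none in this lab)


def elect_primary(members):
    """Return the member that wins the election when override is disabled.

    Order: 1) most connected monitored interfaces, 2) highest HA uptime, but only
    if it leads every other member by more than the margin, 3) highest priority,
    4) highest serial number.
    """
    best = max(m.monitored_up for m in members)
    candidates = [m for m in members if m.monitored_up == best]
    oldest = max(candidates, key=lambda m: m.ha_uptime)
    if all(oldest.ha_uptime - m.ha_uptime > UPTIME_DIFF_MARGIN
           for m in candidates if m is not oldest):
        return oldest
    return max(candidates, key=lambda m: (m.priority, m.serial))


def lab_scenarios():
    """Replay the lab's three cluster states; returns the primary's name for each."""
    local = Member("Local-FortiGate", "FGVM01LOCAL00001", 200, 0)    # constructed
    remote = Member("Remote-FortiGate", "FGVM01REMOTE0001", 100, 0)  # constructed
    results = {}
    # Fresh cluster: equal age, so priority decides and Local-FortiGate wins.
    local.ha_uptime = remote.ha_uptime = 3600
    results["initial"] = elect_primary([local, remote]).name
    # Local is rebooted: Remote keeps running, and when Local rejoins Remote's
    # uptime lead is far beyond the margin, so Local comes back as secondary.
    remote.ha_uptime, local.ha_uptime = 3600 + 900, 60
    results["after_reboot"] = elect_primary([local, remote]).name
    # HA uptime reset on Remote: age no longer decides, so priority does again.
    remote.ha_uptime, local.ha_uptime = 0, 60
    results["after_reset_uptime"] = elect_primary([local, remote]).name
    return results
```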
2. Remote-FortiGate now has the backup role in the cluster. On the Remote-FortiGate console, run the following
command to verify it:
The HA synchronization process is responsible for FGCP packets that communicate cluster status and build the
cluster. You will use real-time diagnostic commands to observe this process.
3. On the Remote-FortiGate console, run the following command to reboot the Remote-FortiGate:
execute reboot
The output will show that the current primary FortiGate is sending heartbeat packets and trying to
synchronize its configuration with the secondary FortiGate’s configuration.
6. To stop the debug output on Local-FortiGate, press the Up Arrow key twice, select the second-last command (in
this case, diagnose debug application hasync 0), and then press the Enter key.
7. Return to Local-Windows VM and close the command prompt to stop the continuous ping.
8. Close the browser.
In this exercise, you will configure a spare interface in the cluster as a non-synchronizing management
interface. This allows each FortiGate device to be reached individually for SNMP and management purposes.
If a management interface is not configured, you have access to the GUI of only the primary FortiGate in the
cluster; you can connect to the secondary FortiGate only through the primary FortiGate's CLI or through
the console connection.
You can also configure an in-band HA management interface, which is an alternative to the reserved HA
management interface feature and does not require reserving an interface that is only for management access.
You will connect to the secondary FortiGate through the CLI of the primary FortiGate.
5. Run the following command to get the status of the secondary FortiGate:
get system status
7. To return to the CLI of Local-FortiGate (the primary), run the following command:
exit
You will use an unused interface on the FortiGate devices in an HA cluster to configure a management interface.
This allows you to configure a different IP address for this interface for each FortiGate in the HA cluster.
4. Enable Management Interface Reservation, and in the Interface field, select port7.
5. Click OK.
Configure and Access the Primary FortiGate Using the Management Interface
You will configure and verify access to the primary FortiGate using the management interface.
To configure and verify access to the primary FortiGate using the management interface
1. From the VM List, on the Local-FortiGate console, log in as admin and password password.
2. Run the following commands to configure port7:
Even though this address overlaps with port3, and would not usually be allowed
(FortiGate does not allow overlapping subnets), it is allowed here because the
interface now has a special purpose, and is excluded from the routing table.
3. Return to the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.253 (note
the IP address) as admin and password password.
This will verify connectivity to port7.
You will configure and verify access to the secondary FortiGate using the management interface.
- Verify that port7 has no configuration, and then configure the port7 IP/Netmask as
10.0.1.252/24 with the same allowaccess configured for Local-FortiGate port7.
2. On the Local-Windows VM, log in to the Remote-FortiGate GUI (admin/password) using the port7 IP
address to verify connectivity.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After the configuration is ready, see Disconnect FortiGate From the Cluster on page 123.
To configure and verify access to the secondary FortiGate using the management interface
1. From the VM List, on the Remote-FortiGate console, log in as admin and password password.
2. Verify that the non-synchronizing interface settings have been synced to the secondary:
show system ha
Look for ha-mgmt-status and ha-mgmt-interface. These should be set.
4. Configure port7:
Each device in the cluster now has its own management IP address for monitoring purposes.
You will disconnect Remote-FortiGate from the cluster. FortiGate will prompt you to configure an IP address on
any port on FortiGate so that you can access it after disconnecting.
Field        Value
Interface    port3
IP/Netmask   10.0.1.251/24
5. Click OK.
This removes FortiGate from the HA cluster.
Now, you will restore the Remote-FortiGate configuration so that you can use the Remote-FortiGate in the next
labs.
Failure to perform these steps will prevent you from doing the next exercise.
2. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.0.1.251 with the
user name admin and password password.
3. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
Failure to perform these steps will prevent you from doing the next exercises.