{"id":204,"date":"2022-03-11T04:24:02","date_gmt":"2022-03-11T09:24:02","guid":{"rendered":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/high-availability\/"},"modified":"2023-08-29T16:27:05","modified_gmt":"2023-08-29T20:27:05","slug":"high-availability","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/high-availability\/","title":{"raw":"6.1 High Availability","rendered":"6.1 High Availability"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure HA (Active-Passive) between two firewalls<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    Scenario<\/strong>: In this lab, we are going to have two firewalls. One of them is Primary or Active and the other one is Secondary or Passive. We are going to have High Availability between these two firewalls and if we shut down one of them, the other one will be Primary.<\/div>\n\n[caption id=\"attachment_194\" align=\"aligncenter\" width=\"1111\"]\"High Figure 6.1: Main scenario[\/caption]\n\n
    \n\n\n\n\n\n\n\n\n
    Table 6.1: Devices configuration<\/caption>\n
    Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
    WebTerm1<\/td>\n192.168.1.2\/24<\/td>\n-<\/td>\n<\/tr>\n
    WebTerm2<\/td>\n192.168.10.2\/24<\/td>\n-<\/td>\n<\/tr>\n
    EthernetSwitch1<\/td>\n-<\/td>\n-<\/td>\n<\/tr>\n
    EthernetSwitch2<\/td>\n-<\/td>\n-<\/td>\n<\/tr>\n
    FG-Primary<\/td>\nPort 1: 192.168.1.1\/24\n\nPort 5: 192.168.10.1\/24<\/td>\nICMP-HTTP-HTTPS<\/td>\n<\/tr>\n
    FG-Secondary<\/td>\nPort 1: 192.168.1.1\/24\n\nPort 5: 192.168.10.1\/24<\/td>\nICMP-HTTP-HTTPS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      \n \t
    1. CLI Configuration for Primary and Secondary:\n
      \n\nFG-Primary<\/strong>\n\nFortiGate-VM64-KVM # config system global<\/em>\nFortiGate-VM64-KVM (global) # set hostname FG-Primary<\/em>\nFortiGate-VM64-KVM (global) # end<\/em>\n
      <\/div>\n
      FG-Primary # config system interface<\/em><\/div>\n
      FG-Primary (interface) # edit port1<\/em><\/div>\n
      FG-Primary (port1) # set mode static<\/em><\/div>\n
      FG-Primary (port1) # set ip 192.168.1.1\/24<\/em><\/div>\n
      FG-Primary (port1) # set allowaccess http https ping<\/em><\/div>\n
      FG-Primary (port1) # end<\/em><\/div>\n
      <\/div>\n
      FG-Primary # config system interface<\/em><\/div>\n
      FG-Primary (interface) # edit port5<\/em><\/div>\n
      FG-Primary (port5) # set ip 192.168.10.1\/24<\/em><\/div>\n
      FG-Primary (port5) # set allowaccess http https ping<\/em><\/div>\n
      FG-Primary (port5) # end<\/em><\/div>\n<\/div>\n
      \n\nFG-Secondary<\/strong>\n\nFortiGate-VM64-KVM # config system global<\/em>\nFortiGate-VM64-KVM (global) # set hostname FG-Secondary<\/em>\nFortiGate-VM64-KVM (global) # end<\/em>\n
      <\/div>\n
      FG-Secondary # config system interface<\/em><\/div>\n
      FG-Secondary(interface) # edit port1<\/em><\/div>\n
      FG-Secondary (port1) # set mode static<\/em><\/div>\n
      FG-Secondary (port1) # set ip 192.168.1.1\/24<\/em><\/div>\n
      FG-Secondary (port1) # set allowaccess http https ping<\/em><\/div>\n
      FG-Secondary (port1) # end<\/em><\/div>\n
      <\/div>\n
      FG-Secondary # config system interface<\/em><\/div>\n
      FG-Secondary (interface) # edit port5<\/em><\/div>\n
      FG-Secondary (port5) # set ip 192.168.10.1\/24<\/em><\/div>\n
      FG-Secondary (port5) # set allowaccess http https ping<\/em><\/div>\n
      FG-Secondary (port5) # end<\/em><\/div>\n<\/div><\/li>\n \t
    2. Go to System > HA in the FG-Primary<\/strong>:\n
        \n \t
      • Select the Mode: Active-Passive<\/strong><\/li>\n \t
      • Device Priority: 128<\/strong> (The higher priority is primary)<\/li>\n \t
      • Group Name: HRT<\/strong> (The Group name between Primary and Secondary should be the same)<\/li>\n \t
      • Password: Set a password<\/strong> (The Password between Primary and Secondary should be the same)<\/li>\n \t
      • Monitor Interface: Port 3<\/strong><\/li>\n \t
      • Heartbeat Interface: Port 4<\/strong><\/li>\n<\/ul>\n[caption id=\"attachment_196\" align=\"aligncenter\" width=\"729\"]\"HA Figure 6.2: HA primary configuration[\/caption]\n\nDo the same configuration in the FG-Secondary but set the Device priority to 50.\n\n[caption id=\"attachment_196\" align=\"aligncenter\" width=\"729\"]\"HA Figure 6.3: HA secondary configuration[\/caption]<\/li>\n \t
      • After setting secondary device, no longer be able to access secondary device. Go to FG-Primary<\/strong> > System<\/strong> > HA<\/strong> and evaluate your result.\n\n[caption id=\"attachment_198\" align=\"aligncenter\" width=\"1010\"]\"HA Figure 6.4: HA status[\/caption]\n\nTwo devices will be synchronized after a while.\n\n[caption id=\"attachment_198\" align=\"aligncenter\" width=\"942\"]\"HA Figure 6.5: HA Synchronized status[\/caption]<\/li>\n \t
      • Now, connect other interfaces like Figure 6.6.\n\n[caption id=\"attachment_202\" align=\"aligncenter\" width=\"1149\"]\"main Figure 6.6: Main scenario[\/caption]\n\nTry to Stop FG-Primary and go to WebTerm1. Can you reach the firewall?\n\n[caption id=\"attachment_202\" align=\"aligncenter\" width=\"1100\"]\"Stopping Figure 6.7: Stopping FG-Primary[\/caption]\n\n[caption id=\"attachment_202\" align=\"aligncenter\" width=\"400\"]\"Verify Figure 6.8: Verify connectivity to the firewall[\/caption]\n\n[caption id=\"attachment_202\" align=\"aligncenter\" width=\"500\"]\"Verify Figure 6.9: Verify firewall role after stopping FG-Primary[\/caption]<\/li>\n \t
      • Go to Log & Report<\/strong> > Events<\/strong> > HA Events<\/strong> and download the log. Verify your result.\n\n[caption id=\"attachment_203\" align=\"aligncenter\" width=\"550\"]\"HA Figure 6.10: HA Events[\/caption]<\/li>\n<\/ol>","rendered":"
        \n
        \n

        Learning Objectives<\/p>\n<\/header>\n

        \n
          \n
        • Configure HA (Active-Passive) between two firewalls<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
          Scenario<\/strong>: In this lab, we are going to have two firewalls. One of them is Primary or Active and the other one is Secondary or Passive. We are going to have High Availability between these two firewalls and if we shut down one of them, the other one will be Primary.<\/div>\n
          \"High
          Figure 6.1: Main scenario<\/figcaption><\/figure>\n
          \n\n\n\n\n\n\n\n\n\n
          Table 6.1: Devices configuration<\/caption>\n
          Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
          WebTerm1<\/td>\n192.168.1.2\/24<\/td>\n–<\/td>\n<\/tr>\n
          WebTerm2<\/td>\n192.168.10.2\/24<\/td>\n–<\/td>\n<\/tr>\n
          EthernetSwitch1<\/td>\n–<\/td>\n–<\/td>\n<\/tr>\n
          EthernetSwitch2<\/td>\n–<\/td>\n–<\/td>\n<\/tr>\n
          FG-Primary<\/td>\nPort 1: 192.168.1.1\/24<\/p>\n

          Port 5: 192.168.10.1\/24<\/td>\n

          		ICMP-HTTP-HTTPS<\/td>\n<\/tr>\n
          FG-Secondary<\/td>\nPort 1: 192.168.1.1\/24<\/p>\n

          Port 5: 192.168.10.1\/24<\/td>\n

          		ICMP-HTTP-HTTPS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
            \n
          1. CLI Configuration for Primary and Secondary:\n
            \n

            FG-Primary<\/strong><\/p>\n

            FortiGate-VM64-KVM # config system global<\/em>
            \nFortiGate-VM64-KVM (global) # set hostname FG-Primary<\/em>
            \nFortiGate-VM64-KVM (global) # end<\/em><\/p>\n

            <\/div>\n
            FG-Primary # config system interface<\/em><\/div>\n
            FG-Primary (interface) # edit port1<\/em><\/div>\n
            FG-Primary (port1) # set mode static<\/em><\/div>\n
            FG-Primary (port1) # set ip 192.168.1.1\/24<\/em><\/div>\n
            FG-Primary (port1) # set allowaccess http https ping<\/em><\/div>\n
            FG-Primary (port1) # end<\/em><\/div>\n
            <\/div>\n
            FG-Primary # config system interface<\/em><\/div>\n
            FG-Primary (interface) # edit port5<\/em><\/div>\n
            FG-Primary (port5) # set ip 192.168.10.1\/24<\/em><\/div>\n
            FG-Primary (port5) # set allowaccess http https ping<\/em><\/div>\n
            FG-Primary (port5) # end<\/em><\/div>\n<\/div>\n
            \n

            FG-Secondary<\/strong><\/p>\n

            FortiGate-VM64-KVM # config system global<\/em>
            \nFortiGate-VM64-KVM (global) # set hostname FG-Secondary<\/em>
            \nFortiGate-VM64-KVM (global) # end<\/em><\/p>\n

            <\/div>\n
            FG-Secondary # config system interface<\/em><\/div>\n
            FG-Secondary(interface) # edit port1<\/em><\/div>\n
            FG-Secondary (port1) # set mode static<\/em><\/div>\n
            FG-Secondary (port1) # set ip 192.168.1.1\/24<\/em><\/div>\n
            FG-Secondary (port1) # set allowaccess http https ping<\/em><\/div>\n
            FG-Secondary (port1) # end<\/em><\/div>\n
            <\/div>\n
            FG-Secondary # config system interface<\/em><\/div>\n
            FG-Secondary (interface) # edit port5<\/em><\/div>\n
            FG-Secondary (port5) # set ip 192.168.10.1\/24<\/em><\/div>\n
            FG-Secondary (port5) # set allowaccess http https ping<\/em><\/div>\n
            FG-Secondary (port5) # end<\/em><\/div>\n<\/div>\n<\/li>\n
          2. Go to System > HA in the FG-Primary<\/strong>:\n
              \n
            • Select the Mode: Active-Passive<\/strong><\/li>\n
            • Device Priority: 128<\/strong> (The higher priority is primary)<\/li>\n
            • Group Name: HRT<\/strong> (The Group name between Primary and Secondary should be the same)<\/li>\n
            • Password: Set a password<\/strong> (The Password between Primary and Secondary should be the same)<\/li>\n
            • Monitor Interface: Port 3<\/strong><\/li>\n
            • Heartbeat Interface: Port 4<\/strong><\/li>\n<\/ul>\n
              \"HA
              Figure 6.2: HA primary configuration<\/figcaption><\/figure>\n

              Do the same configuration in the FG-Secondary but set the Device priority to 50.<\/p>\n

              \"HA
              Figure 6.3: HA secondary configuration<\/figcaption><\/figure>\n<\/li>\n
            • After setting secondary device, no longer be able to access secondary device. Go to FG-Primary<\/strong> > System<\/strong> > HA<\/strong> and evaluate your result.
              \n
              \"HA
              Figure 6.4: HA status<\/figcaption><\/figure>\n

              Two devices will be synchronized after a while.<\/p>\n

              \"HA
              Figure 6.5: HA Synchronized status<\/figcaption><\/figure>\n<\/li>\n
            • Now, connect other interfaces like Figure 6.6.
              \n
              \"main
              Figure 6.6: Main scenario<\/figcaption><\/figure>\n

              Try to Stop FG-Primary and go to WebTerm1. Can you reach the firewall?<\/p>\n

              \"Stopping
              Figure 6.7: Stopping FG-Primary<\/figcaption><\/figure>\n
              \"Verify
              Figure 6.8: Verify connectivity to the firewall<\/figcaption><\/figure>\n
              \"Verify
              Figure 6.9: Verify firewall role after stopping FG-Primary<\/figcaption><\/figure>\n<\/li>\n
            • Go to Log & Report<\/strong> > Events<\/strong> > HA Events<\/strong> and download the log. Verify your result.
              \n
              \"HA
              Figure 6.10: HA Events<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n","protected":false},"author":124,"menu_order":3,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-204","chapter","type-chapter","status-publish","hentry"],"part":193,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/204\/revisions"}],"predecessor-version":[{"id":205,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/204\/revisions\/205"}],"part":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/193"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/204\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=204"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=204"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}