
Lab 14


Exercise 1: Configuring HA

FortiGate HA uses FGCP, which uses a heartbeat link for HA-related communications to
discover other FortiGate devices in the same HA group, elect a primary device,
synchronize configuration, and detect failed devices in an HA cluster.

In this exercise, you will examine how to configure HA settings on both FortiGate devices.
You will observe the HA synchronization status, and use diagnose commands to verify that
the configuration is in sync on both FortiGate devices.

Unless instructed otherwise, always use the console connection of Local-FortiGate and Remote-FortiGate to access the CLI. This ensures that you can access the CLI of the device regardless of the HA role.

Configure HA Settings on Local-FortiGate


You will configure HA-related settings using the Local-FortiGate GUI.

To configure HA settings on Local-FortiGate


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click System > HA, and then configure the following HA settings:

Field                  Value
Mode                   Active-Passive
Device priority        200
Group ID               5
Group name             Training
Password               Fortinet (Tip: click Change, and then type the password.)
Session pickup         <enable>
Monitor interfaces     Click X to remove any ports that are selected.
Heartbeat interfaces   Click X to remove port4, and then select port2.
The configuration should look like the following example:


3. Click OK.

Configure HA Settings on Remote-FortiGate


You will configure HA-related settings on Remote-FortiGate, using the console.

To configure HA settings on Remote-FortiGate


1. Connect to the Remote-FortiGate CLI, and then log in with the username admin and
password password.

2. Enter the following commands:

config system ha
    set mode a-p
    set group-name Training
    set group-id 5
    set password Fortinet
    set hbdev port2 0
    set session-pickup enable
    set override disable
    set priority 100
end

Observe and Verify the HA Synchronization Status

Now that you have configured HA on both FortiGate devices, you will verify that HA is
established and that the configurations are fully synchronized.

The checksums for all cluster members must match for the FortiGate devices to be
synchronized.

To observe and verify the HA synchronization status


1. On the Remote-FortiGate CLI, notice the debug messages about the HA
synchronization process.

These messages sometimes display useful status change information.

2. Wait 4–5 minutes for the FortiGate devices to synchronize.

After the FortiGate devices are synchronized, Remote-FortiGate logs out all admin users. The console shows messages similar to the following:

secondary succeeded to sync external files with primary
secondary starts to sync with primary
logout all admin users
3. When prompted, log back in to the Remote-FortiGate CLI with the username admin and password password.

4. Enter the following command to check the HA synchronization status:

diagnose sys ha checksum show


5. On the Local-FortiGate CLI, enter the following command to check the HA
synchronization status:

diagnose sys ha checksum show

6. Compare the output from both FortiGate devices.

If both FortiGate devices are synchronized, the checksums match.

7. Alternatively, you can run the following CLI command on any member to view the
checksums of all members:

diagnose sys ha checksum cluster
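Comparing hex digests by eye across two consoles is error-prone, and on a cluster with several VDOMs you also want to know which zone is out of sync. The following Python script is an added example, not part of the lab and not Fortinet code: it parses the output of diagnose sys ha checksum cluster (and the per-member diagnose sys ha checksum show output, which uses the same zone: hex lines) and reports every zone whose checksum is not identical on all members. The sample output is constructed to approximate the layout of the real command; the serial numbers and digests are made up, and the second member's root and all digests are deliberately different so the mismatch path runs.

```python
import re
from typing import Dict

# Constructed sample approximating "diagnose sys ha checksum cluster" on a
# two-member A-P cluster. Serials and digests are invented; member 2's
# "root" and "all" digests are deliberately different from member 1's.
SAMPLE_CLUSTER_OUTPUT = """\
================== FGVM01TEST000001 ==================

is_manage_primary()=1, is_root_primary()=1

debugzone
global: 1f 6c 36 2c 5d 56 66 9d 8e 3d 63 f4 2c 3e b5 6a
root: d4 49 8c e3 87 c3 81 ce 1c 24 d0 33 e7 1c 2f 3e
all: 33 7e f7 e2 95 94 1e d0 6d 8a 2e 20 c5 91 89 2b

checksum
global: 1f 6c 36 2c 5d 56 66 9d 8e 3d 63 f4 2c 3e b5 6a
root: d4 49 8c e3 87 c3 81 ce 1c 24 d0 33 e7 1c 2f 3e
all: 33 7e f7 e2 95 94 1e d0 6d 8a 2e 20 c5 91 89 2b

================== FGVM01TEST000002 ==================

is_manage_primary()=0, is_root_primary()=0

debugzone
global: 1f 6c 36 2c 5d 56 66 9d 8e 3d 63 f4 2c 3e b5 6a
root: aa bb cc dd 87 c3 81 ce 1c 24 d0 33 e7 1c 2f 3e
all: 44 55 66 77 95 94 1e d0 6d 8a 2e 20 c5 91 89 2b

checksum
global: 1f 6c 36 2c 5d 56 66 9d 8e 3d 63 f4 2c 3e b5 6a
root: aa bb cc dd 87 c3 81 ce 1c 24 d0 33 e7 1c 2f 3e
all: 44 55 66 77 95 94 1e d0 6d 8a 2e 20 c5 91 89 2b
"""

# "================== <serial> ==================" separates cluster members.
MEMBER_HEADER = re.compile(r"^=+\s*(\S+)\s*=+\s*$")
# "<zone>: <hex bytes>"; zones are "global", "all" and one entry per VDOM.
CHECKSUM_LINE = re.compile(r"^([\w-]+):\s*((?:[0-9a-f]{2}\s*)+)$", re.I)


def parse_checksums(block: str) -> Dict[str, str]:
    """Parse zone: hex lines into {zone: compact lowercase hex}.

    When a literal "checksum" marker is present only the lines after the
    last one are used, so the "debugzone" copy in cluster output is ignored.
    """
    lines = block.splitlines()
    markers = [i for i, line in enumerate(lines) if line.strip() == "checksum"]
    if markers:
        lines = lines[markers[-1] + 1:]
    result: Dict[str, str] = {}
    for line in lines:
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = "".join(m.group(2).split()).lower()
    return result


def parse_cluster(output: str) -> Dict[str, Dict[str, str]]:
    """Split cluster output into {serial: {zone: hex}}."""
    members: Dict[str, Dict[str, str]] = {}
    current, buf = None, []
    for line in output.splitlines():
        m = MEMBER_HEADER.match(line.strip())
        if m:
            if current is not None:
                members[current] = parse_checksums("\n".join(buf))
            current, buf = m.group(1), []
        else:
            buf.append(line)
    if current is not None:
        members[current] = parse_checksums("\n".join(buf))
    return members


def out_of_sync_zones(members: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return {zone: {serial: hex}} for each zone whose digest is not identical
    on every member (a zone missing on some member also counts). An empty
    dict means the configurations are fully synchronized."""
    zones = set().union(*(m.keys() for m in members.values()))
    diffs: Dict[str, Dict[str, str]] = {}
    for zone in sorted(zones):
        values = {serial: digests.get(zone) for serial, digests in members.items()}
        if len(set(values.values())) > 1:
            diffs[zone] = values
    return diffs


def cluster_in_sync(output: str) -> bool:
    """True only when at least two members were found and no zone differs."""
    members = parse_cluster(output)
    return len(members) >= 2 and not out_of_sync_zones(members)


if __name__ == "__main__":
    members = parse_cluster(SAMPLE_CLUSTER_OUTPUT)
    for zone, values in out_of_sync_zones(members).items():
        print(f"zone {zone!r} differs:")
        for serial, digest in values.items():
            print(f"  {serial}: {digest}")
    print("in sync" if cluster_in_sync(SAMPLE_CLUSTER_OUTPUT) else "NOT in sync")
```

Paste the real command output into the script in place of the sample. The checksum section is what FGCP compares; a global mismatch usually points at a system-level setting that is not synchronized, while a mismatch limited to one VDOM narrows the search to that VDOM's configuration.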

Verify FortiGate Roles in an HA Cluster


After the checksums of both FortiGate devices match, you will verify the cluster member
roles to confirm the primary and secondary devices.

To verify FortiGate roles in an HA cluster


1. On both the Local-FortiGate CLI and Remote-FortiGate CLI, enter the following
command to verify that the HA cluster is established:

get system status

2. On both FortiGate devices, view the Current HA mode line, and then write down the
device serial number (Serial-Number).

Notice that Local-FortiGate is a-p primary and Remote-FortiGate is a-p secondary.

Stop and think!

Why was Local-FortiGate elected as the primary?

In the primary election process, FGCP first checks the number of connected monitored ports. Because you didn't configure monitored ports, FGCP then checks the next criterion.

Because the override setting is disabled, FGCP checks the HA uptime next. Because you enabled HA on both devices at about the same time, the HA uptime difference is less than 5 minutes.

Therefore, FGCP checks the next criterion, which is priority. Local-FortiGate has a priority of 200, which is greater than the priority of Remote-FortiGate, which is 100. The result is that FGCP elects Local-FortiGate as the primary.

3. On the Local-FortiGate CLI, enter the following command to confirm the reason for the primary election:

get system ha status

4. In the output, look for the Primary selected using section to identify the reason
for the latest primary election event.

Your output should look similar to the following example:

The output confirms that FGCP elected Local-FortiGate as the primary because of its higher priority.

If you see that the election reason is a higher uptime, that is probably because you rebooted one of the members. The reboot reset the HA uptime of that device, which caused the HA uptime difference between the members to exceed 5 minutes.

Exercise 2: Triggering an HA Failover


You set up an HA cluster. In this exercise, you will examine how to trigger an HA failover,
and observe the renegotiation among devices to elect a new primary device.

Unless instructed otherwise, always use the console connection of Local-FortiGate and Remote-FortiGate to access the CLI. This ensures that you can access the device CLI regardless of the HA role.

Trigger a Failover by Rebooting the Primary FortiGate

You will reboot the primary FortiGate in the cluster to trigger a failover.

Take the Expert Challenge!

1. On the Local-Client VM, complete the following:

 Play a long video (more than 5 minutes long) on https://www.youtube.com.
 Run a continuous ping to IP address 4.2.2.2.

2. On the Local-FortiGate CLI, reboot Local-FortiGate.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you have performed these steps, see Verify the HA Failover and FortiGate Roles.

To trigger a failover by rebooting the primary FortiGate

1. On the Local-Client VM, open a browser, and then visit the following URL:

https://www.youtube.com

2. Play a long video (more than 5 minutes long).

3. While the video is playing, open a terminal, and then enter the following command
to run a continuous ping to a public IP address:

ping 4.2.2.2

4. On the Local-FortiGate CLI, enter the following command to reboot Local-FortiGate and trigger a failover:

execute reboot

5. Press Y to confirm that you want to reboot Local-FortiGate.

Verify the HA Failover and FortiGate Roles


You will verify the HA failover, and check the roles of FortiGate in an HA cluster.

To verify the HA failover and FortiGate roles

1. On the Local-Client VM, check the video and terminal that you started earlier.

Because of the failover, Remote-FortiGate is now the primary and is processing the traffic. Your ping and video should still be running.

2. Close the browser tab with the video.

3. Return to the terminal, and then press Ctrl+C to stop the ping.

4. On the Remote-FortiGate CLI, enter the following command to verify that Remote-FortiGate is acting as the primary device in the HA cluster:

get system status

Stop and think!

When Local-FortiGate finishes rebooting and rejoins the cluster, does it rejoin as the secondary device, or resume its initial role of the primary device?

5. On any FortiGate in the cluster, enter the following command to see the status of all
cluster members:

get system ha status

You should see that Local-FortiGate rejoins the cluster as a secondary device. It lost its
role as the primary device.

Local-FortiGate becomes the secondary device in the cluster because it has a lower HA uptime than Remote-FortiGate, and the HA uptime difference between the members is more than 5 minutes.

Also, the override setting is disabled, so priority does not take precedence over uptime.
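The lab judges the failover by whether the ping is still running. To put a number on the interruption, the following Python script is an added example (not part of the lab, and not Fortinet tooling) that reads saved ping output and reports the runs of icmp_seq numbers that got no echo reply. The sample capture is constructed: the timings are invented, and the Destination Host Unreachable line from the gateway address 10.0.1.254 is included to show that error lines, which also carry an icmp_seq, must not be counted as replies.

```python
import re
from typing import List, Tuple

# Constructed sample of Linux `ping 4.2.2.2` output captured across a failover.
# Replies arrive for icmp_seq 1-4, seq 5-7 get no reply (seq 6 even draws a
# "Destination Host Unreachable" from the gateway), and replies resume at 8.
SAMPLE_PING_OUTPUT = """\
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=55 time=12.1 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=55 time=11.9 ms
64 bytes from 4.2.2.2: icmp_seq=3 ttl=55 time=12.4 ms
64 bytes from 4.2.2.2: icmp_seq=4 ttl=55 time=12.0 ms
From 10.0.1.254 icmp_seq=6 Destination Host Unreachable
64 bytes from 4.2.2.2: icmp_seq=8 ttl=55 time=13.2 ms
64 bytes from 4.2.2.2: icmp_seq=9 ttl=55 time=12.2 ms
64 bytes from 4.2.2.2: icmp_seq=10 ttl=55 time=12.0 ms
^C
--- 4.2.2.2 ping statistics ---
10 packets transmitted, 7 received, 30% packet loss, time 9012ms
"""

# Only genuine echo replies count. Error lines ("From <gw> icmp_seq=N ...")
# also carry a sequence number, so match on the "N bytes from" prefix.
REPLY_RE = re.compile(r"^\d+ bytes from \S+ icmp_seq=(\d+)")


def replied_seqs(output: str) -> List[int]:
    """Sequence numbers that received an echo reply, ascending, no duplicates."""
    seqs = set()
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            seqs.add(int(m.group(1)))
    return sorted(seqs)


def outages(seqs: List[int], interval: float = 1.0) -> List[Tuple[int, int, float]]:
    """Runs of missing sequence numbers between two replies.

    Each entry is (first_missing_seq, last_missing_seq, seconds), where
    seconds = number of missing probes * probe interval (ping sends one
    probe per second unless -i changes it).
    """
    gaps: List[Tuple[int, int, float]] = []
    for prev, nxt in zip(seqs, seqs[1:]):
        if nxt - prev > 1:
            missing = nxt - prev - 1
            gaps.append((prev + 1, nxt - 1, missing * interval))
    return gaps


def worst_outage_seconds(output: str, interval: float = 1.0) -> float:
    """Longest interruption in the capture; 0.0 when no reply was lost."""
    return max((gap[2] for gap in outages(replied_seqs(output), interval)), default=0.0)


if __name__ == "__main__":
    for first, last, seconds in outages(replied_seqs(SAMPLE_PING_OUTPUT)):
        print(f"no reply for icmp_seq {first}-{last}: about {seconds:.0f} s")
    print(f"worst outage: {worst_outage_seconds(SAMPLE_PING_OUTPUT):.0f} s")
```

Run the continuous ping with its output redirected to a file (ping 4.2.2.2 | tee ping.log), reboot the primary, stop the ping, and feed the file to the script. A gap of a few seconds is what "the ping should still be running" looks like in numbers; because only gaps between two replies are measured, a failover that never recovers shows up as a truncated capture rather than as an outage, so always check the final statistics line as well.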

Trigger an HA Failover by Resetting the HA Uptime

You will trigger a failover by resetting the HA uptime on the current primary FortiGate—
which should be Remote-FortiGate—and then you will verify the role of Remote-FortiGate
in the HA cluster.

To trigger an HA failover by resetting the HA uptime on FortiGate

1. On the Remote-FortiGate CLI console, enter the following command:

diagnose sys ha reset-uptime

After you reset the HA uptime on Remote-FortiGate, Local-FortiGate becomes the member with the highest HA uptime. Because the HA uptime difference between the members is more than 5 minutes, Local-FortiGate is elected as the new primary.

Remote-FortiGate now has the secondary role in the cluster.

2. On the Remote-FortiGate CLI, enter the following command to verify this:

get system status
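The three election outcomes in Exercises 1 and 2 (priority decides at first, uptime decides after the reboot, and uptime decides again after diagnose sys ha reset-uptime) all follow from one ordered set of criteria. The following Python model is an added example, not part of the lab and not Fortinet code: it implements the FGCP election order described in the Stop and think! notes (connected monitored ports, then HA uptime with the 5-minute margin, then priority, then serial number, with override enabled moving priority ahead of uptime) and replays the lab's events. The serial numbers, uptimes and the 300-second margin constant are assumed values; the override flag is applied cluster-wide here, whereas on a real FortiGate it is set per member.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed default: two HA uptimes count as equal unless they differ by more
# than 5 minutes, the margin the lab text describes.
UPTIME_DIFF_MARGIN = 300  # seconds


@dataclass(frozen=True)
class Member:
    name: str
    serial: str
    priority: int
    ha_uptime: int               # seconds since HA started on this member
    monitored_ports_up: int = 0  # monitored interfaces currently connected


def elect_primary(members: List[Member], override: bool) -> Tuple[Member, str]:
    """Return (primary, deciding criterion) using the FGCP election order.

    override disabled: monitored ports > HA uptime > priority > serial number
    override enabled:  monitored ports > priority > HA uptime > serial number
    Each step keeps only the members that tie on that criterion; the first
    step that leaves a single member decides the election.
    """
    steps: List[Tuple[str, Optional[Callable[[Member], object]]]] = [
        ("monitored ports", lambda m: m.monitored_ports_up),
    ]
    if override:
        steps += [("priority", lambda m: m.priority), ("uptime", None)]
    else:
        steps += [("uptime", None), ("priority", lambda m: m.priority)]
    steps.append(("serial", lambda m: m.serial))

    candidates = list(members)
    for reason, key in steps:
        if key is None:
            # HA uptime only decides when a member trails the leader by more
            # than the margin; closer uptimes are treated as a tie.
            leader = max(m.ha_uptime for m in candidates)
            survivors = [m for m in candidates
                         if leader - m.ha_uptime <= UPTIME_DIFF_MARGIN]
        else:
            best = max(key(m) for m in candidates)
            survivors = [m for m in candidates if key(m) == best]
        if len(survivors) == 1:
            return survivors[0], reason
        candidates = survivors
    return candidates[0], "serial"  # only reached with duplicate serials


def lab_scenarios() -> Dict[str, Tuple[str, str]]:
    """Replay the lab's election events. Serial numbers are made up; uptimes
    are illustrative values consistent with the lab text."""
    local = Member("Local-FortiGate", "FGVM01TEST000002", priority=200, ha_uptime=100)
    remote = Member("Remote-FortiGate", "FGVM01TEST000001", priority=100, ha_uptime=60)
    results = {}
    # Exercise 1: HA enabled on both within a couple of minutes -> priority decides.
    results["initial"] = elect_primary([local, remote], override=False)
    # Exercise 2: Local-FortiGate rebooted, so its HA uptime restarted from
    # zero while Remote-FortiGate kept counting -> uptime decides, Local loses.
    local_rebooted = Member(local.name, local.serial, 200, ha_uptime=120)
    remote_running = Member(remote.name, remote.serial, 100, ha_uptime=1200)
    results["after_reboot"] = elect_primary([local_rebooted, remote_running], override=False)
    # diagnose sys ha reset-uptime on Remote-FortiGate -> Local leads by > 5 min.
    remote_reset = Member(remote.name, remote.serial, 100, ha_uptime=0)
    local_running = Member(local.name, local.serial, 200, ha_uptime=900)
    results["after_reset_uptime"] = elect_primary([local_running, remote_reset], override=False)
    # Same post-reboot state with override enabled: priority beats uptime, so
    # the rebooted Local-FortiGate would take the primary role straight back.
    results["override_after_reboot"] = elect_primary([local_rebooted, remote_running], override=True)
    return {event: (winner.name, reason) for event, (winner, reason) in results.items()}


if __name__ == "__main__":
    for event, (winner, reason) in lab_scenarios().items():
        print(f"{event:22s} primary={winner:17s} selected using {reason}")
```

The override_after_reboot case is the practical reason the lab leaves override disabled: with override enabled, a high-priority member that reboots preempts the running primary as soon as it rejoins, which costs a second failover for every reboot of that unit.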


Observe HA Leave and Join Messages Using Diagnostic Commands

The HA synchronization process is responsible for FGCP packets that communicate cluster
status and build the cluster. You will use real-time diagnostic commands to observe this
process.

To observe HA failover using diagnostic commands

1. On the Local-FortiGate CLI, enter the following commands:

diagnose debug enable
diagnose debug application hatalk 0
diagnose debug application hatalk 255

The diagnose debug application hatalk 0 command stops the debug. You enter it now so that you can recall it from the command history later, when you want to stop the debug output.

2. On the Remote-FortiGate CLI, enter the following command to reboot Remote-FortiGate:

execute reboot

3. Press Y to confirm that you want to reboot Remote-FortiGate.

4. On the Local-FortiGate CLI, view the output while the secondary device reboots and starts communicating with the cluster.

The sanitized output shows that the current primary FortiGate is sending heartbeat packets and trying to synchronize its configuration with the configuration of the secondary FortiGate.

5. Press the up arrow key twice, select the second-last command (in this
case, diagnose debug application hatalk 0 ), and then press Enter to stop the
debug output on Local-FortiGate.

Exercise 3: Configuring the HA Management Interface

In this exercise, you will examine how to configure a spare interface in the cluster as a
reserved HA management interface. This allows both FortiGate devices to be reachable for
management purposes regardless of the member role.

If you don't configure a reserved HA management interface, the primary FortiGate handles
your cluster management connections. However, you can access the CLI of the secondary
FortiGate from the primary FortiGate CLI, or by using the console connection of the
secondary FortiGate.

You can also configure an in-band HA management interface, which is an alternative to the
reserved HA management interface, and does not require reserving an interface that is only
for management access.

Unless instructed otherwise, always use the console connection of Local-FortiGate and Remote-FortiGate to access the CLI. This ensures that you can access the device CLI regardless of the HA role.

Access the Secondary FortiGate CLI Through the Primary FortiGate CLI

You will connect to the secondary FortiGate CLI through the primary FortiGate CLI.

To access the secondary FortiGate CLI through the primary FortiGate CLI

1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following command to access the secondary FortiGate CLI through the primary FortiGate heartbeat interface:

execute ha manage <id> admin

Use ? to list the values for <id>.

3. When prompted, enter the password password to log in to Remote-FortiGate.

4. Enter the following command to get the status of the secondary FortiGate:

get system status


5. View the Current HA mode line.

You will notice that Remote-FortiGate is a-p secondary.

6. Enter the following command to return to the Local-FortiGate CLI:

exit

Set Up a Reserved HA Management Interface


You will use an unused interface on the FortiGate devices in an HA cluster to configure a
reserved HA management interface and a unique IP address for each member. This way,
you can access each member directly, regardless of its role.

To set up a reserved HA management interface

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI
at 10.0.1.254 with the username admin and password password.

2. Click System > HA.

3. Right-click Local-FortiGate, and then click Edit.

4. Enable Management Interface Reservation, and then in the Interface field, select port7.

5. Click OK.

port7 connects to the same LAN segment as port3.
Configure and Access the Primary FortiGate Using the Reserved HA Management Interface

You will configure and verify access to the primary FortiGate using the reserved HA
management interface.

To configure and verify access to the primary FortiGate using the reserved
HA management interface

1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following commands to configure port7:

config system interface
    edit port7
        set ip 10.0.1.253/24
        set allowaccess ping ssh snmp http https
    next
end

This address is in the same subnet as port3. FortiGate rejects overlapping subnets on ordinary interfaces by default, but it allows the overlap here because the routing entries for the reserved HA management interface are kept out of the main routing table.
3. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI
at 10.0.1.253 (note the IP address) with the username admin and
password password.

This verifies connectivity to port7.
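Before committing a reserved HA management interface on a production cluster, it is worth checking the plan against the constraints this exercise relies on: the interface must be a spare one (not a heartbeat or monitored interface), its subnet may overlap an ordinary interface only because it is the reserved management interface, and each member needs a distinct address. The following Python check is an added example, not part of the lab and not Fortinet code; the interface table is constructed from the lab topology (port3 on 10.0.1.254/24, port7 reserved on 10.0.1.253/24, port2 as heartbeat), and port5 in the test is a hypothetical extra interface used to show a rejected overlap.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed interface table modelled on the lab topology: port3 is the
# LAN-side interface and port7 is the reserved HA management interface on
# the same segment. port2 is the heartbeat interface from Exercise 1.
LAB_INTERFACES: Dict[str, str] = {
    "port3": "10.0.1.254/24",
    "port7": "10.0.1.253/24",
}
RESERVED_HA_MGMT: Set[str] = {"port7"}
HEARTBEAT: Set[str] = {"port2"}
MONITORED: Set[str] = set()


def overlapping_pairs(interfaces: Dict[str, str], reserved_mgmt: Set[str]) -> List[Tuple[str, str]]:
    """Pairs of ordinary interfaces whose subnets overlap, which FortiGate
    rejects by default. Reserved HA management interfaces are skipped: their
    routes stay out of the main routing table, so that overlap is allowed."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items() if name not in reserved_mgmt}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def reserved_mgmt_conflicts(reserved_mgmt: Set[str], heartbeat: Set[str],
                            monitored: Set[str]) -> List[str]:
    """The reserved HA management interface must be a spare interface; it
    cannot double as a heartbeat or a monitored interface."""
    return sorted(name for name in reserved_mgmt
                  if name in heartbeat or name in monitored)


def duplicate_mgmt_addresses(per_member: Dict[str, str]) -> List[str]:
    """Management addresses assigned to more than one cluster member. Each
    member needs its own address so it stays reachable regardless of role."""
    seen: Dict[str, int] = {}
    for cidr in per_member.values():
        addr = str(ipaddress.ip_interface(cidr).ip)
        seen[addr] = seen.get(addr, 0) + 1
    return sorted(addr for addr, count in seen.items() if count > 1)


def plan_is_valid(interfaces: Dict[str, str], reserved_mgmt: Set[str],
                  heartbeat: Set[str], monitored: Set[str]) -> bool:
    return (not overlapping_pairs(interfaces, reserved_mgmt)
            and not reserved_mgmt_conflicts(reserved_mgmt, heartbeat, monitored))


if __name__ == "__main__":
    print("lab plan valid:", plan_is_valid(LAB_INTERFACES, RESERVED_HA_MGMT, HEARTBEAT, MONITORED))
    print("overlaps if port7 were not reserved:", overlapping_pairs(LAB_INTERFACES, set()))
    print("duplicate member addresses:",
          duplicate_mgmt_addresses({"Local-FortiGate": "10.0.1.253/24",
                                    "Remote-FortiGate": "10.0.1.252/24"}))
```

The overlap function deliberately mirrors the exception the note above describes: the same 10.0.1.0/24 pair is reported as a violation when port7 is treated as an ordinary interface and accepted when it is the reserved management interface.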

Configure and Access the Secondary FortiGate Using the Reserved HA Management Interface

You will configure and verify access to the secondary FortiGate using the reserved HA
management interface.

Take the Expert Challenge!

1. On the Remote-FortiGate CLI, complete the following:

 Verify that the reserved HA management interface is synchronized with the secondary device:

show system ha

 Verify that port7 has no configuration, and then configure the port7 IP/Netmask as 10.0.1.252/24 with the same allowaccess configured for Local-FortiGate port7.

2. On the Local-Client VM, log in to the Remote-FortiGate GUI (admin/password) using the port7 IP address to verify connectivity.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After the configuration is ready, see Disconnect Remote-FortiGate From the Cluster.

To configure and verify access to the secondary FortiGate using the reserved HA management interface


1. On the Remote-FortiGate CLI, enter the following command to verify that the
reserved HA management interface is synchronized with the secondary device:

show system ha

Look for ha-mgmt-status and config ha-mgmt-interfaces. These should already be set.

2. Enter the following command to verify that port7 has no configuration:

show system interface port7

3. Configure port7, using the following commands:

config system interface
    edit port7
        set ip 10.0.1.252/24
        set allowaccess ping ssh snmp http https
    next
end

4. On the Local-Client VM, open a browser, and then log in to the Remote-FortiGate
GUI at 10.0.1.252 (note the IP address) with the username admin and
password password.

This verifies connectivity to port7.

Each device in the cluster now has its own management IP address, so you can monitor and manage each member directly, regardless of its role.

Disconnect Remote-FortiGate From the Cluster


You will disconnect Remote-FortiGate from the cluster. When you remove the member, FortiGate prompts you to configure an interface and IP address on Remote-FortiGate so that you can access it after the disconnection.

To disconnect Remote-FortiGate from the cluster

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI
at 10.0.1.254 with the username admin and password password.

2. Click System > HA.

3. Right-click Remote-FortiGate, and then click Remove device from HA cluster.

4. When prompted, configure the following settings:

Field Value

Interface port3

IP/Netmask 10.0.1.251/24

5. Click OK.

This removes the FortiGate from the HA cluster.

Restore the Remote-FortiGate Configuration


You will restore the Remote-FortiGate configuration, so that you can use Remote-FortiGate
in the next labs.

Failure to perform these steps will prevent you from doing the next exercises.

To restore the Remote-FortiGate configuration file

1. On the Local-Client VM, open a browser, and then log in to the Remote-FortiGate
GUI at 10.0.1.251 with the username admin and password password.

2. In the upper-right corner, click admin, and then click Configuration > Revisions.

3. Click + to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

5. Click OK to reboot.
