HA at digidraft.net

HA

2017-08-10

Introduction

    In most cases network security components are critical points of failure, since all traffic passes through them. A high availability (HA) feature provides a redundancy solution for two or more network devices. FortiOS can eliminate the vulnerability of a standalone unit by means of a number of protocols:

  • FortiGate Cluster Protocol (FGCP) - allows creating a cluster of two to four FortiGates that appears to function as a single unit
  • FortiGate Session Life Support Protocol (FGSP) - allows creating peers which process already load-balanced traffic and synchronize sessions and part of the configuration
  • Session-Aware Load Balancing Clustering (SLBC) - consists of one or more FortiControllers acting as load balancers and FortiGate-5000s operating as workers, all installed in one or two FortiGate-5000 series chassis
  • Enhanced Load Balanced Clustering (ELBC) - uses FortiSwitch-5000 series load balancers to load balance traffic to FortiGate-5000 workers installed in a FortiGate-5000 chassis
  • Content Clustering - employs FortiSwitch-5203Bs or FortiController-5902Ds to load balance content sessions to FortiGate-5000 workers
  • VRRP - industry standard

FGCP with multi vdom enabled

    The diagram below shows two network segments, each with a router and a FortiGate-1200D.

[Diagram ha_1: two network segments, each with a router and a FortiGate-1200D]

    Each FortiGate has 4 VDOMs, two of which are used for separate groups of users (vdom1, vdom2). The root VDOM is used for management, for aggregating incoming user traffic, and for inter-unit configuration and session synchronization through the heartbeat interfaces. A transparent VDOM is used to aggregate outgoing user traffic.

    Here you can find how to configure inter-VDOM relations inside one unit. The main difference in this case is the inter-VDOM links. If a transparent VDOM is used to pass traffic through one or more VLANs, you have to create unique non-NP inter-VDOM links. This requirement is caused by the impossibility of assigning different MAC addresses to different VDOMs connected through NP inter-VDOM links; FortiOS cannot do that.

    Ports on the FortiGate were selected according to their ASIC (NP6) group membership. To display the FortiGate-1200D NP6 configuration use the following command.

FG-s1 (global) # get hardware npu np6 port-list

    A forwarding domain can be used to isolate traffic inside a transparent VDOM. You can connect a VLAN to one side of an inter-VDOM link, thereby providing a bridge between them. An ARP request, for instance, is flooded to all interfaces inside a forwarding domain.

config global
    # a manually created vdom-link is a software (non-NP) link; it yields
    # the two interfaces vdom1-tperent-link0 and vdom1-tperent-link1
    config system vdom-link
        edit "vdom1-tperent-link"
        next
    end
    config system interface
        # transparent-VDOM side of the link, placed in forwarding domain 2000
        edit "vdom1-tperent-link0"
            set vdom "Transperent"
            set type vdom-link
            set forward-domain 2000
        next
        # user-VDOM side of the link
        edit "vdom1-tperent-link1"
            set vdom "Vdom1"
            set type vdom-link
            set ip 1.1.1.1 255.255.255.0
            set allowaccess ping
            set forward-domain 2000
        next
        # the VLAN bridged to the link through the same forwarding domain
        edit "VLAN2000"
            set vdom "Transperent"
            set forward-domain 2000
            set interface "OUTSIDE"
            set vlanid 2000
        next
    end
end

    The HA configuration:

config system ha
    set group-id 10
    set group-name "ha_group1"
    set mode a-p
    set password ha_group_pass
    set hbdev "port8" 20 "port16" 10
    set session-pickup enable
    set session-pickup-delay enable
    set link-failed-signal enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway 10.100.3.78
    set override enable
    set priority 200
    set monitor "INSIDE" "OUTSIDE"
end

Where:

  • group-id - identifies the cluster
  • group-name - also identifies the cluster
  • mode a-p - active-passive mode
  • hbdev - defines the heartbeat interfaces and their priority (only one interface is active at a time)
  • session-pickup enable - synchronizes session information between cluster units through the heartbeat interfaces for fast failover
  • session-pickup-delay - synchronizes only sessions which have lasted longer than 30 seconds
  • link-failed-signal - briefly shuts down all monitored interfaces (except the heartbeat interfaces) after a failover occurs; this helps refresh the TCAM of the uplink switch
  • ha-mgmt-status, ha-mgmt-interface, ha-mgmt-interface-gateway - reserve the mgmt1 interface for management of each cluster unit; each FortiGate will have a different mgmt1 interface IP address
  • override - makes sure that the same cluster unit always operates as the primary unit
  • priority - sets the priority of each unit
  • monitor - monitored interfaces whose status is taken into account in the primary unit selection
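
As an added example (not part of the original post or of FortiOS), a small Python linter that parses a `config system ha` block like the one above and flags settings that weaken cluster resilience; the sample block, the setting names it checks and the rules themselves are this example's own assumptions:

```python
# Added example (not from the original post): a small linter for a FortiOS
# "config system ha" block like the one above. It parses the CLI text into a
# dict and flags settings that weaken cluster resilience. The rules and the
# sample block are this example's own assumptions, not FortiOS checks.
import shlex

# Constructed sample, modelled on the post's block (not the original text).
SAMPLE_HA = """config system ha
    set group-id 10
    set group-name "ha_group1"
    set mode a-p
    set password ha_group_pass
    set hbdev "port8" 20 "port16" 10
    set session-pickup enable
    set override enable
    set priority 200
    set monitor "INSIDE" "OUTSIDE"
end"""

def parse_ha_block(text):
    """Return {setting: [values]} for each 'set' line inside config system ha."""
    settings = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            parts = shlex.split(line)  # handles the quoted interface names
            settings[parts[1]] = parts[2:]
    return settings

def audit_ha(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hb_ifaces = settings.get("hbdev", [])[0::2]  # values alternate iface, priority
    if len(hb_ifaces) < 2:
        findings.append("fewer than two heartbeat interfaces: no heartbeat redundancy")
    if not settings.get("password"):
        findings.append("no HA password: units are not authenticated to the cluster")
    if settings.get("session-pickup", ["disable"])[0] != "enable":
        findings.append("session-pickup disabled: established sessions drop on failover")
    if not settings.get("monitor"):
        findings.append("no monitored interfaces: a failed data link will not trigger failover")
    overlap = set(hb_ifaces) & set(settings.get("monitor", []))
    if overlap:
        findings.append("interfaces used as both heartbeat and monitor: %s" % sorted(overlap))
    return findings
```

Running `audit_ha(parse_ha_block(SAMPLE_HA))` on the sample returns no findings; a block with a single heartbeat interface and no password, session-pickup or monitor list returns four.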