FGCP configuration examples and troubleshooting

FGCP configuration examples and troubleshooting

This chapter contains general procedures and descriptions as well as detailed configuration examples that describe how to configure FortiGate HA clusters.

The examples in this chapter include example values only. In most cases you will substitute your own values. The examples in this chapter also do not contain detailed descriptions of configuration parameter

 

About the examples in this chapter

The procedures in this chapter describe some of many possible sequences of steps for configuring HA clustering. As you become more experienced with FortiOS HA you may choose to use a different sequence of configuration steps.

For simplicity, many of these procedures assume that you are starting with new FortiGate units set to the factory default configuration. However, starting from the default configuration is not a requirement for a successful HA deployment. FortiGate HA is flexible enough to support a successful configuration from many different starting points.

 

How to set up FGCP clustering (recommended steps)

This example describes how to enhance the reliability of a network protected by a FortiGate unit by adding a second FortiGate unit to create a FortiGate Clustering Protocol (FGCP) High Availability cluster.

The FortiGate already on the network will be configured to become the primary unit by increasing its device priority and enabling override. The new FortiGate will be prepared by setting it to factory defaults to wipe any configuration changes. Then it will be licensed, configured for HA, and then connected to the FortiGate already on the network. The new FortiGate becomes the backup unit and its configuration is overwritten by the primary unit.

The recipe contains instructions for both the GUI and the CLI, with some parts of the configuration requiring use of the CLI.

Before you start the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

1. Configuring the primary FortiGate

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before con- figuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the con- figuration to factory defaults, requiring you to repeat steps performed before applying the license.

Connect to the primary FortiGate and go to Sys– tem > Dashboard > Status and locate the Sys– tem Information widget. Change the unit’s

Host Name to identify it as the primary

FortiGate.

You can also enter this CLI command:                    config system global

set hostname Primary_FortiGate end

If you have not already done so, register the primary FortiGate and apply licenses to it before setting up the cluster. This includes FortiCloud activation, FortiClient and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party cer- tificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party cer- tificates are synchronized to the backup FortiGate.

Enter this CLI command to set the HA mode to active-passive, set a group name and password, increase the device priority to a higher value (for example, 250) and enable override.

Enabling override and increasing the device pri- ority means this unit should always become the primary unit.

This command also selects ha1 and ha2 to be the heartbeat interfaces and sets their priorities to 50.

You can also use the GUI to configure most of these settings.

config system ha set mode a-p

set group-name My-HA-Cluster set password

set priority 250

set override enable

set hbdev ha1 50 ha2 50 end

Override can only be enabled from the CLI.            config system ha

set override enable end

 

The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose con- nectivity with the FortiGate unit as FGCP negotiation takes place and the MAC addresses of the FortiGate unit are changed to HA virtual MAC addresses. These virtual MAC addresses are used for failover. The actual virtual MAC address assigned to each FortiGate interface depends on the HA group ID. Since this example does not involved changing the HA group ID, the FortiGate unit’s interfaces will have the following MAC addresses: 00:09:0f:09:00:00, 00:09:0f:09:00:01, 00:09:0f:09:00:02 and so on.

To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries). You can usually delete the arp table from a com- mand prompt using a command similar to arp -d.

To confirm these MAC address changes, you can use the get hardware nic (or diagnose hardware deviceinfo nic) command to view the virtual MAC address of any FortiGate unit interface. Depending on the FortiGate model, the output from this command could include lines similar to the following:

Current_HWaddr: 00:09:0f:09:00:00

Permanent_HWaddr 02:09:0f:78:18:c9

2. Configuring the backup FortiGate

Enter this command to reset the new FortiGate to factory default settings.

execute factoryreset

You can skip this step if the new FortiGate is fresh from the factory. But if its configuration has been changed at all it is recommended to set it back to factory defaults to reduce the chance of synchronization problems.

Change the firmware running on the new FortiGate to be the same version as is running on the primary unit. Register the backup FortiGate and apply licenses to it before adding it to the cluster. This includes FortiCloud activation, FortiClient and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs).

Go to System > Dashboard > Status and change the unit’s Host Name to identify it as the backup FortiGate.

You can also enter this CLI command:                    config system global

set hostname Backup_FortiGate

end

 

Duplicate the primary unit HA settings, except set the device priority to a lower value and do not enable override.

You can configure all of these settings from the GUI.

You can also enter this CLI command:                    config system ha set mode a-p

set group-name My-HA-Cluster set password

set priority 50

set hbdev ha1 50 ha2 50

end

3. Connecting the cluster

Connect the HA cluster as shown in the initial diagram. Making these connections will disrupt network traffic as you disconnect and re-connect cables.

When connected the primary and backup FortiGates find each other and negotiate to form an HA cluster.

The Primary unit synchronizes its configuration with the backup FortiGate. Forming the cluster happens auto- matically with minimal or no disruption to network traffic.

4. Checking cluster operation and disabling override

Check the cluster synchronization status to make sure the primary and backup units have the same con- figuration. Log into the primary unit CLI and enter this command:

diag sys ha cluster-csum

The CLI lists all members’ checksums. If both cluster units have identical checksums you can be sure that their configurations are synchronized. If the checksums are different wait a short while and enter the com- mand again. Repeat until the checksums are identical. It may take a while for some parts of the configuration to be synchronized. If the checksums never become identical contact Fortinet support to help troubleshoot the problem.

Disable override on the primary unit (recommended).

config system ha

set override disable

end

The HA cluster dynamically responds to network conditions. If you keep override enabled the same FortiGate will always be the primary FortiGate. Because of this, however; the cluster may negotiate more often poten- tially disrupting traffic.

If you disable override it is more likely that the new FortiGate unit could become the primary unit. Disabling override is recommended unless its important that the same FortiGate remains the primary unit.

Connect to the primary FortiGate GUI and go to System > HA to view the cluster information.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.

  1. 5. Results

Normally, traffic should now be flowing through the primary FortiGate. However, if the primary FortiGate is unavailable, traffic should failover and the backup FortiGate will be used. Failover will also cause the primary and backup FortiGates to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate.

You will see a momentary pause in the Ping res- ults, until traffic diverts to the backup FortiGate, allowing the Ping traffic to continue.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.