FGSP CLI command name changed

The FortiOS 5.2 command config system session-sync has been changed in FortiOS 5.4 to config system cluster-sync. Otherwise the command syntax is the same and the config system ha commands used for FGSP settings have not changed.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

HA heartbeat traffic set to the same priority level as data traffic

Local-out traffic, including HA heartbeat traffic, is now set to high priority to make sure it is processed at the same priority level as data traffic. This change has been made because HA heartbeat traffic can be processed by NP6 processors that are also processing data traffic. When HA heartbeat traffic was set to a lower priority, it may have been delayed or dropped by very busy NP6 processors, resulting in HA failovers.

Firewall local-in policies are supported for the dedicated HA management interface

To add local-in policies for the dedicated HA management interface, enable ha-mgmt-intf-only and set intf to any. Enabling ha-mgmt-intf-only means the local-in policy applies only to the VDOM that contains the dedicated HA management interface.

config firewall local-in-policy
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        etc…
    end

VOIP application control sessions are no longer blocked after an HA failover

If you were one of those people, like me, who had application control sessions blocked after an HA failover, then 5.4 may be beneficial for you! See below!

VOIP application control sessions are no longer blocked after an HA failover (273544)

After an HA failover, VoIP sessions that are being scanned by application control will now continue with only a minor interruption, if any. To support this feature, IPS UDP expectation tables are now synchronized between cluster units.

FRUP is not supported by FortiOS 5.4

With the changes to switch mode, FRUP is no longer available on the FortiGate-100D.

FGCP Supports BFD Enabled BGP Graceful Restart After an HA Failover

If an HA cluster is part of a Border Gateway Protocol (BGP) bidirectional forwarding detection (BFD) configuration where both the cluster and the BGP static neighbor are configured for graceful restart, after an HA failover BGP enters graceful restart mode and both the cluster and the BGP neighbor keep their BGP routes.

To support HA and BFD enabled BGP graceful restart:

  • From the cluster, configure the BFD enabled BGP neighbor as a static BFD neighbor using the config router bfd command. Set the BGP auto-start timer to 5 seconds so that after an HA failover, BGP on the new primary unit waits for 5 seconds before connecting to its BFD neighbors, and then registers BFD requests after establishing the connections. With static BFD neighbors, BFD requests and sessions can be created as soon as possible after the failover. The command get router info bfd requests shows the BFD peer requests.
  • The BFD session created for a static BFD neighbor/peer request initializes its state as INIT instead of DOWN and its detection time as bfd-required-min-rx * bfd-detect-mult msecs.
  • When a BFD control packet with a nonzero Your Discriminator (your_discr) value is received, if no session can be found to match the your_discr, instead of discarding the packet, other fields in the packet, such as addressing information, are used to choose one session that was just initialized, with zero as its remote discriminator.
  • When a BFD session in the UP state receives a control packet with zero as Your Discriminator and DOWN as State, the session changes its state to DOWN but will not notify this DOWN event to BGP and/or other registered clients.
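The session-matching and state rules in the list above, as an added Python model that is not Fortinet code: a minimal BFD session table that demultiplexes control packets by Your Discriminator, falls back to address matching on a just-initialised static-neighbor session (remote discriminator still zero) instead of discarding the packet, and drops an UP session to DOWN without notifying BGP when a zero-discriminator DOWN arrives. The packet dict fields, the BfdTable API and the 250 ms / 3 defaults are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DOWN, INIT, UP = "DOWN", "INIT", "UP"   # BFD session states (RFC 5880)

@dataclass
class BfdSession:
    local_discr: int
    peer: str                      # neighbor address, used for address-based matching
    required_min_rx_ms: int = 250  # bfd-required-min-rx (assumed default)
    detect_mult: int = 3           # bfd-detect-mult (assumed default)
    state: str = INIT              # a static-neighbor session starts in INIT, not DOWN
    remote_discr: int = 0          # stays zero until a control packet is matched to the session
    notified: list = field(default_factory=list)  # state changes reported to BGP and other clients

    def detection_time_ms(self) -> int:
        return self.required_min_rx_ms * self.detect_mult

class BfdTable:
    def __init__(self):
        self.by_discr = {}         # local discriminator -> BfdSession

    def add_static_neighbor(self, peer, local_discr, min_rx_ms=250, detect_mult=3):
        return self.by_discr.setdefault(local_discr, BfdSession(local_discr, peer, min_rx_ms, detect_mult))

    def _by_address(self, peer, fresh_only):
        return next((s for s in self.by_discr.values() if s.peer == peer
                     and (not fresh_only or (s.state == INIT and s.remote_discr == 0))), None)

    def receive(self, pkt):
        """Demultiplex one control packet (a dict of the relevant fields) and run the state machine."""
        if pkt["your_discr"] == 0:                                 # RFC 5880: match on addressing only
            s = self._by_address(pkt["src"], fresh_only=False)
        elif (s := self.by_discr.get(pkt["your_discr"])) is None:  # unknown Your Discriminator: instead of
            s = self._by_address(pkt["src"], fresh_only=True)      # discarding, pick a just-initialised session
        if s is None:
            return None
        if pkt["your_discr"] == 0 and pkt["state"] == DOWN and s.state == UP:
            s.state = DOWN              # goes DOWN, but nothing is reported to BGP or other clients
            return s
        s.remote_discr = pkt["my_discr"]
        if pkt["state"] == DOWN:        # RFC 5880: Down+Down -> Init, Up+Down -> Down (reported)
            new = INIT if s.state == DOWN else DOWN if s.state == UP else s.state
        else:                           # Down+Init, Init+Init, Init+Up -> Up; Down+Up stays Down
            new = UP if s.state == INIT or pkt["state"] == INIT else s.state
        if new != s.state and new != INIT:
            s.notified.append(new)
        s.state = new
        return s
```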

DMZ Setup On FortiGate 92D

So I went through my FortiGate and created a guest wireless network for my little PC troubleshooting side business. The last thing I want is their malware-infested machines giving my home or work computers the crud. I also took this time to jump in and get my DMZ set up for the webserver that I am going to host off my business line.

For those of you who remember, I have 2 internet connections coming into my FortiGate 92D. I have a Charter personal line that gives me 135/5 (man, I wish they could get that upload up) and a business line with a static IP, also through Charter, that gives me 100/7 (again, I need more upload, ugh).

Either way, things are going swimmingly. I’m going to make some videos to help get my home network more up to par and to explain and show what I am doing. I figured you would like something like that.

I just wanted to provide that little tidbit of information. I will eventually provide a Visio diagram of my network at the house (sanitized, of course).

Fortigate HA

High Availability FortiOS 5.4 Before You Begin

So, a lot of people are starting to deploy HA clusters of Fortinet hardware, which is awesome. There are, however, some things you will want to consider before doing so. Here is a drill-down from the Fortinet HA for FortiOS 5.4 Administration document.

Before you begin

Before you begin using this guide, take a moment to note the following:

  • If you enable virtual domains (VDOMs), HA is configured globally for the entire FortiGate unit and the configuration is called virtual clustering.
  • This HA guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
  • The configuration examples show steps for both the web-based manager (GUI) and the CLI. At this stage, the following installation and configuration conditions are assumed:
  • You have two or more FortiGate units of the same model available for configuring and connecting to form an HA cluster. You have a copy of the QuickStart Guide for the FortiGate units.
  • You have administrative access to the web-based manager and CLI.

Many of the configuration examples in this document begin with FortiGate units configured with the factory default configuration. This is optional, but may make the examples easier to follow. As well, you do not need to have installed the FortiGate units on your network before using the examples in this document.

Before you set up a cluster

Before you set up a cluster, ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster. Do all the FortiGate units have the same hardware configuration, including the same hard disk configuration and the same optional components installed in the same slots?

1. Do all FortiGate units have the same firmware build?
2. Are all FortiGate units set to the same operating mode (NAT or Transparent)?
3. Are all the FortiGate units operating in the same VDOM mode?
4. If the FortiGate units are operating in multiple VDOM mode, do they all have the same VDOM configuration?
