Fortinet: Configuring HA on FortiGate firewalls

แชร์
ฝัง
  • เผยแพร่เมื่อ 18 พ.ย. 2024

ความคิดเห็น • 21

  • @khonde_99
    @khonde_99 7 หลายเดือนก่อน +1

    Thank you for your great tutorial, one question.. did you make the configuration for 2nd fortigate same from master FG before configure HA? or the configuration will be automatically synchronize after HA connected.

  • @kmcgaughmohr
    @kmcgaughmohr ปีที่แล้ว

    Thanks for this. Studying NSE4. Very frustrating how a vendor overcomplicates its technology.

  • @ajeeshca7929
    @ajeeshca7929 6 หลายเดือนก่อน

    HI priority of both firewalls is showing 128 default. So how these firewalls become primary and secondary???

  • @rockinron5113
    @rockinron5113 ปีที่แล้ว +2

    Nice one. Thanks.

  • @neel068119
    @neel068119 5 หลายเดือนก่อน

    can i use different /30 subnets in port1 and port3 of active & passive firewall? and if i configure eBGP neighbor using port1 and port3, then what attribute will differentiate routes published from active & passive firewalls?

  • @Sebastian-z6d3f
    @Sebastian-z6d3f 9 หลายเดือนก่อน

    How you connect HA ports? Directly HA to HA or you connected it via switch? What cable are you used?

    • @tothepointfortinet3823
      @tothepointfortinet3823  9 หลายเดือนก่อน

      Direct is most ideal(ie. I can't think of why we'd want to introduce a switch unless it's necessary such as if both firewalls are physically located further from each other) . A switch can be used too though (just gotta make sure the frames get forwarded by the switch).

  • @danif1359
    @danif1359 ปีที่แล้ว

    I am confused on how IPsec works on active-passive? Do I have two independent tunnels? Do both members of the cluster send keepalives?

    • @tothepointfortinet3823
      @tothepointfortinet3823  ปีที่แล้ว +1

      The first minute and a half of the video covers this, just try to relate it to IPsec to answer your question. So for IPsec, both firewalls have the identical configuration for each VPN, the passive firewall will only actually use its config (and the IPs bound to the physical interfaces that the IPsec interface is associated with) when a failover event occurs.
      The purpose of HA is to essentially have a carbon copy of the exact same firewall config, there isn't extra logic/behavior on the passive firewall for different features(there are some exceptions to this)

  • @alastaircupples
    @alastaircupples ปีที่แล้ว

    Did you need to create an aggregate interface to connect the FortiGates to the lan switch? When i setup this in my environment it doesn't like that I have the 2 gates connected to the same switch

    • @tothepointfortinet3823
      @tothepointfortinet3823  ปีที่แล้ว

      aggregate interface is not a requirement. I'd say call into TAC for troubleshooting assistance.

  • @lazzybug007
    @lazzybug007 9 หลายเดือนก่อน

    Im confused how to connect the switch to fortigate and how to write a policy for this ? Can you help me with details on this connection.. i have two fortigate 121g and two switches 424E-FPOE ..im new to networking.. i dont know how to implement HA in this.. kindly help my job is on the line 🙏

    • @tothepointfortinet3823
      @tothepointfortinet3823  9 หลายเดือนก่อน

      Here's a link on what appears to be the topology you are trying to setup:
      docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units

  • @mattashfield2567
    @mattashfield2567 7 หลายเดือนก่อน

    Should FG2 start out with zero polices/networks/vlan/other-configuration, other than a public IP address?

    • @tothepointfortinet3823
      @tothepointfortinet3823  7 หลายเดือนก่อน

      Yes no config needed on fg2, just need to be able to access it so even pub ip not actually needed

  • @mattashfield2567
    @mattashfield2567 7 หลายเดือนก่อน

    After HA gets sycnrhonized, will FG2 change it's primary/external IP address or keep the separate one that it started with?

    • @mattashfield2567
      @mattashfield2567 7 หลายเดือนก่อน

      The reason i ask is realted to IPSEC Tunnels

    • @tothepointfortinet3823
      @tothepointfortinet3823  7 หลายเดือนก่อน

      Yes fg2 will change its external ip to be the same one as fg1. Although fg2 won't actually 'claim' the fg1 ip from a networking perspective until fg1 goes down

  • @thebocop
    @thebocop ปีที่แล้ว

    Super confused on the way you have these hooked up to the switches.

    • @tothepointfortinet3823
      @tothepointfortinet3823  ปีที่แล้ว +1

      How so? Let me know if you have a question so I can help answer it.
      Using my example, the switch could be a dumb switch, it's purpose is to place both fortigate interfaces on the same broadcast domain and to facilitate GARP updates