Thank you for your great tutorial, one question.. did you make the configuration for 2nd fortigate same from master FG before configure HA? or the configuration will be automatically synchronize after HA connected.
Direct is most ideal(ie. I can't think of why we'd want to introduce a switch unless it's necessary such as if both firewalls are physically located further from each other) . A switch can be used too though (just gotta make sure the frames get forwarded by the switch).
can i use different /30 subnets in port1 and port3 of active & passive firewall? and if i configure eBGP neighbor using port1 and port3, then what attribute will differentiate routes published from active & passive firewalls?
Im confused how to connect the switch to fortigate and how to write a policy for this ? Can you help me with details on this connection.. i have two fortigate 121g and two switches 424E-FPOE ..im new to networking.. i dont know how to implement HA in this.. kindly help my job is on the line 🙏
Here's a link on what appears to be the topology you are trying to setup: docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units
Yes fg2 will change its external ip to be the same one as fg1. Although fg2 won't actually 'claim' the fg1 ip from a networking perspective until fg1 goes down
Did you need to create an aggregate interface to connect the FortiGates to the lan switch? When i setup this in my environment it doesn't like that I have the 2 gates connected to the same switch
The first minute and a half of the video covers this, just try to relate it to IPsec to answer your question. So for IPsec, both firewalls have the identical configuration for each VPN, the passive firewall will only actually use its config (and the IPs bound to the physical interfaces that the IPsec interface is associated with) when a failover event occurs. The purpose of HA is to essentially have a carbon copy of the exact same firewall config, there isn't extra logic/behavior on the passive firewall for different features(there are some exceptions to this)
How so? Let me know if you have a question so I can help answer it. Using my example, the switch could be a dumb switch, it's purpose is to place both fortigate interfaces on the same broadcast domain and to facilitate GARP updates
Thank you for your great tutorial, one question.. did you make the configuration for 2nd fortigate same from master FG before configure HA? or the configuration will be automatically synchronize after HA connected.
Hi, config will auto sync after HA is established
How you connect HA ports? Directly HA to HA or you connected it via switch? What cable are you used?
Direct is most ideal(ie. I can't think of why we'd want to introduce a switch unless it's necessary such as if both firewalls are physically located further from each other) . A switch can be used too though (just gotta make sure the frames get forwarded by the switch).
HI priority of both firewalls is showing 128 default. So how these firewalls become primary and secondary???
can i use different /30 subnets in port1 and port3 of active & passive firewall? and if i configure eBGP neighbor using port1 and port3, then what attribute will differentiate routes published from active & passive firewalls?
Im confused how to connect the switch to fortigate and how to write a policy for this ? Can you help me with details on this connection.. i have two fortigate 121g and two switches 424E-FPOE ..im new to networking.. i dont know how to implement HA in this.. kindly help my job is on the line 🙏
Here's a link on what appears to be the topology you are trying to setup:
docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units
Thanks for this. Studying NSE4. Very frustrating how a vendor overcomplicates its technology.
After HA gets sycnrhonized, will FG2 change it's primary/external IP address or keep the separate one that it started with?
The reason i ask is realted to IPSEC Tunnels
Yes fg2 will change its external ip to be the same one as fg1. Although fg2 won't actually 'claim' the fg1 ip from a networking perspective until fg1 goes down
Did you need to create an aggregate interface to connect the FortiGates to the lan switch? When i setup this in my environment it doesn't like that I have the 2 gates connected to the same switch
aggregate interface is not a requirement. I'd say call into TAC for troubleshooting assistance.
I am confused on how IPsec works on active-passive? Do I have two independent tunnels? Do both members of the cluster send keepalives?
The first minute and a half of the video covers this, just try to relate it to IPsec to answer your question. So for IPsec, both firewalls have the identical configuration for each VPN, the passive firewall will only actually use its config (and the IPs bound to the physical interfaces that the IPsec interface is associated with) when a failover event occurs.
The purpose of HA is to essentially have a carbon copy of the exact same firewall config, there isn't extra logic/behavior on the passive firewall for different features(there are some exceptions to this)
Should FG2 start out with zero polices/networks/vlan/other-configuration, other than a public IP address?
Yes no config needed on fg2, just need to be able to access it so even pub ip not actually needed
Nice one. Thanks.
Super confused on the way you have these hooked up to the switches.
How so? Let me know if you have a question so I can help answer it.
Using my example, the switch could be a dumb switch, it's purpose is to place both fortigate interfaces on the same broadcast domain and to facilitate GARP updates