FortiGate 60F HA Cluster Build

  • Published: 9 Jul 2024
  • Let's try this again. This is a video about how to build an HA cluster out of two FortiGate 60Fs and two FortiSwitch 124Fs.

Comments • 95

  • @clevtrev96
    @clevtrev96 1 year ago +1

    The GOAT of FortiGate tutorials

  • @darkhsu
    @darkhsu 2 years ago +9

    Sounds like you have just been through a rough day. Cheer up Mike, we do like your videos. 😉

  • @RaviChinasamy
    @RaviChinasamy 2 years ago +2

    Great to see that you are back at last. 😊

  • @drostoker
    @drostoker 2 years ago

    Missed your videos. Looking forward to more in the near future.

  • @Stingray7423
    @Stingray7423 2 years ago

    Great as always!

  • @JasonsLabVideos
    @JasonsLabVideos 2 years ago

    Wicked video Mike, I did an HA setup too with my 61Es and a pair of Cisco 24-port switches :) Keep these videos coming!

  • @JoeyGarcia
    @JoeyGarcia 2 years ago +2

    I have a pair of 500D and 300D FortiGate firewalls. Each pair is in HA. Definitely nice to have in the enterprise! I'm planning on introducing a pair of 1024Ds and hopefully utilizing MC-LAG.

  • @thewaterboy2013
    @thewaterboy2013 2 years ago +1

    Thanks for this, Mike! Been very curious about the process for this for some time, but haven't had two Fortis to do this with or had anyone to watch do this.

    • @MBNhub
      @MBNhub 2 years ago

      You can do it with a Forti VM.

    • @thewaterboy2013
      @thewaterboy2013 2 years ago

      @@MBNhub I hadn't looked into the VMs for Forti; can you get them for free/evaluation for a lab setup?

  • @Darkk6969
    @Darkk6969 2 years ago

    I have a pair of 601Es at the data center and corporate office. Both use an HA setup, although I am not using two Fortinet switches as HA. They're configured with a group of 4 port VLANs to handle the WAN, LAN, VOIP and DMZ. It's not ideal but it makes moving the physical cables from one switch to another easy if one should die. I also have a third switch as a cold spare in the rack. I did the same thing with the WatchGuards before we moved to Fortinet products. Some ISP providers will give you two WAN drops for your HA setup.
    I agree on using active and passive in the HA cluster so you don't get into a pinch about performance if you need to do maintenance or one should die. One thing I did like about WatchGuard's license policy for an active/passive setup is that you only need live security on both devices. IPS and other licensed services are only required on the active device.

  • @ivarutne6228
    @ivarutne6228 2 years ago

    I love FortiGate because it is extremely simple and extremely clear (best GUI) vs. Palo Alto, SRX and so on. The team at Fortinet does good work.

  • @PabloMartinez-ds3og
    @PabloMartinez-ds3og 7 months ago +1

    Excellent, thank you :)

  • @DeesoSaeed
    @DeesoSaeed 2 years ago +1

    Recently configured two FortiGate 200Fs in HA and two FortiSwitch 524Ds as core with MCLAG ICL, then a bunch of 148Fs hanging from the latter for edge switching.

  • @dgilvani
    @dgilvani 2 years ago

    Tight! Tight!! TY

  • @gastonsalazar5052
    @gastonsalazar5052 2 years ago

    Thanks, genius!!!

  • @portalend
    @portalend 2 years ago +2

    Could you do a video on transitioning from static routing to dynamic routing like OSPF? I'm sure lots of people start out on entirely static routes and then reach a scale where it becomes a pain to manage. I'm interested in the specifics of how the static routing will interact with the dynamic routes during the transition. Asking for a friend. 😉

  • @DhammikaNirodha
    @DhammikaNirodha 1 year ago

    Great

  • @quikmcw
    @quikmcw 2 years ago

    Would like to make a request: can you do a video setting up two APs as a bridge, connecting two FSWs together with FortiLink and multiple VLAN operation? This configuration is stumping the Fortinet engineers!

  • @mohamedabdullahi3665
    @mohamedabdullahi3665 1 year ago

    thanks well legend

  • @ottawa29m
    @ottawa29m 2 years ago +2

    1 - What options should we enable on the CLI to have a smooth failover?
    2 - Can you do a video on using a firewall at layer 2, and maybe touch on how this works in a cluster?

    • @databeestje
      @databeestje 1 year ago

      You can reset the HA timer, that will make it do a seamless failover.

  • @ashrafhelal9354
    @ashrafhelal9354 2 years ago

    Thanks for doing those videos, they are very good. I have a question about "port channel":
    can we create a port channel with two cables from FortiGate1, one cable going to FortiSwitch1 and the other to FortiSwitch2, and do the same with FortiGate2?

  • @terrykilpatrick5799
    @terrykilpatrick5799 2 years ago +1

    I find your content very helpful; the only thing that would help is if you could speak a bit more loudly or add a bit more volume to the audio, because sometimes it's difficult to understand clearly what you are saying. Thanks and keep them coming. 👍

  • @balla2172
    @balla2172 2 years ago +1

    Gave you credit with Corporate Armor for the whole new network I just bought. I'd love to get another 601 so I could do HA, but the budget just isn't there unfortunately.

  • @oralmolden1158
    @oralmolden1158 2 years ago

    A while back I added MCLAG, and you mentioned it; any plans to make a video on that? I also have a NAC deployment and was wondering if you had plans to make a video for pointers. Maybe I missed something, maybe I missed a lot.

  • @dergarmark7189
    @dergarmark7189 2 years ago +1

    Good video! Could you please make a video with a deep dive into the HA options such as monitoring ports and manual failover and failback? Maybe you could show HA status in the CLI too. You could show how a firmware update works with HA.

    • @mrStarcKbe
      @mrStarcKbe 2 years ago

      Sometimes it happens that your cluster isn't in sync through the GUI. The following command through the CLI can help you check that: "diag sys ha checksum cluster". This way you are certain that the cluster is OK. You can set up more HB interfaces and perhaps a dedicated one for the TCP sessions to fail over. Then you have that group ID, which I highly recommend changing if the customer has multiple FortiGate clusters. At last, the commands "set override enable" and "set override-wait-time 300" so the cluster will automatically fall back to the primary device after a failover. Not going into details like changing the ether packets. 👍

    • @adipapaianus5723
      @adipapaianus5723 1 year ago

      @@mrStarcKbe You are 110% right! Every HA cluster should have "set group-id XY" configured. I had a situation in the past where WAN1 was constantly flapping due to another FortiGate HA cluster on the WAN subnet! It was like crazy! Once I had configured group-id the pain went away, and HA has been running rock solid for the past 3 years on the 6.2.x release.

  • @boyd8871
    @boyd8871 3 months ago

    Hello, can you explain more why the FortiGate is degraded when the primary/slave fails in an active-active setup?

  • @gobofraggel7383
    @gobofraggel7383 2 years ago

    The only firewall I know is Sophos XG and now XGS. I configured HA for a client that is a 24/7 company with 7 warehouses, and it was easy and it worked as expected. I have always been intrigued by FortiGate. Which is better?

  • @lazzybug007
    @lazzybug007 4 months ago

    Well, it all looks easy for you... I never did an IRL setup so far... hope I will be successful 🤞... being a fresher in this field without any support, it feels so difficult 😭

  • @ashrafhelal9354
    @ashrafhelal9354 2 years ago

    13:03 I was wondering, if there isn't a DHCP, how are they going to get a new management IP? And can we do it through the CLI?

  • @dirkmare6445
    @dirkmare6445 2 years ago

    Hi Mike, new to FortiGate FW. I recently watched your video about firmware upgrades and your three rules. I would really like to use video content filtering but it's only included in v7 and not v6.4.6.
    So I guess my question is, for a new out-of-the-box setup, is it safe/advisable to upgrade to newer firmware, and when do you bite the bullet to do upgrades in production?
    EXAMPLE: GA minus 2 versions
    Thanks

  • @ian230187
    @ian230187 1 year ago

    Hey... have a doubt here...
    Did you get a chance to check the CAM table on the LAN switch where the secondary ports are connected?
    They do not populate the physical MAC address of the FortiGate NIC... wanted to understand the concept.

  • @pavelbrusnicky2723
    @pavelbrusnicky2723 2 years ago

    How about a FortiGate vs. multiple switches session? Thanks.

  • @serlegar
    @serlegar 2 years ago

    That MAC address story reminds me of the day when I installed a FortiGate cluster in a data center where another client already had another FortiGate cluster. We were both connected to the same data center internet provider switch and obviously spoofing the same MAC address...

    • @FortinetGuru
      @FortinetGuru 2 years ago +3

      Yeah. The key around that is to change the HA group ID to a different number.

    • @mrStarcKbe
      @mrStarcKbe 2 years ago

      @@FortinetGuru True.

    • @adipapaianus5723
      @adipapaianus5723 1 year ago

      Same story here... always set group-id for an HA cluster.

  • @askmethod
    @askmethod 12 days ago

    13:03 Where did you bring the floating IP from?

  • @jamesmyers777
    @jamesmyers777 1 year ago

    Would have been good to discuss session pickup more: what types of sessions can and can't be failed over, and other ideas like that. I would also like to know more about active-active. Any chance of another HA video, mate?

  • @frankperera3885
    @frankperera3885 1 year ago

    Can someone explain how to do the process mentioned at 12:40?

  • @zSnowFlakesTV
    @zSnowFlakesTV 2 years ago

    Guru, I'm having a really hard time finding a way to build a whitelist in FortiOS 7.0.2. Could you make a video talking about whitelist and blacklist rules and how to build them properly? I've been researching Reddit and the Forti cookbook but I just can't figure out what I'm doing wrong. Love your videos, I learned a lot from you, keep it up!!

  • @knithiyanandhan
    @knithiyanandhan 2 years ago

    Need help: I need to allow port 3306 from outside the company for one particular IP address?

  • @MladenMarinov
    @MladenMarinov 2 years ago

    Hi, I like your lectures.
    Unfortunately I have a problem you did not review: passing the multicast traffic from the provider to the STB.
    Can I contact you to guide me about this?

  • @dmitriykott769
    @dmitriykott769 2 years ago

    Hello, please make a review of the new version FortiOS 7.2!

  • @billwoodall562
    @billwoodall562 2 years ago

    Good video, I do have a question. Can you HA an existing firewall? I have a 201F and bought a backup unit.

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Sure can

    • @billwoodall562
      @billwoodall562 2 years ago

      @@FortinetGuru I am assuming it's the same process, just make the primary firewall the master first?

  • @renhe108
    @renhe108 2 years ago

    Do you consider setting a monitor port in the HA settings? If the port goes down, the failover will happen right away.

    • @FortinetGuru
      @FortinetGuru 2 years ago

      That is correct. You would configure monitoring of the port for physical outages. Link monitors will assist if the upstream link is "green" but not passing traffic.

  • @cankitchourasia
    @cankitchourasia 2 years ago

    I see you did not select the "Monitor Interface" option under HA. Curious to know how the FWs will detect a failover scenario.

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Once this FortiGate cluster is installed on location I will pick the monitored interfaces based on need. 99% chance I will use the FortiLink aggregate and the wan1 port.
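The settings these threads keep coming back to (a non-default group-id so two clusters on one L2 segment do not share a virtual MAC, override with a wait time for automatic failback, extra heartbeat links, session pickup, and monitored interfaces), collected into one `config system ha` fragment. This is an added example, not the video's configuration: the heartbeat port names port4/port5, the group ID 7, the priorities and the password are constructed values, and the monitored interfaces follow the reply above (wan1 and the FortiLink aggregate, assumed to be named "fortilink").

```fortios
# Added example: active-passive HA, entered on the unit that should be primary.
# group-id defaults to 0. The cluster's virtual MAC addresses are derived from it,
# so two clusters with the same group-id on one ISP/data-center switch will clash
# (the WAN1 flapping described in the comments). Pick a distinct value per cluster.
config system ha
    set group-id 7                          # constructed, non-default value
    set group-name "FGT60F-HA"              # constructed name
    set mode a-p
    set password "PLACEHOLDER-HA-PASSWORD"  # placeholder; must match on both units
    set hbdev "port4" 50 "port5" 50         # two heartbeat links (assumed port names)
    set session-pickup enable               # sync sessions so established flows survive failover
    set override enable                     # fail back to the highest-priority unit ...
    set override-wait-time 300              # ... only after 300 s of stable heartbeat
    set priority 200                        # in HA the HIGHER priority wins
    set monitor "wan1" "fortilink"          # link loss on either triggers failover
end

# Second unit: identical cluster settings, lower priority so it stays secondary.
config system ha
    set group-id 7
    set group-name "FGT60F-HA"
    set mode a-p
    set password "PLACEHOLDER-HA-PASSWORD"
    set hbdev "port4" 50 "port5" 50
    set session-pickup enable
    set override enable
    set override-wait-time 300
    set priority 100
    set monitor "wan1" "fortilink"
end

# Verification from the primary's CLI, as suggested in the thread:
get system ha status                 # member roles, heartbeat state, sync status
diagnose sys ha checksum cluster     # per-member config checksums must be identical
```

If the checksums differ, the GUI can still show the cluster as healthy, which is why the commenter recommends checking from the CLI before trusting a failover.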

  • @RichardDePas
    @RichardDePas 2 years ago

    Set this up about 6 months ago with 101F FortiGates and 124F FortiSwitches. Opted for the FortiLink split interfaces. Probably more of a pain than I needed to go through. Had one switch drop offline and needed a hard reboot to get it going again. Never did find the root cause.

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Yeah, I've had that happen as well.

    • @RichardDePas
      @RichardDePas 2 years ago

      @@FortinetGuru Any clue why it happened? Or is that a bug in 7.0 code?

  • @salvadorseekatzrisquez2947
    @salvadorseekatzrisquez2947 2 years ago

    My experience is that HA makes the maintenance window longer because of the delay after one reboots: we need to wait for them to sync again. Depending on the customer, some connections to the Internet will break during HA, so for some customers it's more outages rather than fewer. I am not advocating against redundancy, it's definitely nice to have. But a single reboot for an upgrade... Maybe Fortinet could improve the way they upgrade. Also, I noticed this on Active/Passive. Active/Active is not really a fact; I have tried to work with Fortinet Support and they have said that it doesn't really work to avoid outages.

    • @mrStarcKbe
      @mrStarcKbe 2 years ago

      True on the A-A part, but not completely true on the HA part. You can set override to disable so it won't switch back to the primary unit. This way you can initiate it yourself. The first failover will always be faster than a single unit. 👍

  • @salvadorseekatzrisquez2947
    @salvadorseekatzrisquez2947 2 years ago

    I like the sound of your keyboard and mouse, what do you use?

  • @shanegreentree7851
    @shanegreentree7851 8 months ago

    Hi. I am looking at buying two 60Fs; can I use a Unifi switch to set up HA?

  • @MuhammadWaqas-fq3yg
    @MuhammadWaqas-fq3yg 2 years ago

    Can we test the HA cluster on EVE-NG? Did anyone try it?

  • @allferryrocha2698
    @allferryrocha2698 2 years ago

    Hey Mike, good time for you to make a video on how to block Log4J on a FortiGate FW.

    • @mrStarcKbe
      @mrStarcKbe 2 years ago

      Use IPS signatures and use them as they should be used, on "severity" level. So use the IPS filter to block medium, high and critical severity levels. Put them on ALL policies! Also on internal ones, so a breached client can't use a signature (medium, high or critical). For traffic coming from the internet use that same IPS filter. And for servers where you can use SSL server protection, put that on too so you can inspect HTTPS traffic as well.

  • @abdomordy6935
    @abdomordy6935 1 year ago

    How can I deploy FortiGate FW HA active-active on AWS in a multi-AZ environment with autoscaling?

  • @headdstrong983
    @headdstrong983 2 years ago

    Hello from Russia.
    BTW, recently I configured a FortiGate 200 with HA mode in production.

  • @hennessy6996
    @hennessy6996 2 years ago

    Hi, do you usually do Central NAT?
    Is your preference Flow-based inspection?

    • @FortinetGuru
      @FortinetGuru 2 years ago

      The majority of my firewalls are done with UTM Profile mode and standard NAT. I have started doing more and more with NGFW Policy mode and Central NAT (especially conversions from PAN devices).

    • @rosatechnocrat2206
      @rosatechnocrat2206 2 years ago

      For working mode or faster traffic, flow mode is better, but in flow mode some of the features are not allowed, as in flow mode the connection is not terminated on the FortiGate. But if you want deep inspection then proxy mode is better.

  • @IxTapewormxI
    @IxTapewormxI 2 years ago

    Hope you're doing alright Chuck, it's been a few months. Can you show us how to configure a FortiSwitch 224E in standalone mode? I've been having issues getting mine to work correctly with the management VLAN.

    • @FortinetGuru
      @FortinetGuru 2 years ago

      I am alive, but in the famous words of Big Hero 6... I am not fast... haha

  • @Firecross666
    @Firecross666 2 years ago

    Do you have any interest or experience in configuring FortiWeb?

  • @rodneyaltamera4057
    @rodneyaltamera4057 2 years ago

    Hi Fortinet Guru, I have a question. I have a setup that is in an HA cluster (Active-Active). The problem is that when I update the firmware both firewalls lose connection and restart. I was expecting that the primary would be updated first, then the backup next. Can you give me any advice on what I am doing wrong? Thanks

    • @mrStarcKbe
      @mrStarcKbe 2 years ago

      Normally you log in on the primary device so the upgrade command is sent to the primary device. Then it checks the checksum and if it's good it will send the update to the secondary device. It will then start updating. In an active/active cluster the load balancing is turned off so all traffic will be routed towards the primary device.

  • @uneeds2122
    @uneeds2122 2 years ago

    Hello Fortinet Guru,
    just one question please.
    I have a FortiGate on which I made a web filter,
    but some users use a VPN to pass through the web filter.
    How can I fix this, what is the method to solve this?
    Thank you

    • @FortinetGuru
      @FortinetGuru 2 years ago +1

      Block VPN access at the application level.

  • @amro_hadi
    @amro_hadi 2 years ago

    Hey, Fortinet Guru, do you have any videos for VDOMs?

    • @rosatechnocrat2206
      @rosatechnocrat2206 2 years ago

      What kind of videos do you need for VDOMs?

    • @amro_hadi
      @amro_hadi 1 year ago

      @@rosatechnocrat2206 What VDOMs are, for a start, what the use cases are where VDOMs can be useful, and how the traffic flows in VDOMs.

  • @rikerud
    @rikerud 2 years ago

    What equipment are you running yourself these days?

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Still cruising on an 80E-POE at the house.

    • @rikerud
      @rikerud 2 years ago

      @@FortinetGuru Using Forti APs with it as well?

  • @thebocop
    @thebocop 1 year ago

    Confused on how you have this hooked up to the switches...

    • @FortinetGuru
      @FortinetGuru 1 year ago

      In what way? Port A of each FortiGate goes to each switch and port B of each FortiGate does the same. Split link on the FortiLink makes it a full mesh. Another option is A of each FortiGate to switch 1 and B of each FortiGate to switch 2, with split FortiLink off.

    • @thebocop
      @thebocop 1 year ago

      @@FortinetGuru I found out I had to delete a few interfaces to make them available for the HA ports on the 60F.... (4 and 5)

  • @raphaelfigueredo5524
    @raphaelfigueredo5524 10 months ago

    Fortinet god

  • @ITS-yk5ky
    @ITS-yk5ky 1 month ago

    The part about the device priority is wrong. The lower the number, the higher the priority.

    • @FortinetGuru
      @FortinetGuru 1 month ago

      No. In HA higher priority wins. In routing, lower priority wins.

  • @xephael3485
    @xephael3485 2 years ago

    1:35 FortiGates use HSRP? Don't use Cisco trash... VRRP, etc.

  • @IsmailNuzaifKokky
    @IsmailNuzaifKokky 2 years ago

    .

  • @khalil4826
    @khalil4826 1 year ago

    bla bla bla ...

  • @waqaskhan-cx5dx
    @waqaskhan-cx5dx 2 years ago

    I have two FortiGate 201F firewalls and want to configure cluster HA. I also have two WAN connections. I need a little help with that. Can you please share your email address so we can discuss it, sir?