HA FortiGate Redundant ISP Design and Walk Through

  • Published: 26 May 2019
  • What is necessary from a high level to configure HA FortiGates? What is necessary at a deeper level to configure redundant ISPs on these HA FortiGates?
    www.fortinetguru.com
    Buy Hardware: bit.ly/2QZVeqh
    Get Consulting: bit.ly/36FinSU
    My Other Projects:
    Office Of The CISO: bit.ly/3HGMH1o
    Packet Llama: bit.ly/3SEX3H4
    ###### SOCIAL LINKS ######
    Twitter: bit.ly/2WXiRAv
    Facebook: bit.ly/3eigz4D
    Instagram: bit.ly/3cZneAz
    ######################

Comments • 24

  • @nustiko
    @nustiko 5 years ago +2

    Another interesting video. It is very useful to have practical cases; a good complement to Fortinet's technical files.
    Excuse me for my English. I am from France.

  • @claudioi.villagra9163
    @claudioi.villagra9163 3 years ago

    Thanks for taking the time to do all of those pretty good videos! Question: do the cluster's members need to be the exact same model? I heard that for using HA they must be the same models...?

  • @ojammeh
    @ojammeh 3 years ago +1

    Hi. Thanks for this. If I have a site-to-site VPN in which the other side uses the wan1 public IP as peer, what happens if wan1 is down? Will the other side recognize my wan2 and establish the connection there?

  • @chrism589
    @chrism589 8 months ago

    Glad I found this video as it is a close match to what we have.
    I have a question though. WAN1 and WAN2 use different IP address ranges. If WAN1 goes down (which is also our range of public IPs), how can external users access our websites? We can inform our service provider to advertise the WAN1 addresses via WAN2, but if WAN1 is down they can no longer get to WAN1 as the link is down. Can they get to it via WAN2? Is it possible for traffic coming into WAN2 to access the addresses on WAN1? Hope I am making sense?

    • @FortinetGuru
      @FortinetGuru  5 months ago

      It will use the external IP of the interface. If you need public IPs to persist then you would use BGP with a public space you own. If you want publicly accessible stuff to be available you would use some level of dynamic or DNS failover to change records when the primary link goes down.

  • @battlement
    @battlement 5 years ago +2

    So strange, I just set up my first HA pair last week. I also have a Splunk shirt that reads "Because Ninjas Are Too Busy". It's good to know that the HA pair was set up correctly. Have you messed around with the automation feature in 6.2? I tried making a "Conserve Mode Emergency Reboot" event that runs a CLI script that does an "exe reboot" followed by a "y", but it doesn't seem to be working. Any thoughts on what I am missing? Thanks for sharing your knowledge!

    • @FortinetGuru
      @FortinetGuru  5 years ago

      I haven't dove as deep into 6.2 as I would like to just yet. I love Splunk!

  • @gautamgarg1649
    @gautamgarg1649 2 years ago

    I have two ISPs configured. When one of my ISPs goes down, the second ISP becomes active, but my backup ISP is not passing data. So what can be the reasons behind it?

  • @Plutonash262
    @Plutonash262 1 year ago

    Can I configure FortiGate LAN ports as WAN ports for more than 2 ISP connections?

  • @chrismccann8991
    @chrismccann8991 2 years ago

    If we have the two firewalls separated by distance (still running active/passive) (our ISPs come in different buildings), running a link to each ISP from each FW could be challenging. Is it acceptable to have only a single link from each FW to each ISP link?

    • @wilder92
      @wilder92 1 year ago

      You would have two different ISPs per firewall in the same pair? So the primary would be connected ONLY to ISP1, and the secondary (which is in a different building) connected to ONLY ISP2? If that's the case, it is possible; however, you would not be able to monitor the ISPs because from the cluster perspective, one ISP would always be in a down state (only a physical connection to one ISP). If it's OK to only monitor the LAN, then it would probably work, but you'd lose that WAN up/down monitoring so it may not be useful. I see your comment is a year old, were you able to get this working? Curious to see your solution.

  • @mdabdulmoiz
    @mdabdulmoiz 2 years ago

    One question here: since there is only one link between the two firewalls, is this the only link responsible for sharing heartbeat, link-down info, session table information and config change replication? Don't we use two links as we do with the Palo Alto control link and data links?

    • @FortinetGuru
      @FortinetGuru  2 years ago

      You can utilize two links. Higher end models have two ports specifically labeled as such. You are free to use any port on the device for it as you see fit though.

  • @yehan89
    @yehan89 3 years ago

    Can WAN1 ports on both firewalls have the same IP address? Can you elaborate on the IP assignment on the 2 firewalls and the WAN router?

    • @FortinetGuru
      @FortinetGuru  3 years ago +1

      FortiGates do HA via layer 2. The virtual MAC owns the IP and it floats between the two depending on who is master.

    • @yehan89
      @yehan89 3 years ago

      @@FortinetGuru thanks for sharing your knowledge

  • @leihan942
    @leihan942 7 months ago

    Are Fortigates on NAT mode or transparent mode in this configuration? If I would like to use them in NAT mode, it seems I cannot avoid double NAT. Will IPSec dialup VPN and SSL VPN be affected if double NAT is involved? How about only connecting 1 ISP to 1 FortiGate to avoid double NAT or transparent mode?

    • @FortinetGuru
      @FortinetGuru  5 months ago

      You can run FortiGates just fine like this. You would want public IPs to pass down to the interface though. That will depend on the ISP.

  • @childsplay1495
    @childsplay1495 3 years ago

    In an interview, I was asked: when ISP1 fails the traffic doesn't move to ISP2; it needs a refresh. So why do we need a refresh to move the traffic to ISP2???

    • @FortinetGuru
      @FortinetGuru  3 years ago

      If you have link monitors on the failing links then sessions should fail over fine.
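As an added example that is not part of the video or of anyone's comment in this thread, the FortiOS CLI below ties together the two points raised here: the HA configuration with two heartbeat links and monitored ports (the earlier question about a single inter-firewall link), and link monitors on wan1 and wan2 so that an ISP that is up at layer 1 but not passing traffic has its default route withdrawn and sessions re-route without waiting for a "refresh". The interface names (ha1, ha2, wan1, wan2, internal), the probe targets (documentation addresses from 203.0.113.0/24 and 198.51.100.0/24), the priorities, thresholds and the password placeholder are all assumptions; the syntax is FortiOS 6.x as I know it, and the link-monitor probe interval is left at its default because its unit changed between releases.

```fortios
# Added example (not from the video or the comment thread). Assumes FortiOS 6.x syntax,
# a model with dedicated ha1/ha2 ports, ISP1 on wan1 and ISP2 on wan2.
# Gateway addresses are constructed from the documentation ranges.

# --- HA: two heartbeat links, both WAN ports and the LAN port monitored ---
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password <HA-PASSWORD-PLACEHOLDER>
    # Two heartbeat interfaces: heartbeat, session sync and config sync survive
    # the loss of either cable instead of splitting the cluster.
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    # Port monitoring: a monitored link going down on the master fails the
    # cluster over to the member whose links are still up.
    set monitor "wan1" "wan2" "internal"
    # Remote link monitoring: failed link monitors that carry an ha-priority (below)
    # add up against this threshold. 10 means both ISP probes must fail before HA
    # fails over; a single ISP outage is handled by routing, not by a cluster failover.
    set pingserver-monitor-interface "wan1" "wan2"
    set pingserver-failover-threshold 10
    set pingserver-flip-timeout 60
    set override disable
    set priority 200
end

# --- Link monitors: detect an ISP that is physically up but not forwarding ---
config system link-monitor
    edit "isp1-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        # Withdraw the wan1 static routes while probes fail, so new and existing
        # sessions re-route via wan2 without a manual refresh.
        set update-static-route enable
        set ha-priority 5
    next
    edit "isp2-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set ha-priority 5
    next
end

# --- Default routes: equal distance so both stay in the routing table,
#     lower priority preferred, so wan2 takes over the moment wan1's route is withdrawn.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end
```

To confirm the behaviour on a lab pair: `get system ha status` shows the members, heartbeat interfaces and monitored ports; `diagnose sys link-monitor status` shows each probe's state; and `get router info routing-table all`, run while the wan1 probe is failing, should no longer list the wan1 default route, which is exactly why sessions move to wan2 without a refresh.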

    • @mdabdulmoiz
      @mdabdulmoiz 2 years ago

      maybe GARP?