Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ciordan
Staff
Staff

Created on ‎11-12-2019 01:38 AM

Article Id 197794

Technical Tip: Cluster is not forming if heartbeat interfaces have sniffer mode enabled

Description
If an existing device will be part of a cluster, make sure the heartbeat interface does not have sniffer mode enabled. Add the interface in the HA config is possible but that won’t be used to form a cluster.

Solution
If a port was used in a firewall sniffer config and later added as a heartbeat for an HA solution, that will not send HA control packets.

Example:
#config system ha
    set group-name "fortinet_cluster"
    set mode a-p
    set password test
    set hbdev "port4" 50
    set override enable
end
Below is the status of the cluster. The slave is not discovered:
#get sys ha status
HA Health Status:
    WARNING: FGT3HD*********1 has hbdev down;
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:1:19
Cluster state change time: 2019-11-07 06:38:25
Master selected using:
    <2019/11/07 06:38:25> FGT3HD*********1                                  <----- is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
System Usage stats:
    FGT3HD*********1(updated 4 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
HBDEV stats:
    FGT3HD*********1(updated 4 seconds ago):
        port4: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FGT3HD*********1, FGT3HD*********1, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.***.*.1
Master: FGT3HD*********1, operating cluster index = 0

The config of port4. Notice the ips-sniffer-mode enable setting:
#show sys int port4
    config system interface
     edit "port4"
         set vdom "root"
         set ips-sniffer-mode enable
         set type physical
         set snmp-index 6
     next
 end
Trying to disable will get the following error:
#conf sys interfacee
    edit port4
    set ips-sniffer-mode disable
Cannot change sniff mode when the interface is used by a policy or a zone.
attribute set operator error, -1, discard the setting
Command fail. Return code -1.

Check the firewall sniffer config:
#show firewall sniffer
    edit 1
        set logtraffic all
        set ipv6 enable
        set non-ip enable
        set interface "port4"
        set application-list-status enable
        set application-list "sniffer-profile"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
        set av-profile-status enable
        set av-profile "sniffer-profile"
        set webfilter-profile-status enable
        set webfilter-profile "sniffer-profile"
    next
Delete the entry which contains the heartbeat port:
#config firewall sniffer
    delete 1
Check the HA status again. The cluster is formed:
#get sys ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:15:11
Cluster state change time: 2019-11-07 06:40:01
Master selected using:
    <2019/11/07 06:40:01>FGT3HD*********0                                                      <-----is selected as the master because it has the largest value of override priority.
    <2019/11/07 06:25:02>FGT3HD*********0                                                      <-----is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
Configuration Status:
    FGT3HD*********0(updated 0 seconds ago): in-sync
    FGT3HD*********1(updated 7 seconds ago): in-sync
System Usage stats:
    FGT3HD*********0(updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
    FGT3HD*********1(updated 7 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
HBDEV stats:
    FGT3HD*********0(updated 0 seconds ago):
        port4: physical/1000full, up, rx-bytes/packets/dropped/errors=139366/1566/0/0, tx=3922815/2758/0/0
    FGT3HD*********1(updated 7 seconds ago):
        port4: physical/1000full, up, rx-bytes/packets/dropped/errors=75331/187/0/0, tx=11725/53/0/0
Master: FGT3HD*********0, FGT3HD*********0, cluster index = 0
Slave : FGT3HD*********1, FGT3HD*********1, cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master: FGT3HD*********0, operating cluster index = 0
Slave : FGT3HD*********1, operating cluster index = 1

10474
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.