msanjaypadma
Staff
Article Id 355710
Description

This article describes how to configure VRRP between two FortiGate devices when a third FortiGate sits between them and must pass the VRRP packets at Layer 2.

Scope

FortiGate.

Solution

In a typical Virtual Router Redundancy Protocol (VRRP) configuration, the two devices are connected within the same broadcast domain, usually through a Layer 2 switch.

This article outlines how to use an existing Layer 3 device, here a FortiGate firewall, as a Layer 2 device that forwards the VRRP packets between the two VRRP peers.

Network diagram (vrrp.PNG): FortiGate-A 'wan' <-> port1 [Fortigate1, software switch] port3 <-> 'wan' FortiGate-B.

Configuration:

FortiGate-A and FortiGate-B could be any other Layer 3 devices; in this scenario they are FortiGate firewalls with VRRP configured between them.

Fortigate1 is the transit device between the two VRRP devices (FortiGate-A and FortiGate-B).

Fortigate1:

config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
end

config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
end

 

To enable VRRP packet transmission through the firewall, configure a software switch (switch-interface) whose members are the two ports facing the VRRP devices, so that Fortigate1 bridges them at Layer 2 instead of routing between them.

Note: Ensure that no software switch member interface has an IP address assigned; an interface that still carries an IP address cannot be added to the switch-interface.

config system switch-interface
    edit "test"
        set vdom "root"
        set member "port1" "port3"
    next
end

 

config system interface
    edit "test"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
end

Configure VRRP on FortiGate-A and FortiGate-B.

FortiGate-A:

The 'wan' interface of FortiGate-A is connected to port1 of Fortigate1.

config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.3 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
            config vrrp
                edit 1
                    set vrgrp 10
                    set vrip 192.168.1.100
                    set priority 128
                next
            end
        set role wan
        set snmp-index 1
    next
end

 

FortiGate-B:

The 'wan' interface of FortiGate-B is connected to port3 of Fortigate1.

config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
            config vrrp
                edit 1
                    set vrgrp 10
                    set vrip 192.168.1.100
                next
            end
        set role wan
        set snmp-index 1
    next
end
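The frames that the software switch on Fortigate1 has to carry are VRRPv2 advertisements: IP protocol 112 packets sent to 224.0.0.18 (both values from RFC 3768), and, because vrrp-virtual-mac is enabled above, sourced from the virtual MAC 00:00:5e:00:01:<VRID> that the verification output later reports as vrmac. The following Python is an added example, not Fortinet code and not part of the article; it builds and decodes such an advertisement with its RFC 1071 checksum, derives the virtual MAC from the VRID, and predicts which peer wins the election from the priorities the article configures (128 on FortiGate-A, the default 100 on FortiGate-B). The tie-break on higher primary IP is the RFC 5798 rule and is an assumption about the peers' behaviour, not something the article states.

```python
"""Added example: decode a VRRPv2 advertisement and predict the election.

Not Fortinet code. Assumes RFC 3768 framing and the article's values
(VRID 1, vrip 192.168.1.100, priorities 128 and 100).
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VRRP_MCAST_GROUP = "224.0.0.18"  # RFC 3768 destination of every advertisement
VRRP_IP_PROTOCOL = 112           # IP protocol number that carries VRRP


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """IANA VRRP virtual router MAC: 00:00:5e:00:01:<VRID> (the article's vrmac)."""
    return "00:00:5e:00:01:%02x" % vrid


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_interval: int
    addresses: List[str]
    checksum_ok: bool


def build_advertisement(vrid: int, priority: int, adver_interval: int,
                        addresses: List[str]) -> bytes:
    """Serialise a VRRPv2 ADVERTISEMENT (auth type 0, eight zero auth bytes)."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                         len(addresses), 0, adver_interval, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses) + b"\x00" * 8
    csum = internet_checksum(header + body)  # computed with the checksum field zeroed
    return header[:6] + struct.pack("!H", csum) + body


def parse_advertisement(payload: bytes) -> Advertisement:
    """Decode the VRRP payload of an IP protocol 112 packet and verify its checksum."""
    if len(payload) < 8:
        raise ValueError("VRRP header truncated")
    first, vrid, priority, count, _auth, adver_interval, checksum = \
        struct.unpack("!BBBBBBH", payload[:8])
    if first >> 4 != 2 or first & 0x0F != 1:
        raise ValueError("not a VRRPv2 ADVERTISEMENT")
    end = 8 + 4 * count + 8  # header + IP addresses + authentication data
    if len(payload) < end:
        raise ValueError("address list truncated")
    message = payload[:end]
    addresses = [str(ipaddress.IPv4Address(message[8 + 4 * i:12 + 4 * i]))
                 for i in range(count)]
    zeroed = message[:6] + b"\x00\x00" + message[8:]
    return Advertisement(vrid, priority, adver_interval, addresses,
                         internet_checksum(zeroed) == checksum)


def elect_master(routers: List[Tuple[int, str]]) -> Optional[str]:
    """(priority, primary IP) pairs -> primary IP of the expected MASTER.

    Highest priority wins; ties go to the higher primary IP (RFC 5798 rule, assumed).
    """
    if not routers:
        return None
    return max(routers, key=lambda r: (r[0], int(ipaddress.IPv4Address(r[1]))))[1]


if __name__ == "__main__":
    pkt = build_advertisement(1, 128, 1, ["192.168.1.100"])
    adv = parse_advertisement(pkt)
    print(adv, "expected source MAC:", virtual_mac(adv.vrid))
    print("expected MASTER:", elect_master([(128, "192.168.1.3"), (100, "192.168.1.2")]))
```

A packet capture on port3 of Fortigate1 that shows no protocol 112 traffic to 224.0.0.18 while FortiGate-A is sending it on port1 means the software switch is not bridging the two ports, which is exactly the state the note about IP addresses on member interfaces warns about.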

 

Verification:

FortiGate-A (priority 128) should report state MASTER and FortiGate-B (default priority 100) state BACKUP, and both should show the same vrip, VRID, vrmac and vrgrp:

FortiGate-A # get router info vrrp
Interface: wan, primary IP address: 192.168.1.3
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
HA mode: master (0:0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10


FortiGate-B # get router info vrrp
Interface: wan, primary IP address: 192.168.1.2
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 0
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
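The following Python is an added example, not part of the article and not Fortinet code. It parses the two `get router info vrrp` outputs above and flags the conditions that mean the transit switch is not carrying the advertisements or the group is misconfigured: two MASTERs (each peer believes it is alone), the highest-priority peer not holding MASTER, group parameters that differ between peers, or a vrmac that does not match the VRID. The two status blocks are the article's own output; the split-brain variant is constructed to show what the audit reports when FortiGate-B never hears FortiGate-A.

```python
"""Added example: audit `get router info vrrp` output from two FortiGates.

Not Fortinet code. The two status blocks are the article's; the split-brain
variant is constructed to show what a non-forwarding transit device looks like.
"""
import re
from typing import Dict, List

FORTIGATE_A_OUTPUT = """\
Interface: wan, primary IP address: 192.168.1.3
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
HA mode: master (0:0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
"""

FORTIGATE_B_OUTPUT = """\
Interface: wan, primary IP address: 192.168.1.2
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 0
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
"""

# Constructed: FortiGate-B's status if FortiGate-A's advertisements never reach it.
SPLIT_BRAIN_B_OUTPUT = FORTIGATE_B_OUTPUT.replace("state: BACKUP", "state: MASTER")


def parse_vrrp_status(text: str) -> Dict[str, object]:
    """Pull the election-relevant fields out of one status block."""
    def grab(pattern: str, cast=str):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError("field not found: %s" % pattern)
        return cast(match.group(1))

    return {
        "interface": grab(r"Interface: (\S+),"),
        "primary_ip": grab(r"primary IP address: (\S+)"),
        "use_vmac": grab(r"UseVMAC: (\d+)", int),
        "vrid": grab(r"VRID: (\d+)", int),
        "vrip": grab(r"vrip: (\S+),"),
        "priority": grab(r"priority: (\d+)", int),
        "state": grab(r"state: (\w+)"),
        "adv_interval": grab(r"\badv_interval: (\d+)", int),  # \b skips master_adv_interval
        "vrmac": grab(r"vrmac: (\S+)").lower(),
        "vrgrp": grab(r"vrgrp: (\d+)", int),
    }


def audit_vrrp(reports: Dict[str, str]) -> List[str]:
    """Return findings for a set of {device name: status text}; empty means healthy."""
    parsed = {name: parse_vrrp_status(text) for name, text in reports.items()}
    findings: List[str] = []

    # All members must agree on the group's identity and timing.
    for key in ("vrid", "vrip", "vrgrp", "adv_interval"):
        values = {str(status[key]) for status in parsed.values()}
        if len(values) > 1:
            findings.append("%s differs across devices: %s" % (key, sorted(values)))

    # Exactly one MASTER: two means advertisements are not crossing the transit device.
    masters = sorted(name for name, status in parsed.items() if status["state"] == "MASTER")
    if len(masters) != 1:
        findings.append("expected exactly one MASTER, found: %s" % (masters or "none"))

    # With preempt enabled, the highest-priority member should hold MASTER.
    best = max(parsed, key=lambda name: parsed[name]["priority"])
    if parsed[best]["state"] != "MASTER":
        findings.append("%s has the highest priority (%s) but is %s"
                        % (best, parsed[best]["priority"], parsed[best]["state"]))

    # When the virtual MAC is in use it must be the IANA 00:00:5e:00:01:<VRID>.
    for name, status in parsed.items():
        expected = "00:00:5e:00:01:%02x" % status["vrid"]
        if status["use_vmac"] == 1 and status["vrmac"] != expected:
            findings.append("%s vrmac %s does not match VRID %s (expected %s)"
                            % (name, status["vrmac"], status["vrid"], expected))

    return findings


if __name__ == "__main__":
    print(audit_vrrp({"FortiGate-A": FORTIGATE_A_OUTPUT, "FortiGate-B": FORTIGATE_B_OUTPUT}))
    print(audit_vrrp({"FortiGate-A": FORTIGATE_A_OUTPUT, "FortiGate-B": SPLIT_BRAIN_B_OUTPUT}))
```

Run against the article's output the audit returns no findings; against the constructed split-brain variant it reports two MASTERs, which is the symptom to look for when a member port of the software switch still carries an IP address or the switch-interface was never created.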