1) Configure the primary FW and factory reset the secondary firewall. Configure HA and let them sync.
2) Configure the primary and secondary FW separately with the same configuration. Change the HA priority.
Which method is better?
3) Save the config of the primary and modify the unique parts for the secondary, like hostname, dedicated management interfaces, and HA config, then upload it to the secondary. Then wait for it to sync after connecting the heartbeat connection(s).
3) would be the fastest.
PS. If you want to learn/see how the full config sync progresses through the console port on the secondary, 1) would be the best option.
Toshi
Please explain the dedicated management interface to me.
What happens if I am using both MGMT1 for management for both FW Pri and FW Sec?
So the 3rd way will be the best for efficiency?
Created on 10-16-2023 07:51 AM Edited on 10-16-2023 07:52 AM
If you're using MGMT1 for management access to each individual unit in HA, you need to have a common GW as a part of the HA config like below:
config system ha
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway x.x.x.1
        next
    end
end
Then mgmt1 interface config at each unit would look like below:
config system interface
    edit "mgmt1"
        set ip x.x.x.2 255.255.255.248   <- the other HA member would have something like x.x.x.3
        set allowaccess ping https ssh fgfm
        set type physical
        set dedicated-to management
        set defaultgw disable
    next
end
I wouldn't do 2) unless the entire config is almost the default config. If it's in production and MGMT1 is already connected, I would do 3). But occasionally, when the HA sync process is having a problem or two, I would do 1). Of course I always have local or remote console access to both units to see and troubleshoot.
Toshi
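Method 3) above boils down to cloning the primary's backup and rewriting only the unit-specific settings. The following script is an added example, not code from the thread or from Fortinet: it walks the nested `config`/`edit` blocks of a constructed sample backup and changes just the hostname, the dedicated management IP and the HA priority, leaving everything that must stay identical (wan1, HA mode, the shared mgmt gateway) untouched. Section names, interface names and addresses in the sample are assumptions for illustration.

```python
# Constructed sample of the unit-specific parts of a primary unit's backup (documentation addresses).
PRIMARY_CONFIG = """\
config system global
    set hostname "FGT1"
end
config system interface
    edit "mgmt1"
        set ip 192.0.2.2 255.255.255.248
        set dedicated-to management
    next
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
    next
end
config system ha
    set mode a-p
    set priority 200
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 192.0.2.1
        next
    end
end
"""

def derive_secondary_config(primary_cfg, hostname, mgmt_if, mgmt_ip, ha_priority):
    """Copy the primary's config, rewriting only hostname, the dedicated
    management IP and the HA priority; every other line is kept verbatim."""
    out, sections, edit = [], [], None  # sections: stack of open 'config' blocks
    for line in primary_cfg.splitlines():
        indent = line[:len(line) - len(line.lstrip())]
        s = line.strip()
        if s.startswith("config "):
            sections.append(s[7:])
        elif s.startswith("edit "):
            edit = s[5:].strip('"')
        elif s == "next":
            edit = None
        elif s == "end":
            sections.pop()
        elif sections and sections[-1] == "system global" and s.startswith("set hostname "):
            line = f'{indent}set hostname "{hostname}"'
        elif sections and sections[-1] == "system interface" and edit == mgmt_if and s.startswith("set ip "):
            line = f"{indent}set ip {mgmt_ip}"
        elif sections and sections[-1] == "system ha" and s.startswith("set priority "):
            line = f"{indent}set priority {ha_priority}"  # inner ha-mgmt-interfaces block is untouched
        out.append(line)
    return "\n".join(out) + "\n"
```

Diff the returned text against the original backup before uploading it: only the three rewritten lines should differ.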
Above is assuming the GW is directly connected. There is a KB for this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...
I think I get it. But I don't want to change the original design.
Can it be done using the GUI and not the CLI?
Another question. I need to use wan1 in fw pri and wan2 in fw sec after ha synchronisation
OR
wan1 in fw pri and wan1 in fw sec
Although the GUI screens are a little old (probably 6.4), the KB I provided above includes the GUI example.
When a-p HA is formed between a primary and secondary(-ries), all config except those I listed need to be identical. For interfaces, only dedicated-to management interface(s) can have different IPs like I showed.
You can of course configure wan1 and wan2 with different IPs and connect a primary circuit to wan1 on FGT1 and a secondary circuit to wan2 on FGT2, but you still have to configure a way to failover, or choose one circuit over another (down) circuit. It's better to use a switch to terminate both circuits and deliver both to both FGTs' wan1 and wan2. Then configure a way to fail-over, like setting different admin distances for two static default routes, or the same distance but different priorities (a higher priority number means a lower priority).
It's described in your version of admin guide.
Toshi
What is "your version of admin guide"?
You never told us what version you're running on your FGTs. If it's 7.2.5, below is the admin guide.
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/954635/getting-started
You can find other versions' guides at the same document library.
Toshi
My problem is resolved. Thanks.
Copyright 2024 Fortinet, Inc. All Rights Reserved.