Currently i have 2 Firewalls (1500D) in HA running in Active-Passive mode.
2 interfaces are of heartbeat & 2 are Monitored interfaces.
Basic HA is configured in which Primary firewall has 130 priority & secondary firewall has 125 priority. In a current scenario if Primary firewall goes down & Secondary comes up traffic start moving from Secondary & after some time when primary firewall comes active,still traffic passes from Secondary firewall.
I just want to perform a setup in which, if fail over happens & secondary becomes active, as soon as the Primary firewall comes in its active state, traffic should start to pass from Primary firewall not from the secondary.
What configuration shall i perform in primary firewall in order to achieve the above mentioned tasks.
If you absolutely want to have always one specific unit be the primary unit, you need to set HA override in addition to settings this unit's priority higher than any other unit's priority.
This can only be done in the CLI:
config system ha
set override enable
Be aware that with this setting the cluster will renegotiate more often which may cause disruptions.
And with bad luck, you may lose configuration changes: if the primary fails, the secondary will become the new primary. If you now change anything in the config, then when the old primary comes online again and assumes primary, it will detect a sync failure and resynchronize his configuration over that of the secondary!
The workaround is to not change the config while HA override is in effect. If you have changes which you want to keep, set the active unit to prio=255 (the highest) and bring the ex-primary online. Even if the ex-primary has override enabled, it should not become the new primary. Let the cluster sync, and then reduce the priority again, causing a failover.
I'm just getting started with Fortinet but I'd say the defaults must be changed because this type of setup is usually not advisable.
If you have HA you should be setting it up assuming both boxes are equivalent in performance, and in fact you probably want equal wear-and-tear that comes with acting as the primary firewall for long periods of time (as opposed to less work when acting as secondary).
Also, during a failover, if you have things set to switch back to the original primary when it comes back online, what happens if the usual Primary is constantly going up and down? You'll end up with traffic being lost as every time the primary comes back momentarily it switches over, then it goes down and you have to switch back.
I actually like the idea that when the primary fails the other unit is the primary, and in the end I don't have any preference for either box as they should both have all the same connections and be equally capable of acting as the primary.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.