I have a FortiGate cluster on 7.4.2 which is being managed by a FortiManager. I have noticed that whenever I create a static route it only gets copied to the primary member and the secondary's routing table doesn't change. Is this expected behavior? Do I have to separately create routes on the standby member with its own next hop?
I noticed the same behavior in the GRE tunnel configuration. Every time the unit fails over I have to change the local-gw IP to make the tunnel active from the switched-over member.
Any assistance is appreciated.
Thanks
With A-P HA FGTs, the FMG can save/change config on the primary device only. When you push a new static route from the FMG, it's pushed to the primary device; then, as long as they're in sync, the same static route should be copied to the secondary by the HA config sync between those devices, not from the FMG.
When you get into the secondary FGT through the console or "exe ha manage [0 or 1] <username>" from the primary, you can see the static route is copied in "config router static" then "show". However, since all interfaces to the outside on the secondary FGT are down, you wouldn't be able to see the actual route in "get router info routing-t [all or static]".
You don't see the static route you added in the secondary FGT?
Toshi
Thanks for the reply. To add more clarity: the cluster is hosted on AWS with the primary member in AZ1 and the secondary in AZ2. The next hop for the subnets of both firewalls is different.
So when I added 10 routes on the primary with next hop 192.168.1.7 (subnet 192.168.1.0/27), they weren't reflected on the secondary member with next hop 192.168.1.39 (subnet 192.168.1.32/27).
When I failed over the devices manually my network went down and I had to manually add all 10 routes on the new primary member with next hop 192.168.1.39. Only then was network connectivity restored and everything started working.
I even checked with "config router static" then "show" on the members, but the routes weren't reflected; I had to add them manually to get it working.
I had also checked "get sys ha status" and the HA status seems OK; no errors were observed.
There is no alarm in the cluster showing it as out of sync.
Routes are added towards the internal interface.
Because of the different subnets, the firewall members have different next hops for each interface, so how will route replication work?
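The scenario above (two HA members in different AWS subnets, so a gateway that is on-link for the primary is not on-link for the secondary) can be sanity-checked before a failover. The script below is an added example, not from the thread or from Fortinet: the route list, interface names and subnets are constructed to mirror the numbers in the post.

```python
"""Pre-failover check: does every synced static route have an on-link next hop
on each HA member? Constructed example, not Fortinet code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str       # destination prefix, e.g. "10.20.0.0/16"
    gateway: str   # next hop as configured (and config-synced) from the primary
    device: str    # outgoing interface name


def on_link(gateway: str, iface_subnet: str) -> bool:
    """True when the gateway address lies inside the interface's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(iface_subnet, strict=False)


def unreachable_routes(routes, members):
    """members maps member name -> {interface name: subnet of that interface on
    this member}. Returns member name -> list of routes whose next hop is not
    on-link there; such a route stays inactive after a failover to that member."""
    result = {}
    for name, ifaces in members.items():
        result[name] = [
            r for r in routes
            if r.device in ifaces and not on_link(r.gateway, ifaces[r.device])
        ]
    return result


# Constructed sample: routes synced verbatim from the primary, whose internal
# interface ("port2", assumed name) sits in 192.168.1.0/27; the secondary's
# sits in 192.168.1.32/27. "port1" is a constructed interface shared by both.
ROUTES = [
    StaticRoute("10.20.0.0/16", "192.168.1.7", "port2"),
    StaticRoute("10.30.0.0/16", "192.168.1.7", "port2"),
    StaticRoute("0.0.0.0/0", "10.0.0.1", "port1"),
]
MEMBERS = {
    "primary":   {"port1": "10.0.0.0/24", "port2": "192.168.1.0/27"},
    "secondary": {"port1": "10.0.0.0/24", "port2": "192.168.1.32/27"},
}

if __name__ == "__main__":
    for member, bad in unreachable_routes(ROUTES, MEMBERS).items():
        for r in bad:
            print(f"{member}: {r.dst} via {r.gateway} on {r.device} is not on-link")
```

Run against the real "show router static" output of both members, the flagged list is exactly the set of routes that need a per-member next hop after a switchover.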
All routing configuration, including static routes, is replicated to the secondary node, except (I suppose) the routes related to the management interface when it is "HA Reserved".
OK, this is really strange in that case then, because there are no errors in HA sync. Policy is getting synced but not routing.
Can you share the output of:
show router static
Show only the affected routes, please.