FG_Basic Configuration with HA

Below is the procedure followed for FortiWeb.

VA/Physical firewall without VDOM:

Interface creation on Primary FW:

config system interface
    edit "port1"
        set ip 192.168.16.209/24
        set allowaccess https ping ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 192.168.16.254
        set device port1
    next
end

Interface creation on Secondary FW:

config system interface
    edit "port1"
        set ip 192.168.16.210/24
        set allowaccess https ping ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 192.168.16.254
        set device port1
    next
end

HA Configuration:

How HA works on FortiWeb
FortiWeb HA is Active-Passive only. Each unit must be configured separately, each with its own IP. Once HA is configured, the Secondary unit becomes a slave to the Main unit and loses the configuration you gave it, including its IP, so it can only be managed through the Main unit.

If using FortiWeb-VM, the license must be a paid one; trial licenses will not function.

System—Config—HA

Configured HA Mode: Active-Passive
Group Name: AUTO-HA (type a name to identify the HA pair).
Device Priority: the priority of the appliance when electing the primary appliance in the HA pair (0-9). The smaller the number, the higher the priority.
Group ID: both members of the HA pair must have the same group ID (0-63).
Heartbeat Interface: select which port(s) on this appliance the main and standby appliances will use to send heartbeat signals and synchronization data to each other (i.e. the HA heartbeat link).

At least one heartbeat interface must be selected on each appliance in the HA cluster. 

If enough ports are available, we can select both a primary heartbeat interface and a secondary heartbeat interface on each appliance in the HA pair to provide heartbeat link redundancy.

Click Apply.

Important Note:

The following parameters need to be enabled in VMware:

  1. Enable promiscuous mode.
  2. Accept forged transmits.
  3. Accept MAC Address Changes.

How HA chooses the active appliance:

Note: If Override is enabled and the Device Priority setting of the returning appliance is higher, it will be elected as the active appliance in the HA cluster.

If Override is disabled, HA considers (in order):
1. The most available ports
For example, if two FortiWeb appliances, FWB1 and FWB2, were configured to monitor two ports each, and FWB2 has just one port currently available according to Port Monitor, FWB1 would become the active appliance, regardless of uptime or priority. But if both had 2 available ports, this factor alone would not be able to determine which appliance should be active, and the HA cluster would proceed to the next consideration.
2. The highest uptime value
Uptime is reset to zero if an appliance fails, or the status of any monitored port (per Port Monitor) changes.
3. The smallest Device Priority number (that is, 0 has the highest priority)
4. The highest-sorting serial number

If Override is enabled, HA considers (in order):
1. The most available ports
2. The smallest Device Priority number (that is, 0 has the highest priority)
3. The highest uptime value
4. The highest-sorting serial number
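The election order above, as an added illustration that is not FortiWeb code: a small Python model with constructed members (names, serials and counters are made up) that reproduces the FWB1/FWB2 port example and shows where Override changes the outcome.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Appliance:
    """Election inputs of one FortiWeb HA member (constructed sample values)."""
    name: str
    serial: str
    available_ports: int  # monitored ports currently up according to Port Monitor
    uptime: int           # seconds since the last failure or monitored-port change
    device_priority: int  # 0-9; the smaller the number, the higher the priority

def election_key(a: Appliance, override: bool) -> tuple:
    """Comparison key: a larger tuple is a better candidate.

    Override disabled: ports, uptime, priority, serial.
    Override enabled:  ports, priority, uptime, serial.
    Priority is negated because 0 is best; the serial is the final
    tie-breaker and the highest-sorting string wins.
    """
    if override:
        return (a.available_ports, -a.device_priority, a.uptime, a.serial)
    return (a.available_ports, a.uptime, -a.device_priority, a.serial)

def elect_active(members, override=False) -> Appliance:
    """Return the member the HA cluster would make active."""
    return max(members, key=lambda a: election_key(a, override))

def monitored_port_changed(a: Appliance, ports_up: int) -> Appliance:
    """A Port Monitor status change resets that member's uptime to zero."""
    return replace(a, available_ports=ports_up, uptime=0)

# Constructed scenario 1 (the FWB1/FWB2 example): FWB2 has the better
# priority and the longer uptime, but only one of its monitored ports is up.
FWB1 = Appliance("FWB1", "SERIAL-0001", available_ports=2, uptime=3_600, device_priority=5)
FWB2 = Appliance("FWB2", "SERIAL-0002", available_ports=1, uptime=86_400, device_priority=0)

# Constructed scenario 2: both units have both ports up; FWB-B has just
# rejoined (uptime reset) but carries the better priority.
FWB_A = Appliance("FWB-A", "SERIAL-0003", available_ports=2, uptime=500_000, device_priority=1)
FWB_B = Appliance("FWB-B", "SERIAL-0004", available_ports=2, uptime=120, device_priority=0)

if __name__ == "__main__":
    print(elect_active([FWB1, FWB2]).name)                    # FWB1
    print(elect_active([FWB_A, FWB_B], override=False).name)  # FWB-A: uptime decides
    print(elect_active([FWB_A, FWB_B], override=True).name)   # FWB-B: priority decides
```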


Links for Reference:

