Fortinet: Configuring HA on FortiGate firewalls

  • Published 3 Dec 2024

COMMENTS • 21

  • @rockinron5113 2 years ago +2

    Nice one. Thanks.

  • @khonde_99 8 months ago +1

    Thank you for your great tutorial, one question: did you make the configuration for the 2nd FortiGate the same as the master FG before configuring HA? Or will the configuration automatically synchronize after HA is connected?

  • @kmcgaughmohr 1 year ago

    Thanks for this. Studying NSE4. Very frustrating how a vendor overcomplicates its technology.

  • @ajeeshca7929 7 months ago

    Hi, the priority of both firewalls is showing 128 by default. So how do these firewalls become primary and secondary???

  • @neel068119 6 months ago

    Can I use different /30 subnets on port1 and port3 of the active & passive firewalls? And if I configure an eBGP neighbor using port1 and port3, then what attribute will differentiate routes published from the active & passive firewalls?

  • @Sebastian-z6d3f 9 months ago

    How do you connect the HA ports? Directly HA to HA, or did you connect them via a switch? What cable did you use?

    • @tothepointfortinet3823 9 months ago

      Direct is most ideal (i.e. I can't think of why we'd want to introduce a switch unless it's necessary, such as if both firewalls are physically located further from each other). A switch can be used too though (just gotta make sure the frames get forwarded by the switch).

  • @danif1359 1 year ago

    I am confused on how IPsec works on active-passive. Do I have two independent tunnels? Do both members of the cluster send keepalives?

    • @tothepointfortinet3823 1 year ago +1

      The first minute and a half of the video covers this, just try to relate it to IPsec to answer your question. So for IPsec, both firewalls have the identical configuration for each VPN; the passive firewall will only actually use its config (and the IPs bound to the physical interfaces that the IPsec interface is associated with) when a failover event occurs.
      The purpose of HA is to essentially have a carbon copy of the exact same firewall config; there isn't extra logic/behavior on the passive firewall for different features (there are some exceptions to this).

  • @alastaircupples 1 year ago

    Did you need to create an aggregate interface to connect the FortiGates to the LAN switch? When I set this up in my environment, it doesn't like that I have the 2 gates connected to the same switch.

    • @tothepointfortinet3823 1 year ago

      An aggregate interface is not a requirement. I'd say call into TAC for troubleshooting assistance.

  • @lazzybug007 9 months ago

    I'm confused how to connect the switch to the FortiGate and how to write a policy for this. Can you help me with details on this connection? I have two FortiGate 121G and two switches 424E-FPOE. I'm new to networking; I don't know how to implement HA in this. Kindly help, my job is on the line 🙏

    • @tothepointfortinet3823 9 months ago

      Here's a link on what appears to be the topology you are trying to setup:
      docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units

  • @mattashfield2567 7 months ago

    After HA gets synchronized, will FG2 change its primary/external IP address or keep the separate one that it started with?

    • @mattashfield2567 7 months ago

      The reason I ask is related to IPsec tunnels.

    • @tothepointfortinet3823 7 months ago

      Yes, FG2 will change its external IP to be the same one as FG1. Although FG2 won't actually 'claim' the FG1 IP from a networking perspective until FG1 goes down.

  • @mattashfield2567 7 months ago

    Should FG2 start out with zero policies/networks/VLANs/other configuration, other than a public IP address?

    • @tothepointfortinet3823 7 months ago

      Yes, no config needed on FG2; you just need to be able to access it, so even a public IP isn't actually needed.

  • @thebocop 1 year ago

    Super confused on the way you have these hooked up to the switches.

    • @tothepointfortinet3823 1 year ago +1

      How so? Let me know if you have a question so I can help answer it.
      Using my example, the switch could be a dumb switch; its purpose is to place both FortiGate interfaces on the same broadcast domain and to facilitate GARP updates.
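As an added example (not from the video or from the channel's replies), a FortiOS `config system ha` block for the active-passive pair discussed in this thread: identical group settings on both units, a dedicated heartbeat link, and a higher priority with override on the unit intended to be primary, which is what decides the primary/secondary question when both units sit at the default 128. Interface names, group name and password are placeholders.

```fortios
# Added example, not the video's own configuration. Apply on both FortiGates,
# changing only "priority". Interface names, group name and password are
# placeholders; group name and password must match on both members.
config system ha
    set group-name "HA-LAB"            # must be identical on both members
    set mode a-p                       # active-passive: one primary, one standby
    set password "CHANGE-ME"           # shared secret that authenticates heartbeat packets
    set hbdev "port3" 50 "port4" 50    # heartbeat interfaces (direct cable or switch) and their priorities
    set session-pickup enable          # sync the session table so established flows survive failover
    set monitor "port1" "port2"        # fail over if a monitored link goes down
    set override enable                # make device priority decisive in primary selection
    set priority 200                   # higher on the intended primary; leave 128 on the other unit
end
```

With override left disabled and both units at priority 128, FortiOS picks the primary by its other selection criteria (connected monitored interfaces, then age/uptime, then serial number), so the result looks arbitrary unless override and priority are set. Once the cluster forms, the primary pushes its configuration to the secondary, which is why the second unit needs only enough configuration to be reachable.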