
Redundancy:

o Redundancy, Failover, High Availability, Clustering, RAID and Fault-tolerance.


o A good network design provides redundancy in both devices and network links.
o Redundancy is essentially extra hardware or software that can be used as a backup.
o It takes over if the main hardware, software, or link fails or becomes unavailable.
o It is a method of ensuring network availability when a network device or path fails or is unavailable.
o Network redundancy is the process of installing additional or alternate instances of network devices, equipment, and communication media within the network infrastructure.
o Redundancy can be achieved automatically via failover, load balancing, and high availability.
o High availability is a feature that provides redundancy and fault tolerance automatically.
o High availability is a set of connected devices that process and provide a service together.
o The goal is to ensure the service is always available, even in the event of a failure or outage.
o Clustering is similar to redundant servers and provides fault tolerance in an emergency.
o A group of servers is logically combined into a cluster and seen as one device.
o If a device within the cluster fails, services continue because the other devices keep providing them.
o With redundant links, one link processes traffic and the second becomes active only if the primary link fails.
o A company can also connect its device to more than one Internet connection.
o If one connection goes down, all traffic fails over to the other Internet connection.
o This eliminates a single point of failure and assures availability and reliability.
o RAID is a fault tolerance solution for hard drives, usually implemented in servers.
o RAID (Redundant Array of Independent Disks) provides redundancy and fault tolerance.
o Automatic failover is the process of moving active services from the primary device to the backup.
o Usually the backup device continues these services until the primary device has come back up.
o When a device fails and another device takes over, this process is referred to as failover.
o Services fail over to the backup device, which continues from where the primary left off.
o The failover feature allows hardware firewalls to have redundancy and a backup.
o Two or more hardware devices are configured so that if the primary fails, the backup takes over.
o It is implemented on high-end hardware devices for networks that require redundancy.
o HSRP is a Cisco proprietary protocol for establishing a fault-tolerant default gateway.
o Redundancy, fault tolerance, and high availability all refer to some sort of failover to a backup.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


High Availability Overview:
o HA is usually required in systems where there is high demand for minimal downtime.
o High availability (HA) is a deployment in which two firewalls are placed in a group.
o Their configuration is synchronized to prevent a single point of failure on your network.
o A heartbeat connection between the firewall peers ensures failover in the event that a peer goes down.
o Setting up two firewalls in an HA pair provides redundancy and ensures business continuity.
o Firewalls in an HA pair use HA links to synchronize data and maintain state information.
o A FortiGate firewall requires you to use in-band ports as the HA links.
o Use the HA ports to manage communication and synchronization between the FortiGate firewalls.
o All FortiGates in the cluster must be the same model and have the same firmware installed.

FortiGate Firewall HA Modes:


Active-Passive:
o In Active-Passive, one firewall actively manages traffic while the other is synchronized with it.
o The passive firewall is ready to transition to the active state should a failure occur.
o One firewall actively manages traffic until a path, link, system, or network failure occurs.
o When the active firewall fails, the passive firewall transitions to the active state and takes over.
o Active-Passive does not increase the session capacity or network throughput of the firewall.
o Active-Passive has a simple design, so routing is easier to troubleshoot.

Active-Active:
o In an Active-Active deployment, both firewalls in the pair are active and processing traffic.
o Use an Active-Active setup to load balance TCP sessions across multiple firewall units.
o UDP, ICMP, multicast, and broadcast traffic remains only on the primary firewall unit.
o The primary FortiGate unit distributes the TCP sessions to all other firewalls.
o Active-Active high availability provides session failover protection for all TCP sessions.
o Active-Active HA does not provide session failover for UDP, ICMP, multicast, and broadcast.
o Active-Active high availability is less resilient in session failover than Active-Passive mode.
o Active-Active does not load balance all sessions, only those with security profiles and proxy enabled.
o Active-Active HA load balancing distributes proxy-based security profile processing to all units.



HA Pre-Requisite:
o To set up High Availability (HA) on firewalls, you need a pair of firewalls that meet the following.
o The same model: the FortiGate firewalls in the pair must be the same hardware model.
o The same FortiOS version: the firewalls must be running the same FortiOS version and firmware.
o Cluster members must also have the same hardware configuration, such as the same HDD.
o Each member must also be up to date with the same application, URL, and threat databases.
o To set up HA in Active-Active or Active-Passive mode, the same type of interfaces is required.
o All cluster members share the same configuration except the host name and priority in the HA settings.
o Set all FortiGate interfaces to manual addressing; make sure none of them use DHCP or PPPoE.
o Licenses are unique to each firewall and cannot be shared between firewalls; each firewall needs the same set.

High Availability Links:


o By default, two interfaces on FortiGate models are configured as heartbeat interfaces.
o The HA1 link is used to exchange hellos, heartbeats, and HA state information.
o The HA1 link is also used for management-plane synchronization of routing and User-ID information.
o HA1 monitors HA status, such as configuration synchronization, for active-passive.
o HA1 acts as a keepalive between the HA agents; it senses a power cycle, reboot, or power down.
o The FortiGate firewalls also use this link to synchronize configuration changes with their peer.
o A heartbeat interface is an Ethernet interface in the cluster used by the FGCP for the HA heartbeat.
o Heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893.
o The default time interval between HA heartbeats on the HA link is 200 ms.
o The heartbeat interfaces use link-local IPv4 addresses in the 169.254.0.x range.
o If the cluster has two firewalls, connect their heartbeat interfaces directly using a crossover cable.
o Heartbeat packets contain sensitive information about the cluster configuration.
o Heartbeat packets may also use a considerable amount of network bandwidth.
o On startup, a FortiGate configured for HA broadcasts HA heartbeat hello packets from its heartbeat interface to find other units configured to operate in HA mode.
o In addition to selecting heartbeat interfaces, you also set a priority for each heartbeat interface.
o The heartbeat interface with the highest priority is used for all HA heartbeat communication.
o If that interface fails or is disconnected, the interface with the next highest priority handles all heartbeat communication.
o For the HA cluster to function correctly, you must select at least one heartbeat interface.
o On a FortiGate firewall, the heartbeat interface priority range is 0 to 512.
o The default priority when selecting a new heartbeat interface is 0; a higher number means higher priority.
o You can enable heartbeat communication on a physical interface but not on a VLAN subinterface.
o It also cannot be enabled on an IPsec VPN interface, a redundant interface, or an 802.3ad aggregate interface.
o These interface types cannot be selected in the FortiGate heartbeat interface list.
o A FortiGate next-generation firewall can have up to 8 heartbeat interfaces selected.
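As an added example (not from the original document), the following Python check classifies captured Ethernet frames by the FGCP heartbeat Ethertypes listed above and flags any heartbeat frame seen on an interface other than the configured heartbeat ports, since the heartbeat carries cluster configuration details and should stay on the dedicated links. The interface names, MAC addresses and frames are constructed for the lab's port3/port4 heartbeat pair.

```python
import struct

# FGCP heartbeat Ethertypes as stated on the page
FGCP_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
ETH_HEADER = struct.Struct("!6s6sH")   # destination MAC, source MAC, Ethertype


def ethertype_of(frame):
    """Ethertype of a raw Ethernet II frame (bytes)."""
    if len(frame) < ETH_HEADER.size:
        raise ValueError("truncated Ethernet header")
    return ETH_HEADER.unpack_from(frame)[2]


def is_fgcp_heartbeat(frame):
    return ethertype_of(frame) in FGCP_HEARTBEAT_ETHERTYPES


def audit_heartbeat_isolation(captures, heartbeat_ports):
    """captures: list of (interface, frame). Returns (interface, ethertype) for
    every FGCP heartbeat frame observed on an interface that is not a
    configured heartbeat port."""
    findings = []
    for iface, frame in captures:
        et = ethertype_of(frame)
        if et in FGCP_HEARTBEAT_ETHERTYPES and iface not in heartbeat_ports:
            findings.append((iface, et))
    return findings


def make_frame(ethertype, payload=b"\x00" * 46):
    """Constructed frame with placeholder MAC addresses; the payload is filler."""
    dst = b"\x01\x80\xc2\x00\x00\x01"
    src = b"\x00\x09\x0f\x00\x00\x01"
    return ETH_HEADER.pack(dst, src, ethertype) + payload


# Constructed capture: the lab's heartbeat ports are port3 and port4.
SAMPLE_CAPTURE = [
    ("port3", make_frame(0x8890)),   # heartbeat on a heartbeat port: expected
    ("port1", make_frame(0x0800)),   # ordinary IPv4 on the WAN port: ignored
    ("port2", make_frame(0x8891)),   # heartbeat on the LAN port: isolation problem
]


def lab_findings():
    return audit_heartbeat_isolation(SAMPLE_CAPTURE, {"port3", "port4"})
```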



HA Terminologies:
Failover:
o When a failure occurs on one firewall, the peer takes over the task of securing traffic.
o It is the procedure by which a firewall automatically transfers control to its peer when it detects a fault.
o The failover operation is the process of switching production to a backup facility or firewall.
o A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails.

Heartbeat Messages:
o Hello messages are sent from one peer to the other to verify the state of the firewall.
o The heartbeat is a non-TCP packet sent to the HA peer over the High Availability (HA) link.
o Firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational.
o Hello messages are sent from one peer to the other at the configured hello interval.
o The peer responds to the non-TCP packets to establish that the firewalls are connected and responsive.
o By default, the heartbeat interval on a FortiGate firewall is 200 milliseconds.
o If 6 heartbeat packets are not received from a cluster unit, that unit is considered to have failed.
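As an added example (not from the original document), this Python model implements the heartbeat rules from the High Availability Links and Heartbeat Messages sections: a 200 ms interval, a peer declared failed once 6 heartbeats are not received, and the highest-priority heartbeat interface carrying all heartbeat traffic with the next one taking over if it fails. The interface priorities (port3 above port4) are assumed for the lab and the timeline is constructed.

```python
from dataclasses import dataclass, field

HB_INTERVAL_MS = 200      # default heartbeat interval stated on the page
HB_LOST_THRESHOLD = 6     # heartbeats that may be missed before the peer is failed


@dataclass
class HeartbeatMonitor:
    hbdev: dict                               # heartbeat interface -> priority (0..512)
    down: set = field(default_factory=set)    # heartbeat interfaces that lost link
    missed: int = 0                           # consecutive heartbeats not received
    peer_failed: bool = False

    def active_hbdev(self):
        """Highest-priority heartbeat interface that still has link, or None."""
        up = [(prio, name) for name, prio in self.hbdev.items() if name not in self.down]
        return max(up)[1] if up else None

    def link_down(self, name):
        """A heartbeat interface failed; the next highest priority takes over."""
        self.down.add(name)

    def tick(self, heard_on):
        """Advance one heartbeat interval; heard_on holds the interfaces on which a
        heartbeat arrived. Only the active heartbeat interface is considered."""
        active = self.active_hbdev()
        if active is not None and active in heard_on:
            self.missed = 0
        else:
            self.missed += 1
        if self.missed >= HB_LOST_THRESHOLD:
            self.peer_failed = True
        return self.peer_failed


def detection_delay_ms():
    """Time until a silent peer is declared failed with the default settings."""
    return HB_INTERVAL_MS * HB_LOST_THRESHOLD


def lab_scenario():
    """Constructed timeline for the lab pair: port3 carries the heartbeat, its link
    drops, port4 takes over, then the peer is powered off and goes silent."""
    mon = HeartbeatMonitor(hbdev={"port3": 100, "port4": 50})
    first = mon.active_hbdev()                    # port3 has the higher priority
    mon.tick({"port3", "port4"})                  # normal operation
    mon.link_down("port3")
    second = mon.active_hbdev()                   # port4 now handles the heartbeat
    mon.tick({"port4"})
    missed_after_failover = mon.missed            # still healthy: 0
    silent_ticks = 1
    while not mon.tick(set()):                    # peer silent: count intervals to failure
        silent_ticks += 1
    return first, second, missed_after_failover, silent_ticks
```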

Link Monitoring:
o The physical interfaces to be monitored are grouped into a link group and their state is monitored.
o On a FortiGate firewall, a link group can contain one or more physical interfaces or links.
o A firewall failure is triggered when any or all of the interfaces or links in the group fail.
o The default behavior is that failure of any one link in the link group causes the firewall to change state.
o Configuring monitored interfaces is also called interface monitoring or port monitoring.

Priority:
o When two FortiGate firewalls are deployed in an active-passive cluster, you must configure the device priority: a higher priority for the Master and a lower one for the Slave.
o The firewall with the higher numerical value, and therefore the higher priority, is designated as Master.
o The device priority decides which FortiGate firewall will preferably take the Master role and which will take the Slave role when both firewalls boot up.



HA Override:
o The override behavior allows the firewall with the higher numerical priority to resume as Primary.
o By default, override is disabled on the firewalls and must be enabled on the primary firewall.
o Before adding the FortiGate unit to the cluster, enable override on the primary FortiGate.
o Override influences this behavior depending on whether it is enabled or disabled.
o For override to be effective, you must also set the highest device priority on the cluster unit that you want to always be the primary unit.

Session-Pickup:
o When session pickup is enabled, the FGCP synchronizes the primary unit's TCP session table to all cluster units.
o As a new TCP session is added to the primary unit's session table, the session is synchronized to all units.
o This synchronization happens as quickly as possible to keep the session tables in sync.
o If the primary fails, the new primary unit uses the synchronized session table to resume all TCP sessions that were being processed by the former primary unit with minimal interruption.

Unicast HA Heartbeat:
o In virtual machine (VM) environments that do not support broadcast communication, you can set up a unicast High Availability (HA) heartbeat when configuring HA.
o Setting up the unicast HA heartbeat consists of enabling the feature and adding a peer IP address.
o The peer IP address is the IP address of the HA heartbeat interface of the other FortiGate VM in the HA cluster.
o You can enable the unicast HA heartbeat from the GUI by going to System > HA, enabling Unicast Heartbeat, and adding the Peer IP, which is the address of the peer's heartbeat interface.



Active-Passive Lab:

FG1 (Primary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
High Availability (HA) 1: Port3 - Layer 2, no IP address
High Availability (HA) 2 Backup: Port4 - Layer 2, no IP address

FG2 (Secondary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
HA1 or Control Link: Port3 - Layer 2, no IP address
HA1 or Control Link Backup: Port4 - Layer 2, no IP address

LAN PC Details
LAN PC1 IP: DHCP
LAN PC2 IP: DHCP
LAN DHCP Range: 192.168.1.1 - 192.168.1.99 /24
LAN PC DNS: 8.8.8.8
Firewall Management IP subnet: 192.168.122.0/24
Internet Gateway IP: 192.168.122.2 /24

HA Details
Mode: Active-Passive
Device Priority Master: 100
Device Priority Slave: 50
Group Name: HAG
Heartbeat Ports: Port3 and Port4



Configure Primary Firewall:
Login:
First, console to the Primary Firewall and find out its IP address to log in.

Change Hostname:
Now log in to the MASTER firewall. I recommend changing the hostname first; this makes it
easier to identify the different FortiGate units.

Configure Interfaces:
Go to Network > Interfaces, select port1 and click Edit. In Alias type WAN, change the Address
Mode to Manual, and type IP/Netmask 192.168.122.100/24. Leave Administrative Access and the
rest of the configuration at their defaults and press OK. The firewall will be disconnected;
log in again with the new management IP address, which is also the WAN IP address.



Go to Network > Interfaces, select port2 and click Edit. In Alias type LAN, change the Address
Mode to Manual, and type IP/Netmask 192.168.1.100/24. In Administrative Access check only PING,
leave the rest of the configuration at its defaults, and press OK.

Enable DHCP Server:


To add a DHCP server, go to Network > Interfaces. Edit the interface Port2 and select DHCP in
the addressing mode. Specify the DNS as 8.8.8.8.



Configure DNS:
Go to Network > DNS, click Specify and enter the primary and secondary DNS servers. In Primary
DNS Server, type the IP address of the primary DNS server, 8.8.8.8. Click Apply to save the changes.

Configure Default Route:


To create a new default route, go to Network > Static Routes and create a static route for the ISP.
Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0. Set
Gateway to the IP address provided by your ISP, in my case 192.168.122.2, which is my VM8 VMware
Workstation gateway. Set the Interface to the Internet-facing interface, the WAN interface.
Press OK to save the changes.



LAN to WAN Policy:
To create a new policy, go to Policy & Objects > IPv4 Policy. Give the policy a Name that
indicates it is for traffic to the Internet; in my case it is Allow-LAN2WAN. Set the Incoming
Interface to LAN and the Outgoing Interface to WAN. Set Source, Destination Address, Schedule,
and Service as required, in this case All. Ensure the Action is set to ACCEPT. Turn on NAT and
select Use Outgoing Interface Address.



HA Active-Passive Configuration:
Go to System > HA and select the Active-Passive mode. Give the MASTER firewall a higher Device
Priority than the slave (100). Set a group name and password for the cluster; you will use them
again on the slave machine. Enable Session Pickup to sync sessions from the master to the backup
machine. Check the interface you want to monitor, normally the Internet interface. Enable two
heartbeat interfaces to create a stable HA.

Mode: Select the HA mode for the cluster, or return the cluster to standalone.
Device Priority: Set the device priority; the unit with the highest priority usually becomes the primary unit.
Group Name: Enter a name to identify the cluster. The group name must be the same on all units.
Password: Enter a password to identify the cluster. It must be the same on all units.
Session Pickup: Sessions are picked up by the cluster unit that becomes primary.
Monitor Interfaces: Select to enable or disable monitoring of FortiGate interfaces.
Heartbeat Interfaces: Select to enable or disable HA heartbeat communication.
Heartbeat Interface Priority: Set the heartbeat interface priority.
Management Interface Reservation: The HA Reserved Management Interface provides direct management access to all cluster units by reserving a management interface as part of the HA configuration.



Verification of Primary:
After the HA configuration is done, go to System > HA. It will show, as below, that port1 is
the monitored port and Port3 and Port4 are the heartbeat interfaces.



Configure Slave Firewall:
After the configuration of the Primary Firewall is done, we will set up the slave machine.
Console to the Slave Firewall, get its IP address, and log in.

Change Hostname:
Now log in to the SLAVE firewall. I recommend changing the hostname first; this makes it
easier to identify the different FortiGate units.

HA Active-Passive Configuration:
Same as on the master, go to System > HA and select the Active-Passive mode. Give the SLAVE
firewall a lower Device Priority than the Master (50). Set the same group name and password for
the cluster that were already set on the MASTER firewall. Enable Session Pickup to sync sessions
from the master to the backup machine. Check the interface you want to monitor, normally the
Internet interface. Enable two heartbeat interfaces to create a stable HA.



Verification:
Check the status of the cluster group and make sure the master and slave machines are correct.
On the Primary Firewall, go to System > HA; you will find the settings of both firewalls here.
The HA status page shows both FortiGates in the cluster. It also shows that Primary is the
primary (master) FortiGate and that Backup is the backup (slave) FortiGate.



Go to Dashboard > Status, The HA Status dashboard widget also shows synchronization status.

LAN PCs Configuration:


Right click on both PC1 and PC2 to enable DHCP configuration to get IP from LAN interface.



Go to Security Fabric > Physical Topology. If the cluster is part of a Security Fabric, the
FortiView Physical and Logical Topology views show information about the cluster status.

Failover Verification:
Let's run a continuous ping from any LAN PC.

Let's power off the primary firewall; you will then be logging into the backup FortiGate.



You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate,
allowing the ping traffic to continue.

Check the host name to verify the FortiGate that you have logged into. The FortiGate continues
to operate in HA mode.



If you restart the primary FortiGate, after a few minutes it should rejoin the cluster and operate as
the backup FortiGate. Traffic should not be disrupted when the restarted primary unit rejoins
the cluster. The override behavior allows the firewall with the higher numerical priority to
resume as Primary; to get that behavior, enable override on the Primary Firewall:
PrimaryFW # config system ha
PrimaryFW (ha) # set override enable
PrimaryFW (ha) # end
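As an added example (not from the original document), this Python model works through the primary election behind the Priority, Link Monitoring and HA Override sections and the failover walkthrough above: more monitored interfaces up always wins; with override disabled the unit that has been in the cluster longer keeps the primary role, which is why the restarted primary rejoins as backup; with override enabled device priority is compared before age, so the higher priority resumes as primary. Assumptions not stated on the page: the age and serial-number tie-breaks and the 300 s age margin follow FGCP's documented selection order, override counts as in effect when any member has it enabled, and hostnames, serials and ages are constructed.

```python
from dataclasses import dataclass
from functools import cmp_to_key

AGE_MARGIN_S = 300   # age differences below this are ignored (assumption)


@dataclass
class Unit:
    hostname: str
    serial: str
    priority: int        # device priority, higher is preferred
    age_s: int           # seconds since the unit joined the cluster
    monitored_up: int    # monitored interfaces (port1 in the lab) with link up
    override: bool = False


def compare(a, b, override_in_effect):
    """Positive if a ranks above b for the primary role, negative if below."""
    if a.monitored_up != b.monitored_up:          # link monitoring comes first
        return a.monitored_up - b.monitored_up
    age = a.age_s - b.age_s
    if abs(age) < AGE_MARGIN_S:
        age = 0
    prio = a.priority - b.priority
    first, second = (prio, age) if override_in_effect else (age, prio)
    if first:
        return first
    if second:
        return second
    return (a.serial > b.serial) - (a.serial < b.serial)   # highest serial wins


def elect_primary(units):
    """Hostname of the unit that becomes or stays primary. Override is treated
    as in effect when any member has it enabled (assumption)."""
    ovr = any(u.override for u in units)
    return max(units, key=cmp_to_key(lambda a, b: compare(a, b, ovr))).hostname


def lab_pair(primary_age, backup_age, override, primary_monitored_up=1):
    """The lab's master (priority 100) and slave (priority 50); serials are made up."""
    return [
        Unit("PrimaryFW", "FGVM00TEST000001", 100, primary_age, primary_monitored_up, override),
        Unit("BackupFW", "FGVM00TEST000002", 50, backup_age, 1),
    ]


def scenarios():
    """Outcomes for the failover walkthrough at the end of the lab."""
    return {
        "initial_boot": elect_primary(lab_pair(0, 0, False)),              # priority decides
        "rejoin_no_override": elect_primary(lab_pair(30, 3600, False)),    # restarted unit stays backup
        "rejoin_override": elect_primary(lab_pair(30, 3600, True)),        # 'set override enable' on PrimaryFW
        "monitored_link_down": elect_primary(lab_pair(3600, 3600, True, 0)),  # port1 down on PrimaryFW
    }
```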
