High Availability

Question 1

How many FTG’s can be put in a cluster?

Answer 1

two to four

Question 2

What is synchronized in an HA Cluster?

Answer 2

Configruation, session info, FIB entries, FortiGuard definitions,

Question 3

Do passive members in a A-P HA cluster process traffic?

Answer 3

No, only start forwarding in the event of a fail over.

Question 4

How does active-active work?

Answer 4

The primary FTG can distribute sessions to other cluster members

Question 5

What is FGCP?

Answer 5

FortiGate Clustering Protocol

Question 6

What does FGCP do?

Answer 6

Used for member discovery, primary election, data sync, member health monitoring.

Question 7

What is frame type 8890/1 in H/A Heartbeats

Answer 7

0x8890 is NAT mode 0x8891 is transparent mode

Question 8

What is frame type 8893 in H/A Heartbeats

Answer 8

Data synchronization, logging and cli management

Question 9

For HA what does inner packet type TCP/UDP 703 used for?

Answer 9

Data Sync

Question 10

For HA what does inner packet type TCP 700 used for?

Answer 10

Logging and email alerts

Question 11

For HA what does inner packet type TCP 22 used for?

Answer 11

CLI Management

Question 12

What can trigger an HA Failover

Answer 12

Dead member, Failed link, Failed remote link, high memory usage, failed SSD, admin triggered

Question 13

What must match in order to form an HA Cluster?

Answer 13

Firmware version,
Model (virtual or physical)
Licensing
Hard drive config (size, partitions)
Operating mode: NAT or transparent

Question 14

What happens if the licensing models are different in HA Clusters?

Answer 14

The lowest level of license in common is used.

Question 15

What must match from an HA Settings perspective?

Answer 15

Group ID, group name, password and interface settings

Question 16

Should you place all heart beat interfaces in the same broadcast domain?

Answer 16

Yes

Question 17

What is the Election process when override is disabled

Answer 17

of connected interfaces
HA Uptime
Priority (highest)
Lowest serial number

Question 18

what does diagnose sys ha reset-uptime do?

Answer 18

Reset HA uptime to 0]

Question 19

What is the primary fortunate election with override enabled?

Answer 19

of connected interfaces
Priority (highest)
HA Uptime
Lowest serial number

The highest priority means you can specify a FTG that will always become the primary even after it recovers from a failover.

Question 20

What operational data does the primary FTG synch

Answer 20

Some config settings
FIB entries
DHCP lease
ARP table
FortiGuard definitions
IPsec SA’s
Sessions (must be enabled)

Question 21

What is the heartbeat IP address assignment for the highest serial number? second?

Answer 21

169.254.0.1 for first
169.254.0.2 for the second

Question 22

When do heartbeat IP address change?

Answer 22

When a device joins or leaves the cluster

Question 23

What port must you use for heartbeats?

Answer 23

physical only

Question 24

Are heartbeat interfaces used for user traffic?

Answer 24

no

Question 25

What is a monitored interface?

Answer 25

An interface that is monitored to determine a failure has occurred and to failover to the other unit.

Question 26

What are examples of incremental sync in HA

Answer 26

DHCP leases
FIB entries
IPSec SAs
Session info

Question 27

What happens if checksums don’t match in a HA cluster?

Answer 27

After five attempts the secondary downloads the full configuration from the primary.

Question 28

What are settings are not synced between HA devices>

Answer 28

HA interface settings
HA override
HA device priority
HA virtual cluster priority
FTG hostname
ping sever
Licenses
Cache

Question 29

Does FTG keep track of Multicast sessions for HA?

Answer 29

No just multicast routes

Question 30

What is the recommended TTL timer for multicast routes to stay in the HA table?

Answer 30

120 seconds recommended.

Question 31

Is link HA priority synchronized to all members?

Answer 31

No it is locally significant only.

Question 32

How do you prevent MAC address conflicts with multiple HA clusters in the same broadcast domain?

Answer 32

Assign different HA group IDs

Question 33

How does the new primary let the network know it can reach the virtual Mac addresses through new ports?

Answer 33

Gratuitous ARPs

Question 34

Does the Primary HA Fortigate resign traffic sessions when a secondary fails?

Answer 34

Yes

Question 35

What command enables distribution of all traffic for an HA cluster?

Answer 35

under HA settings type load-balance-all

Question 36

Does the Primary FTG always receive the packets from clients in an Active-Active (proxy-based) HA cluster?

Answer 36

Yes

Question 37

What sessions cannot be load balanced for HA

Answer 37

ICMP, Multicast, broad cast, SIP SLG, IM, P@P and IPsec VPN SSL and WCCP

Question 38

When are HTTPS sessions not load balanced in an Active-Active deployment?

Answer 38

if subjected to proxy based HTTPS inspection

Question 39

When are HTTPS sessions load balanced in active-active HA cluster

Answer 39

Load-balance-all is enabled
and
flow mode inspection
or
proxy mode is enabled but HTTPS traffic is not enabled.

Question 40

What is the default A/A Load balancing methods?

Answer 40

weight-round-robin the higher the weight the more sessions

Question 41

What is the variable order for the set weight command

Answer 41

<id> <weight)
</id>