High Availability Flashcards
HA Requirements
All members must have the same:
Model
Firmware Version
Licensing (If different, cluster uses lowest-level license)
Hard Drive Configuration
Operating mode of management VDOM
Setup:
Same HA group ID, group name, password, and heartbeat interface settings
Best Practices:
Use at least two heartbeat interfaces, for redundancy
Before enabling HA, switch DHCP and Point-to-Point Protocol over Ethernet (PPPoE) interfaces to static configuration; they can be changed back after the cluster has formed
Command to force a failover (resets the HA uptime of the member it is run on, so that member loses the uptime comparison; only effective when override is disabled, because with override enabled priority is compared before uptime):
diagnose sys ha reset-uptime
Command to check HA uptime:
diagnose sys ha dump-by vcluster
Sample output, one line per member (HA uptime in seconds / number of uptime resets):
uptime/reset_cnt=7814/0
uptime/reset_cnt=0/1   <- member on which reset-uptime was run
Primary FGT election with override disabled
Connected monitored ports -> HA uptime -> Priority -> Serial number
At each step the member with the greater value becomes the primary; a tie moves the election to the next criterion. HA uptime differences smaller than the uptime margin (ha-uptime-diff-margin, 300 seconds by default) count as a tie.
HA Override
config system ha
    set override enable
end
With override enabled, priority is compared before HA uptime:
Connected monitored ports -> Priority -> HA uptime -> Serial number
Force a failover: change the HA priority. The election process is otherwise the same, so the member with the highest priority (and all monitored ports connected) becomes primary as soon as it joins or its priority is raised.
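The election order on the two cards above, with and without override, as an added example (not code from the flashcards or from Fortinet). It models the four criteria as pairwise comparisons and treats uptime differences within the margin as a tie; the member data, serial numbers and priorities are constructed for the demo.

```python
# Added example (not from the flashcards): model of FGCP primary election.
from dataclasses import dataclass

DEFAULT_UPTIME_MARGIN = 300  # ha-uptime-diff-margin default, in seconds


@dataclass
class Member:
    name: str
    serial: str          # greater serial number wins the final tie-break
    monitored_up: int    # number of monitored ports that are connected
    ha_uptime: int       # seconds since boot or since 'diagnose sys ha reset-uptime'
    priority: int        # 'set priority' under config system ha (default 128)


def _by_monitored(a, b):
    return None if a.monitored_up == b.monitored_up else a.monitored_up > b.monitored_up


def _by_uptime(a, b, margin):
    # Uptime differences within the margin are a tie, not a win.
    if abs(a.ha_uptime - b.ha_uptime) <= margin:
        return None
    return a.ha_uptime > b.ha_uptime


def _by_priority(a, b):
    return None if a.priority == b.priority else a.priority > b.priority


def beats(a, b, override=False, margin=DEFAULT_UPTIME_MARGIN):
    """True if member a wins the election against member b."""
    checks = [
        lambda: _by_monitored(a, b),
        lambda: _by_uptime(a, b, margin),
        lambda: _by_priority(a, b),
    ]
    if override:
        # override enable: priority is compared before HA uptime
        checks[1], checks[2] = checks[2], checks[1]
    for check in checks:
        result = check()
        if result is not None:
            return result
    return a.serial > b.serial  # final tie-break: greater serial number


def elect(members, override=False, margin=DEFAULT_UPTIME_MARGIN):
    """Return the name of the member that becomes primary."""
    primary = members[0]
    for m in members[1:]:
        if beats(m, primary, override, margin):
            primary = m
    return primary.name


# Constructed sample cluster: A has been up longer, B has the higher priority.
FGT_A = Member("FGT-A", "FGT60F0000000001", monitored_up=2, ha_uptime=7814, priority=100)
FGT_B = Member("FGT-B", "FGT60F0000000002", monitored_up=2, ha_uptime=600, priority=200)


def demo():
    """Who wins under each setting, and after reset-uptime on A."""
    a_reset = Member("FGT-A", FGT_A.serial, 2, 0, 100)
    return {
        "override disabled": elect([FGT_A, FGT_B]),
        "override enabled": elect([FGT_A, FGT_B], override=True),
        "after reset-uptime on A": elect([a_reset, FGT_B]),
    }


if __name__ == "__main__":
    for setting, winner in demo().items():
        print(f"{setting}: {winner}")
```

With override disabled A keeps the primary role on uptime even though B has the higher priority; enabling override (or resetting A's uptime) hands it to B.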
Ethernet Types in HA
0x8890 (NAT/Route) or 0x8891 (transparent):
Heartbeats
Discover other FGTs in HA group
Elect the Primary
Synchronize other data
Detect when a device fails
0x8893
Config Synchronization
Sniffer for HA heartbeats example (verbosity 4 shows interface names; ether proto 0x8891 for transparent mode)
diagnose sniffer packet any "ether proto 0x8890" 4
Session Synchronization
Dedicated session sync interfaces:
config system ha
    set session-sync-dev <interface1> <interface2>
end
By default, session sync occurs over the heartbeat link. Dedicated sync links reduce the bandwidth requirements of the HA heartbeat interface and improve the efficiency and performance of the cluster.
Dedicated sync links are recommended because session sync needs more bandwidth than heartbeats; when both share a link, a very large number of sessions to be synced can delay or drop heartbeats and trigger a false failover. Multiple session sync interfaces can be selected to load balance the sync traffic. If all session sync interfaces become disconnected, session sync reverts to the HA heartbeat link.
Virtual MAC Addresses and Failover
On primary, each interface (except HA heartbeat interfaces and reserved management interfaces) is given a virtual MAC address.
Upon failover, the newly elected primary adopts the same virtual MAC addresses as the former primary.
After a failover, the new primary broadcasts gratuitous ARP packets, notifying the network that each virtual MAC address is now reachable through a different switch port. Some switches do not clear their MAC tables fast enough (see link-failed-signal below).
Virtual MAC Address Assignment
FGT uses formula below:
<group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)
group-prefix is determined by the set of group IDs:
Set 1: group IDs 0-255: group prefix 00:09:0f:09
Set 2: group IDs 256-511: group prefix e0:23:ff:fc
Set 3: group IDs 512-767: group prefix e0:23:ff:fd
Set 4: group IDs 768-1023: group prefix e0:23:ff:fe
group-id_hex is the HA group ID % 256 converted to hexadecimal
vcluster_integer is 0x00 for virtual cluster 1 and 0x80 for virtual cluster 2
idx is the interface index number (interfaces are numbered 0 to x)
Two or more HA clusters in the same LAN segment should use different HA group IDs to prevent virtual MAC address conflicts
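The formula on the cards above, as an added example that is not part of the flashcards or of FortiOS. It computes the virtual MAC for a given group ID, virtual cluster and interface index, and shows why two clusters on one LAN segment need different group IDs: the prefix set and the group-id_hex octet are all that separate them.

```python
# Added example (not from the flashcards): FGCP virtual MAC address formula
# <group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)

GROUP_PREFIXES = [
    "00:09:0f:09",  # set 1: group IDs 0-255
    "e0:23:ff:fc",  # set 2: group IDs 256-511
    "e0:23:ff:fd",  # set 3: group IDs 512-767
    "e0:23:ff:fe",  # set 4: group IDs 768-1023
]

VCLUSTER_BASE = {1: 0x00, 2: 0x80}


def virtual_mac(group_id: int, vcluster: int, idx: int) -> str:
    """Virtual MAC of interface number idx in the given virtual cluster."""
    if not 0 <= group_id <= 1023:
        raise ValueError("HA group ID must be 0-1023")
    if vcluster not in VCLUSTER_BASE:
        raise ValueError("vcluster must be 1 or 2")
    # The last octet is a single byte and vcluster 2 starts at 0x80,
    # so the interface index cannot exceed 0x7f.
    if not 0 <= idx <= 0x7F:
        raise ValueError("interface index must be 0-127")
    prefix = GROUP_PREFIXES[group_id // 256]        # prefix set from the group ID range
    group_hex = group_id % 256                      # group-id_hex
    last = VCLUSTER_BASE[vcluster] + idx            # vcluster_integer + idx
    return f"{prefix}:{group_hex:02x}:{last:02x}"


def cluster_macs(group_id: int, vcluster: int, n_interfaces: int) -> set:
    """All virtual MACs a cluster assigns to interfaces 0..n_interfaces-1."""
    return {virtual_mac(group_id, vcluster, i) for i in range(n_interfaces)}


def overlapping_macs(group_a: int, group_b: int, vcluster: int = 1, n_interfaces: int = 4) -> set:
    """Virtual MACs two clusters on the same LAN segment would both use."""
    return cluster_macs(group_a, vcluster, n_interfaces) & cluster_macs(group_b, vcluster, n_interfaces)


if __name__ == "__main__":
    print(virtual_mac(1, 1, 0))                 # port index 0, group ID 1, vcluster 1
    print(sorted(overlapping_macs(10, 10)))     # same group ID on one segment: conflict
    print(sorted(overlapping_macs(10, 266)))    # 266 % 256 == 10, but a different prefix set
```

Group IDs 10 and 266 share the same group-id_hex octet (0x0a) yet produce no conflict because they fall in different prefix sets; two clusters that both use group ID 10 would claim identical virtual MACs on every interface.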
Verify HA Virtual MAC Address command
diagnose hardware deviceinfo nic port1
In the output, Current_HWaddr is the virtual MAC address in use; Permanent_HWaddr is the physical (burned-in) MAC of the port
To shut down the interfaces of the former primary for one second after a failover, use the command:
config system ha
    set link-failed-signal enable    (default: disable)
end
Because of the link outage, all switches detect the failure and clear their MAC tables, so they relearn the virtual MACs on the new primary's ports
Active-Active Traffic Flow (Proxy Inspection)
Client sends SYN; it is received by a port on the primary because the packet's destination is the virtual MAC on that port.
Primary forwards the SYN to the selected secondary. A MAC address rewrite occurs (source MAC changed to the physical MAC of the primary's port, destination MAC changed to the physical MAC of the secondary's port). The packet is also encapsulated in a 0x8891 EtherType frame, which is only done for the first packet of a load-balanced session; it carries the original packet plus the session information the secondary needs.
Secondary responds to the client with a SYN/ACK packet whose source is the physical MAC of the secondary's port and whose destination is the MAC of the client.
Client acknowledges the SYN/ACK by sending an ACK to the cluster, destined to the port on the primary.
Primary matches the session information and forwards the ACK to the secondary. Three-way handshake complete.
Then the secondary begins the connection to the server. The same cycle is performed again between the secondary and the server, with the primary forwarding the packets that match the session to the secondary.
Goal of Active-Active
To use otherwise idle CPU and memory on the secondary devices, not really to load balance traffic. Since traffic from endpoints is always sent to the primary first, the primary usually sees more traffic than any secondary device.
Active-Active Traffic Flow (No proxy inspection)
Sessions are distributed to the secondary only if you enable load-balance-all under the HA configuration.
Traffic sourced from the client or server and destined to the cluster is sent to the primary, with the destination MAC set to the virtual MAC. If the session is load balanced, the primary sends it to the secondary using physical MACs. Any traffic from the cluster destined to an endpoint is sourced from the physical MAC of the secondary's egress interface.
The major difference is that the FortiGate does not reply to packets on behalf of the client or server. Instead, it forwards packets through the secondary to the destination endpoint (client or server).
Active Active Load Balancing Method: none
Primary device handles all sessions
Active Active Load Balancing Method: leastconnection
Sessions are sent to the member with the least number of sessions
Active Active Load Balancing Method: round-robin
Default method. Sessions are distributed equally across members
Also by default, only sessions subject to proxy inspection are distributed. Enable load-balance-all to load balance all traffic
Active Active Load Balancing Method: weight-round-robin
The more weight a member is assigned, the more sessions it handles
Active Active Load Balancing Method: random
Sessions distributed randomly
Active Active Load Balancing Method: ip
sessions with the same source and destination IP pair are handled by the same member
Active Active Load Balancing Method: ipport
Distribution based on source address, source port, dest address, and dest port information
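A complete active-active FGCP configuration that brings together the settings from the cards above (group ID, heartbeat and session-sync interfaces, override and priority, monitored ports, link-failed-signal, scheduling method and load-balance-all). This is an added example, not configuration from the flashcards; the interface names, group ID, group name and password are assumptions, and the same block is applied to every member with only the priority differing.

```text
config system ha
    set group-id 10                          # same on all members; unique per LAN segment
    set group-name "FGT-HA"
    set mode a-a
    set password "<shared-secret>"           # assumed placeholder
    set hbdev "port7" 50 "port8" 100         # two heartbeat interfaces with heartbeat priorities
    set session-sync-dev "port9"             # dedicated session sync link (not a heartbeat interface)
    set override disable                     # uptime is compared before priority
    set priority 200                         # lower this value on the other member
    set monitor "port1" "port2"              # monitored ports: first election criterion
    set link-failed-signal enable            # 1 s link drop on the former primary after failover
    set schedule round-robin                 # a-a load balancing method
    set load-balance-all enable              # distribute non-proxy sessions too
    set ha-uptime-diff-margin 300            # uptime differences below this are a tie
end
```

The members must also match on model, firmware, licensing, disk layout and management VDOM mode before this configuration forms a cluster.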
Virtual Clustering
Operates in active-passive mode. Limited to 30 virtual clusters. An extension of FGCP for a cluster of FGT devices with multiple VDOMs enabled. If you have two VDOMs with high traffic volume, you can make each cluster member the primary for one of them.
Control the distribution of traffic by adjusting which device is primary for each VDOM (each virtual cluster has its own priority per member).
config system ha
    set mode a-p
    …
    set vcluster-status enable
    config vcluster
        edit 1
            set override disable
            set priority 100                 <- this member's priority for virtual cluster 1
            set vdom "VDOM1" "root"          <- VDOMs that belong to virtual cluster 1
        next
    end
end
FGSP
FortiGate Session Life Support Protocol, used only for sharing sessions between standalone FGT devices or between FGCP clusters.
Peer-to-peer communication
2-16 standalone devices, or 2-16 FGCP clusters of two members each
Load balancing and failover are performed by external network devices
All IPv4 and IPv6 TCP sessions, and IPsec tunnels, are synchronized by default
Configuration is required to synchronize other types of sessions (UDP/ICMP, NAT, expectation sessions)
Primarily used when there is an external load balancer in the topology.
config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip 10.10.10.1
        next
    end
end
Session Sync over Layer 2
config system standalone-cluster
    set session-sync-dev <port>
end
Used when the interface is configured and the peers' session sync interfaces are directly connected (layer 2 adjacency)
Session Sync Encryption
Can be encrypted using an IPsec tunnel - layer 3 connections only
config system standalone-cluster
set encryption enable
set psksecret fortinet
end
IPsec vpn and policies are automatically created
Inspection with Asymmetric Traffic
For FGSP peers with layer 2 access to each other, UTM inspection can be supported by always forwarding traffic back to the session owner for processing. The session owner is the FGT that received the first packet of the session.
In the standalone-cluster settings:
set layer2-connection {available | unavailable}
If unavailable (layer 3 between peers), traffic bound for the session owner is forwarded through the peer interface inside a UDP connection
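A complete FGSP configuration for one of two layer-3-connected standalone peers, combining the cards above: the standalone cluster with its peer, session pickup for the session types that are not synced by default, and IPsec encryption of the sync traffic. This is an added example, not configuration from the flashcards; the group and member IDs, peer address, VDOM name and pre-shared key are assumptions, and the other peer uses the same block with its own group-member-id and this unit's address as peerip.

```text
config system ha
    set session-pickup enable                  # required for FGSP session sync
    set session-pickup-connectionless enable   # also sync UDP and ICMP sessions
    set session-pickup-expectation enable      # sync expectation (helper-created) sessions
    set session-pickup-nat enable              # sync NAT sessions
end
config system standalone-cluster
    set standalone-group-id 1                  # same on every peer
    set group-member-id 1                      # unique per peer (assumed: 1 here, 2 on the other)
    set layer2-connection unavailable          # peers reach each other over layer 3
    set encryption enable                      # sync traffic carried in an auto-created IPsec tunnel
    set psksecret "<shared-secret>"            # assumed placeholder; same on both peers
    config cluster-peer
        edit 1
            set peerip 10.10.10.2              # assumed address of the other peer
            set syncvd "root"                  # VDOM(s) whose sessions are synchronized
        next
    end
end
```

With layer2-connection set to unavailable, packets for a session owned by the other peer are tunneled to it over UDP rather than switched at layer 2, so UTM inspection still happens on the session owner.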
FGSP Config Sync
AKA Standalone Configuration Synchronization
Configuration and external files are synced over heartbeat connections from one device to another in the same way as in FGCP (layer 2 required, and multiple heartbeat ports for redundancy)
Basically the same as the sync feature in FGCP:
A primary device is elected with the same election process
The primary and secondary roles are only for configuration sync purposes and NOT for traffic
config global
    config system ha
        …
        set mode standalone
        …
        set standalone-config-sync enable
        …
    end
end
VRRP
Virtual Router Redundancy Protocol. VRRP routers periodically send VRRP advertisements to maintain the status of the primary and backup routers. The backup with the highest priority becomes the new primary when it stops receiving VRRP advertisements.
FortiOS supports VRRP versions 2 and 3, and IPv4 and IPv6 VRRP. You can create VRRP domains that include multiple FGTs and other VRRP-compatible routers.
Up to two VRRP destination addresses can be monitored by the primary device; if they become unreachable, the primary gives up its role. Best practice is that these destinations are remote, so that the check reflects real reachability rather than a local link.
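A VRRP instance on one FortiGate interface, as an added example that is not configuration from the flashcards: a virtual router with the VRRP virtual MAC enabled and two monitored destination addresses. The interface name, group number, virtual IP, priority and destination addresses are assumptions; a VRRP-compatible peer router on the same segment would use the same vrgrp and vrip with a lower priority.

```text
config system interface
    edit "port1"
        set vrrp-virtual-mac enable            # answer for the VRRP virtual MAC, not the physical one
        config vrrp
            edit 1
                set vrgrp 1                    # VRRP group shared with the peer router(s)
                set vrip 10.0.0.254            # virtual IP that hosts use as their gateway
                set priority 255              # highest priority: this unit is the primary
                set vrdst 10.0.1.1 10.0.1.2    # up to two remote destinations to monitor
            next
        end
    next
end
```

If both monitored destinations stop responding, this unit stops advertising and the backup with the next-highest priority takes over the virtual IP.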