High Availability

Question 1

What does FortiGate use to discover members, elect the primary FortiGate, and monitor the health of members?

Answer 1

FortiGate Clustering Protocol (FGCP)

Question 2

What are the two HA operation modes?

Answer 2

• Active-active
• Active-passive

Question 3

In active-passive mode, how does the secondary FortiGate device behave?

Answer 3

• Passive, monitors the status of the primary device
• Takes over primary role if a problem is detected on the primary FortiGate

Question 4

What is the difference between active-passive mode and active-active mode?

Answer 4

• In active-active, all cluster members can process traffic
• The primary FortiGate can distribute supported sessions to the secondary devices

Question 5

What are the requirements to form an HA cluster?

Answer 5

• Members must have the same
• Model
• Firmware version
• Licensing (if different, uses the lower)
• Hard drive configuration
• Operating mode

Question 6

What settings should you configure the same on each HA cluster member?

Answer 6

• Group ID
• Group name
• Password
• Heartbeat interface settings

Question 7

What are some best practices to apply when configuring HA clusters?

Answer 7

• Configure at least two heartbeat interfaces for redundancy
• Try to place all heartbeat interfaces in the same broadcast domain, or directly connected if only two

Question 8

How does the primary FortiGate election process work?

Answer 8

• Compares number of monitored interfaces that are up
• Compares HA uptime of each member
• Highest priority
• Highest serial number

Question 9

What happens when HA override is disabled?

Answer 9

• HA uptime has precedence over the priority setting
• If you must manually fail over to a secondary device, you can do so by reducing the HA uptime of the primary FortiGate by running diagnose sys ha reset-uptime

Question 10

What is a task the primary FortiGate takes on only in active-active mode?

Answer 10

Distributes sessions to secondary members

Question 11

What is a task performed by the secondary FortiGate only in active-active mode?

Answer 11

Processes traffic distributed by the primary

Question 12

How does FGCP assign heartbeat IP addresses?

Answer 12

• Automatically based on the serial number of each device
• 169.254.0.1 gets assigned to the device with the highest SN

Question 13

What are characteristics of heartbeat IP addresse?

Answer 13

• Non-routable
• Only used for FGCP operations
• HA cluster uses them to distinguish cluster members and synchronize data

Question 14

What is good practice when configuring heartbeat interfaces?

Answer 14

• Must configure at least one port as a heartbeat interface, and can only use physical interfaces
• Heartbeat traffic should be on a dedicated VLAN

Question 15

What must be configured for link failover to work?

Answer 15

One or more monitored interfaces

Question 16

How does FortiGate prepare for a failover?

Answer 16

• HA cluster keeps its configurations in sync
• Checks every 60 seconds

Question 17

What does the primary FortiGate automatically synchronize with VPNs?

Answer 17

• IPsec data, tunnels continue to be up after failover
• Not SSL VPN data, tunnel must be restarted after a failover

Question 18

What’s memory based failover?

Answer 18

HA failover is triggered when the memory utilization on the primary FortiGate reaches the configured threshold

Question 19

What happens in terms of virtual MAC address after a failover?

Answer 19

The newly elected primary adopts the same virtual MAC address as the former primary

Question 20

What’s the point of a full mesh HA topology?

Answer 20

To eliminate a single point of failure

Question 21

Which session type can you synchronize in an HA cluster?

Answer 21

Non-proxy TCP sessions

Question 22

How would you upgrade firmware in an HA cluster?

Answer 22

Upload the new firmware to the primary FortiGate only