73-High Availability Overview

High Availability (HA) in firewalls involves deploying two synchronized firewalls to ensure redundancy and prevent single points of failure, with configurations for Active-Passive and Active-Active modes. Active-Passive mode has one active firewall managing traffic while the other is on standby, whereas Active-Active mode allows both firewalls to process traffic simultaneously for load balancing. Proper setup requires matching hardware models, FortiOS versions, and specific interface configurations, along with designated heartbeat links for communication and synchronization.

High Availability Overview:

o HA is usually required in systems where there is a high demand for minimal downtime.
o High Availability (HA) is a deployment in which two firewalls are placed in a group.
o Their configuration is synchronized to prevent a single point of failure on your network.
o A heartbeat connection between the firewall peers ensures failover if a peer goes down.
o Setting up two firewalls in an HA pair provides redundancy and ensures business continuity.
o Firewalls in an HA pair use HA links to synchronize data and maintain state information.
o FortiGate firewalls require you to use in-band ports as HA links.
o HA ports are used to manage communication and synchronization between FortiGate firewalls.
o All FortiGates in a cluster must be the same model and have the same firmware installed.

FortiGate Firewall HA Modes:

Active-Passive:
o In Active-Passive mode, one firewall actively manages traffic while the other stays synchronized with it.
o In Active-Passive mode, the passive firewall is ready to transition to the active state should a failure occur.
o The active firewall manages traffic until a path, link, system, or network failure occurs.
o When the active firewall fails, the passive firewall transitions to the active state and takes over.
o Active-Passive mode does not increase session capacity or network throughput.
o Active-Passive has a simple design concept, so it is easier to troubleshoot routing.

Active-Active:
o In an Active-Active deployment, both firewalls in the pair are active and process traffic.
o Use an Active-Active setup to load balance TCP sessions across multiple firewall units.
o UDP, ICMP, multicast, and broadcast traffic remains only on the primary firewall unit.
o The primary FortiGate unit distributes TCP sessions to all other firewalls in the cluster.
o Active-Active HA provides session failover protection for all TCP sessions.
o Active-Active HA does not provide session failover for UDP, ICMP, multicast, and broadcast traffic.
o Active-Active HA is less session failover resilient than Active-Passive mode.
o Active-Active does not load balance all sessions; load balancing applies to sessions with security profiles and proxy inspection enabled.
o Active-Active HA load balancing distributes proxy-based security profile processing to all cluster units.

Page 1 | Created by Ahmad Ali, E-Mail: [email protected], Mobile: 00966564303717


HA Pre-Requisites:
o To set up High Availability (HA) on firewalls, you need a pair of firewalls that meet the following requirements.
o The same model: the FortiGate firewalls in the pair must be of the same hardware model.
o The same FortiOS version: the firewalls must be running the same FortiOS version.
o All FortiGates in a cluster must be the same model and have the same firmware installed.
o Cluster members must also have the same hardware configuration, such as the same HDD.
o Each member must be up to date with the same application, URL, and threat databases.
o To set up HA in Active-Active or Active-Passive mode, the same type of interfaces is required.
o All cluster members share the same configuration except the host name and priority in the HA settings.
o Set all FortiGate interfaces to manual addressing; make sure you are not using DHCP or PPPoE.
o Licenses are unique to each firewall and cannot be shared between firewalls; each member requires the same set of licenses.

High Availability Links:

o By default, on FortiGate models two interfaces are configured as heartbeat interfaces.
o The HA1 link is used to exchange hellos, heartbeats, and HA state information.
o The HA1 link is also used to exchange management plane synchronization for routing and User-ID information.
o HA1 monitors HA status, such as configuration synchronization for Active-Passive.
o HA1 acts as a keepalive between HA agents; it senses a power cycle, reboot, or power down.
o The FortiGate firewalls also use this link to synchronize configuration changes with their peer.
o A heartbeat interface is an Ethernet interface in the cluster used by the FGCP for the HA heartbeat.
o Heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893.
o The default time interval between HA heartbeats is 200 ms.
o Link-local IPv4 addresses in the 169.254.0.x range are used as heartbeat interface IP addresses.
o If the cluster has two firewalls, connect the heartbeat interfaces directly using a crossover cable.
o Heartbeat packets contain sensitive information about the cluster configuration.
o Heartbeat packets may also use a considerable amount of network bandwidth.
o On startup, a FortiGate configured for HA operation broadcasts HA heartbeat hello packets from its HA heartbeat interfaces to find other FortiGates configured to operate in HA mode.
o In addition to selecting heartbeat interfaces, also set a priority for each heartbeat interface.
o The heartbeat interface with the highest priority is used for all HA heartbeat communication.
o If that interface fails or is disconnected, the interface with the next highest priority handles all heartbeat communication.
o For the HA cluster to function correctly, you must select at least one heartbeat interface.
o On FortiGate firewalls, the heartbeat interface priority range is 0 to 512.
o The default priority when selecting a new heartbeat interface is 0; a higher number means a higher priority.
o You can enable heartbeat communication on a physical interface but not on a VLAN subinterface.
o It is also not available on IPsec VPN interfaces, redundant interfaces, or 802.3ad aggregate interfaces.
o You cannot select these interface types in the FortiGate heartbeat interface list.
o On a FortiGate firewall you can select up to 8 heartbeat interfaces.
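The following FortiOS CLI configuration is an added example that ties the HA modes section and the heartbeat-link section above together; it is not part of the original notes. It configures one member of a two-unit cluster with two heartbeat interfaces at different priorities, the 200 ms heartbeat interval, and heartbeat authentication and encryption to protect the sensitive cluster information those frames carry. The interface names (port1 to port4), the group name, the priority values and the password placeholder are assumptions chosen for illustration.

```fortios
# Added example: FortiOS CLI for one member of a two-unit HA cluster.
# Assumptions: port3 and port4 are the dedicated, directly cabled heartbeat
# links; port1 and port2 carry production traffic. Names and values are
# chosen for illustration, not taken from the original notes.
config system ha
    set group-name "FW-HA-CLUSTER"        # must be identical on both members
    set mode a-p                          # Active-Passive; use a-a for Active-Active
    set password "<replace-with-a-strong-shared-secret>"   # placeholder, same on both units
    # Heartbeat interfaces with priorities (0-512, higher wins): port3 is
    # preferred, port4 takes over if port3 fails or is disconnected.
    set hbdev "port3" 100 "port4" 50
    set hb-interval 2                     # units of 100 ms, so 2 = the 200 ms default
    set hb-lost-threshold 6               # consecutive lost heartbeats before failover
    # Heartbeat frames carry cluster configuration, so authenticate and
    # encrypt them even on a directly cabled link.
    set authentication enable
    set encryption enable
    set session-pickup enable             # synchronize TCP sessions so they survive a failover
    set priority 200                      # higher value (0-255) is preferred as primary
    set override disable                  # avoid a failback flap when the old primary returns
    set monitor "port1" "port2"           # fail over when a monitored traffic port loses link
end

# Active-Active variant: replace "set mode a-p" with the block below. Without
# load-balance-all, only sessions using proxy-based security profiles are
# distributed across members; TCP session failover still needs session-pickup.
# config system ha
#     set mode a-a
#     set schedule round-robin
#     set load-balance-all enable
# end

# Verification once both members are configured:
# get system ha status              -> mode, cluster members and which unit is primary
# diagnose sys ha checksum cluster  -> configuration checksums must match on all members
```

Apply the same block on the second unit, changing only the host name and the priority (for example 100 on the secondary), as the prerequisites section states that everything else must match. Keep the heartbeat ports off any production switch segment: with a direct cable the Ethertype 0x8890/0x8891/0x8893 frames never reach other hosts, and the encryption setting covers the case where a switch has to sit in between.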
