Fortinet - FortiGate HA cluster for a fail-safe firewall setup
Whether your FortiGate is deployed as a security gateway, an internal segmentation firewall, in the cloud or in an MSSP environment, as long as critical traffic passes through it, it is at risk of being a single point of failure. Physical failures can be caused by power outages, physical link failures, transceiver failures or power supply failures. Non-physical failures can be caused by routing, resource problems or kernel panics.
Network outages cause business disruption, downtime and user frustration, and in some cases can result in financial setbacks. When designing your network and architecture, it is important to weigh the risks and consequences of unexpected outages.
To proactively address such issues, any FortiGate can be deployed in a high availability cluster. To do this, a few things need to be considered:
- Only identical models can form a cluster. Two FortiGate 100Fs can form a cluster; a FortiGate 100F and a FortiGate 101F cannot, and neither can a FortiGate 100F and a FortiGate 100E.
- Both firewalls must be fully licensed. The cluster runs with the lowest common denominator of the licences: if one FortiGate carries the UTP bundle and the other only a support licence, only the support licence is available in cluster operation.
- Both firewalls must run the same firmware version at the time the cluster is formed.
- Smooth failover may require additional hardware. A switch between the FortiGate units and the Internet access device (modem or router) lets the backup firewall reach the Internet without anyone moving a cable, and a second switch on the internal side does the same for the LAN. Connect each FortiGate to both switches so that the failure of one unit never requires recabling.
A FortiGate HA cluster (Fortinet's FGCP) can run in active-active or active-passive mode. In active-active mode both firewalls process traffic: the primary handles the sessions and can hand part of them, by default those that need proxy-based security inspection, to the secondary. In active-passive mode only the primary forwards traffic, while the secondary holds a synchronised copy of the configuration and sessions. In both modes, if the primary fails the secondary takes over directly, and ideally only the network admin is aware that something has happened.
But how do you actually set up an HA?
Something like this should always be well planned.
- Plan the cabling logically. In a simple setup it looks like this:
  Internet -> Router -> Switch -> FortiGate cluster -> Switch -> internal network
- For a new infrastructure, do the basic configuration on both FortiGate firewalls.
- For an existing firewall, do the basic configuration on the second appliance only. Give the existing firewall the higher device priority and add the new unit second, so that it is the existing configuration that is synchronised to the new unit and not the other way round.
- Configure the following under System -> HA:
- Mode: Active-Active or Active-Passive
- Device Priority: the higher value wins the primary election (the default is 128), so give the intended primary the higher value. With the override setting left at its default (disabled), priority is only one election criterion: a primary that is already running is not displaced by a unit with a higher priority, so failback after a failover is not automatic.
- Group name: the desired cluster name. If another FortiGate cluster shares the same layer-2 domain, also change the group ID (CLI setting group-id, default 0), because the cluster's virtual MAC addresses are derived from it.
- Heartbeat interfaces: one or more interfaces over which the two firewalls are directly connected; use two where the model allows it. Configuration, sessions and heartbeat information are exchanged over these links. Heartbeat messages are neither authenticated nor encrypted by default, so keep these links off shared segments or enable heartbeat authentication and encryption.
- Apply the same configuration to the second firewall, but with a lower device priority so that it joins the cluster as the secondary.
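As an added worked example (not taken from the original article), the CLI equivalent of the steps above for a two-unit active-passive cluster, entered on each unit under `config system ha`. The interface names (ha1 and ha2 as heartbeat links, port1 and port2 as monitored traffic ports), the group name, the group ID and the password are assumptions for illustration; use the port names of your own model. The block also enables the uninterruptible upgrade discussed in the next section.

```fortios
# Unit A (intended primary). Assumed names: group "FW-CLUSTER", group-id 7,
# heartbeat links ha1/ha2, monitored ports port1/port2.
config system ha
    set group-name "FW-CLUSTER"
    set group-id 7                        # default is 0; change it if another FGCP cluster shares the layer-2 domain
    set mode a-p                          # use "a-a" for active-active
    set password "ExampleClusterPw1"      # cluster password, must match on both units (assumed value)
    set hbdev "ha1" 50 "ha2" 100          # two directly connected heartbeat links; higher number = preferred link
    set authentication enable             # heartbeat messages are unauthenticated by default
    set encryption enable                 # ... and unencrypted by default
    set priority 200                      # higher than the default 128; the intended secondary gets a lower value
    set override disable                  # keep disabled unless a higher-priority unit should preempt (second failover)
    set session-pickup enable             # synchronise TCP sessions so established flows survive a failover
    set monitor "port1" "port2"           # a monitored link going down triggers a failover
    set uninterruptible-upgrade enable    # upgrade the secondary first, fail over, then the former primary
end

# Unit B (intended secondary): identical settings, lower priority.
config system ha
    set group-name "FW-CLUSTER"
    set group-id 7
    set mode a-p
    set password "ExampleClusterPw1"
    set hbdev "ha1" 50 "ha2" 100
    set authentication enable
    set encryption enable
    set priority 100
    set override disable
    set session-pickup enable
    set monitor "port1" "port2"
    set uninterruptible-upgrade enable
end

# Verification, run on the primary once the units see each other:
get system ha status               # roles, serial numbers, uptime and sync state of both members
diagnose sys ha checksum cluster   # configuration checksums must be identical on both members
execute ha manage 0 admin          # log in to the secondary through the primary (index from the status output)
# If the checksums differ, run "execute ha synchronize start" on the secondary to force a config sync.
```

Both units must carry the same model, firmware and licences before these commands are entered; the cluster only forms once the group name, group ID and password match, after which the primary's configuration overwrites the secondary's.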
What do I do if I want to update the firmware?
There are two options: an uninterruptible upgrade, which takes longer, or one with a short interruption. In principle, upgrading a cluster is no different from upgrading a single FortiGate unit: select the desired firmware under System -> Firmware and start the upgrade. With the uninterruptible upgrade, the firmware is first installed on the secondary firewall, which is then declared primary and takes over the traffic, in effect a controlled failover. The former primary is then upgraded, and once that has completed the primary is re-elected according to the cluster configuration (device priority and override setting).
If the secondary firewall crashes or stops responding during the upgrade, the primary keeps running on the old firmware and only upgrades itself once the secondary has rejoined the cluster with the upgrade completed.
If you are interested in a Fortinet FortiGate Firewall or want to make your existing infrastructure redundant with the help of a cluster, we would be happy to advise you. Contact us for a free initial consultation via our telephone number, e-mail address or our contact form.