High-Availability & Traffic Shaping

High availability matters most when a device or a link fails: the goal is that traffic keeps flowing without the surviving unit(s) losing the established sessions. Fortinet provides three different high-availability solutions on FortiGate.

FortiGate Cluster Protocol:

Also called FGCP, it combines two or more FortiGate units into one logical unit, the FortiGate cluster. FGCP is the default clustering protocol and has two modes of operation:

  • Active-Active (A-A): all members process traffic; the primary unit can distribute sessions to the subordinate units
  • Active-Passive (A-P): only the primary processes traffic; the subordinates keep a synchronised configuration and session table and take over on failure

To understand this, take the example in the figure below, where two FortiGate units form a cluster over WAN-1 and WAN-2, which also carry the heartbeat messages exchanged between the members. The steps to configure HA mode on the FortiGate units follow.

Step 1: Configure the WAN-1 and WAN-2 interfaces with the IP addresses shown in the diagram.

To configure high availability go to System | Config | HA and select Active-Active or Active-Passive mode.

Under Management Interface Reservation select another port and give it an IP address. A reserved management interface is not synchronised between cluster members, so each unit keeps its own address and can be reached individually (for example to diagnose a subordinate unit); this is also the usual way to manage virtual clusters.

Device Priority (highest wins) is used to choose the primary manually; if the priorities are equal, the unit with the highest serial number becomes the primary. Note that unless Override is enabled, FGCP compares HA uptime (age) before priority, so a higher-priority unit that has just rebooted does not automatically take the primary role back when it rejoins the cluster.

The group name (and the HA password) must be the same on both units. Also enable Session Pickup, which synchronises the session table to the other member so that TCP, UDP, IPsec and ICMP sessions survive a failover instead of being re-established (on recent FortiOS releases UDP and ICMP require the additional session-pickup-connectionless option).

Repeat the same configuration on the secondary FortiGate unit, with the WAN-1 and WAN-2 interface addresses changed and a lower Device Priority.

Once this is done, the two devices synchronise their configuration, as seen in the figure below.
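The same procedure from the CLI, as an added example that is not part of the original page or of Fortinet's documentation. FortiOS 6.x syntax is assumed, as are the interface names (wan1, wan2, port1, port2, mgmt), the addresses, the group name and the password; the # comments are explanatory. The heartbeat stays on the WAN ports to match the diagram, although dedicated heartbeat interfaces are preferable in production because the heartbeat frames are unencrypted and the links are critical for cluster integrity.

```fortios
# FortiGateA (intended primary). All names and addresses are assumed.
config system ha
    set group-name "FGT-CLUSTER"              # must match on every member
    set password "use-a-long-random-secret"   # must match on every member
    set mode a-p                              # a-a for Active-Active
    set hbdev "wan1" 50 "wan2" 100            # heartbeat interfaces and heartbeat priorities
    set session-pickup enable                 # synchronise TCP sessions
    set session-pickup-connectionless enable  # also UDP and ICMP sessions
    set override enable                       # let device priority win over HA uptime
    set priority 200                          # higher than the secondary
    set monitor "port1" "port2"               # link loss on these ports triggers a failover
    set ha-mgmt-status enable                 # reserve a non-synchronised management port
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0       # per-unit address, kept out of sync
        set allowaccess ping https ssh
    next
end

# FortiGateB (secondary): identical apart from priority and management address.
config system ha
    set group-name "FGT-CLUSTER"
    set password "use-a-long-random-secret"
    set mode a-p
    set hbdev "wan1" 50 "wan2" 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 100
    set monitor "port1" "port2"
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end
config system interface
    edit "mgmt"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Verification, from either member: role and uptime of each unit, and whether the
# configuration checksums of the members agree.
get system ha status
diagnose sys ha checksum cluster
```

Enabling override makes the priority deterministic, which is what the page describes, but it also means the cluster fails back as soon as the higher-priority unit returns; if that unit is flapping the primary role flaps with it, so leave override disabled where a stable primary matters more than a predictable one.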

FortiGate Session Life Support Protocol:

This protocol (FGSP) provides session redundancy when an external load balancer sits in front of two FortiGate units. The load balancer takes care of load balancing and session failover: depending on its configuration it sends all packets to the primary unit and redirects them to the secondary unit when the primary fails, or it spreads the workload across both units. FGSP keeps the session tables of the two units synchronised, so the unit that receives a redirected flow already knows the session and does not drop it as an out-of-state packet.

FGSP is configured only from the CLI. If the unit is already part of an FGCP cluster, that HA configuration must be removed first (HA mode standalone), because FGCP and FGSP cannot run together on the same unit.

config system session-sync
    edit <id>: Enter a unique ID number for the session synchronisation configuration (any number between 1 and 200).
    set peerip <address>: Enter the IP address of the interface on the peer unit that is used for the session synchronisation link.
    config filter: Add a filter so that only matching sessions are synchronised.
        set dstaddr <address>: Only sessions to this destination address range are synchronised.
        set dstintf <interface>: Enter the name of a FortiGate interface. Only sessions destined for this interface are synchronised.
        set service <service>: Only sessions that use this service are synchronised.
        set srcaddr <address>: Only sessions from this source address range are synchronised.
        set srcintf <interface>: Enter the name of a FortiGate interface. Only sessions from this interface are synchronised.

To show an FGSP configuration, let's suppose that our two units, FortiGateA and FortiGateB, have a synchronisation link on port3, with addresses and . On FortiGateA we enter the following commands:

config system session-sync
    edit 10
        set peerip
    next
end

On FortiGateB we enter the following commands:

config system session-sync
    edit 11
        set peerip
    next
end

VRRP (Virtual Router Redundancy Protocol):

VRRP is an open-standard redundancy protocol (RFC 3768 for version 2, RFC 5798 for version 3) that provides gateway redundancy between two or more routers, here two FortiGate units. The master owns the virtual IP address that the hosts use as their default gateway, so all traffic passes through it, and it periodically sends advertisements announcing its presence and priority to the backup devices. If the master fails, the backups stop receiving these advertisements and the highest-priority backup takes over the master role and the virtual IP. Because it is a standard, VRRP can also be used to form a redundancy group between a FortiGate and non-Fortinet devices.

Following are the configuration steps. VRRP is configured per interface, under the interface that hosts the virtual router:

config system interface
    edit <interface>
        config vrrp
            edit <vrid>: Enter an ID for the virtual router (the VRID, 1-255; it must be the same on every device in the group).
            set adv-interval <seconds>: Define the virtual router advertisement message interval (between 1 and 255 seconds).
            set priority <1-255>: Enter a priority value for this device; the highest priority becomes the master.
            set start-time <seconds>: Define the time that a backup unit not receiving advertisement messages waits before replacing the master.
            set status {enable | disable}: Used to disable or re-enable this VRRP virtual router.
            set vrdst <address>: Monitor the route to a destination IP address, so that loss of the upstream route can also trigger a failover.
            set vrip <address>: Enter the virtual IP for the virtual router.
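A worked VRRP pair, added here as an example that is not part of the original page or of Fortinet's documentation: FortiGateA and FortiGateB share the gateway address 192.0.2.1 on port1, FortiGateA is the preferred master. The interface name, the addresses, the VRID and the monitored upstream address 198.51.100.1 are assumed; the # comments are explanatory.

```fortios
# FortiGateA: preferred master for the LAN gateway 192.0.2.1 on port1.
config system interface
    edit "port1"
        set ip 192.0.2.2 255.255.255.0
        set vrrp-virtual-mac enable       # answer ARP with the VRRP MAC 00-00-5E-00-01-<vrid>,
                                          # so clients need not relearn the gateway MAC on failover
        config vrrp
            edit 1                        # VRID 1, shared with the backup
                set vrip 192.0.2.1        # virtual gateway address the hosts point at
                set priority 200          # highest priority becomes master
                set adv-interval 1        # advertisements every second to 224.0.0.18, IP protocol 112
                set start-time 3          # seconds without advertisements before a backup takes over
                set preempt enable        # reclaim the master role when this unit returns
                set vrdst 198.51.100.1    # monitored upstream destination
                set status enable
            next
        end
    next
end

# FortiGateB: backup with the same VRID and VRIP and a lower priority.
config system interface
    edit "port1"
        set ip 192.0.2.3 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 192.0.2.1
                set priority 100
                set adv-interval 1
                set start-time 3
                set preempt enable
                set vrdst 198.51.100.1
                set status enable
            next
        end
    next
end

# Verification: shows the VRRP state (master or backup) of each virtual router.
get router info vrrp
```

Two things a practitioner should keep in mind. With adv-interval 1 and start-time 3 a failover takes a few seconds, during which existing sessions are not carried over: unlike FGCP, VRRP replaces only the gateway, not the session table, so stateful flows through the old master are re-established after the switch. And VRRP version 2 advertisements are unauthenticated, so any host on the port1 segment can send an advertisement with priority 255 and take the gateway address for itself; the interface carrying VRRP should therefore face only the trusted routers, or be separated from user hosts by a VLAN.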


