
22/08/18 Basic example configuration


Basic example configuration

The following configuration example shows how to configure basic FGSP HA for the two peer
FortiGates shown below. The host names of peers are peer_1 and peer_2. Both peers are
configured with two virtual domains: root and vdom_1. All sessions processed by vdom_1 are
synchronized. The synchronization link interface is port3 which is in the root virtual domain. The IP
address of port3 on peer_1 is 10.10.10.1. The IP address of port3 on peer_2 is 10.10.10.2.

Also on both peers, port1 and port2 are added to vdom_1. On peer_1 the IP address of port1 is set
to 192.168.20.1 and the IP address of port2 is set to 172.110.20.1. On peer_2 the IP address of
port1 is set to 192.168.20.2 and the IP address of port2 is set to 172.110.20.2.

Example FGSP HA network configuration

To configure FGSP HA

1. Configure the load balancer or router to send all sessions to peer_1.

2. Configure the load balancer or router to send all traffic to peer_2 if peer_1 fails.

3. Use normal FortiGate configuration steps on peer_1:
   Enable virtual domain configuration.
   Add the vdom_1 virtual domain.
   Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
   Set the IP address of port1 to 192.168.20.1.
   Set the IP address of port2 to 172.110.20.1.
   Set the IP address of port3 to 10.10.10.1.
   Add route mode security policies between port1 and port2 to vdom_1.

help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_standaloneConfigBasic.htm 1/3

4. Enter the following commands to configure session synchronization for peer_1:

   config system cluster-sync
       edit 1
           set peerip 10.10.10.2
           set peervd root
           set syncvd vdom_1
   end

5. Use normal FortiGate configuration steps on peer_2:
   Enable virtual domain configuration.
   Add the vdom_1 virtual domain.
   Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
   Set the IP address of port1 to 192.168.20.2.
   Set the IP address of port2 to 172.110.20.2.
   Set the IP address of port3 to 10.10.10.2.
   Add route mode security policies between port1 and port2 to vdom_1.

6. Enter the following commands to configure session synchronization for peer_2:

   config system cluster-sync
       edit 1
           set peerip 10.10.10.1
           set peervd root
           set syncvd vdom_1
   end
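The two cluster-sync entries only work when they mirror each other: the peerip each FortiGate sets must be the other unit's port3 address, and peervd and syncvd must agree on both sides. The following script is an added example, not Fortinet's code or part of the original page; it parses cluster-sync stanzas in the plain `set <key> <value>` layout shown above and cross-checks the pair against each peer's port3 address (the addresses are the ones given in this example). It is a pre-deployment sanity check for the sync link, nothing more.

```python
"""Cross-check two FGSP cluster-sync entries before pasting them into the peers.

Added example (not Fortinet's code). Parses the `config system cluster-sync`
text for each peer and verifies that the entries mirror each other:
  * each peer's `set peerip` must equal the other peer's sync-link address,
  * `peervd` and `syncvd` must be the same on both units,
  * the two sync-link interfaces must not carry the same address.
Assumption: the stanza uses the flat `set <key> <value>` layout of the example.
"""
import re

# Sample input: the two stanzas from the example above, verbatim.
PEER_1_CLI = """\
config system cluster-sync
edit 1
set peerip 10.10.10.2
set peervd root
set syncvd vdom_1
end
"""

PEER_2_CLI = """\
config system cluster-sync
edit 1
set peerip 10.10.10.1
set peervd root
set syncvd vdom_1
end
"""

# Each peer's own port3 (synchronization link) address, from the example text.
PORT3 = {"peer_1": "10.10.10.1", "peer_2": "10.10.10.2"}

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_cluster_sync(cli: str) -> dict:
    """Return the `set` keys of the first cluster-sync entry as a dict.

    Values keep their raw text (syncvd may list several VDOMs); surrounding
    quotes are stripped so `set hbdev "port3"` style values compare cleanly.
    """
    settings = {}
    inside = False
    for line in cli.splitlines():
        stripped = line.strip()
        if stripped.startswith("config system cluster-sync"):
            inside = True
            continue
        if not inside:
            continue
        if stripped in ("end", "next"):
            break  # first entry is complete
        match = SET_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip('"')
    return settings


def check_pair(cli_a: str, link_ip_a: str, cli_b: str, link_ip_b: str) -> list:
    """List the mismatches between two peers' entries; an empty list means consistent."""
    a, b = parse_cluster_sync(cli_a), parse_cluster_sync(cli_b)
    problems = []
    if link_ip_a == link_ip_b:
        problems.append(f"both sync-link interfaces carry {link_ip_a}")
    if a.get("peerip") != link_ip_b:
        problems.append(f"peer A points at {a.get('peerip')}, but peer B's link address is {link_ip_b}")
    if b.get("peerip") != link_ip_a:
        problems.append(f"peer B points at {b.get('peerip')}, but peer A's link address is {link_ip_a}")
    for key in ("peervd", "syncvd"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    return problems


if __name__ == "__main__":
    good = check_pair(PEER_1_CLI, PORT3["peer_1"], PEER_2_CLI, PORT3["peer_2"])
    print("example pair:", "consistent" if not good else good)
    # Constructed mistake: peer_2's port3 accidentally given peer_1's address.
    bad = check_pair(PEER_1_CLI, "10.10.10.1", PEER_2_CLI, "10.10.10.1")
    print("duplicate link address:", bad)
```

Run it after typing both stanzas; any non-empty result means the two units will not find each other over port3, and no sessions will be synchronized even though each unit's configuration looks valid on its own.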

Now that the FortiGates are connected and configured, their configurations are
synchronized, so when you make a configuration change on one FortiGate it is
synchronized to the other one.

To add filters

You can add a filter to this basic configuration if you only want to synchronize some TCP sessions.
For example you can enter the following command to add a filter so that only HTTP sessions are
synchronized:

config system cluster-sync
    edit 1
        config filter
            set service HTTP
        end
end

You can also add a filter to control the source and destination addresses of the IPv4 packets that
are synchronized. For example you can enter the following command to add a filter so that only
sessions with source addresses in the range 10.10.10.100 to 10.10.10.200 are synchronized:

config system cluster-sync
    edit 1
        config filter
            set srcaddr 10.10.10.100 10.10.10.200
        end
end

You can also add a filter to control the source and destination addresses of the IPv6 packets that
are synchronized. For example you can enter the following command to add a filter so that only
sessions with destination addresses in the range 2001:db8:0:2::/64 are synchronized:

config system cluster-sync
    edit 1
        config filter
            set dstaddr6 2001:db8:0:2::/64
        end
end
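A filter narrows what the peer holds, so a session that falls outside the filter is simply absent on the other unit and does not survive a failover. The script below is an added example, not Fortinet's code or part of the original page: it models the three filters shown above (HTTP only, an IPv4 source range, an IPv6 destination prefix) and applies them to constructed sample sessions so you can see which ones would be synchronized. It assumes that every criterion set on a filter must match (a logical AND) and maps the HTTP service name to TCP port 80 with a small constructed table; confirm both against the device before relying on them.

```python
"""Model the FGSP session filters above and list which sessions they keep.

Added example (not Fortinet's code). SyncFilter mirrors the three filter
keys from the text: `set service HTTP`, `set srcaddr <first> <last>` and
`set dstaddr6 <prefix>`. Assumptions: all criteria on a filter must match,
and service names resolve through the constructed SERVICE_PORTS table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"HTTP": ("tcp", 80)}  # constructed mapping for the example


@dataclass(frozen=True)
class Session:
    sid: str      # label used in the output
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class SyncFilter:
    service: Optional[str] = None                  # set service HTTP
    srcaddr: Optional[tuple] = None                # set srcaddr <first> <last>  (IPv4)
    dstaddr6: Optional[str] = None                 # set dstaddr6 <prefix>       (IPv6)

    def matches(self, s: Session) -> bool:
        if self.service is not None:
            proto, port = SERVICE_PORTS[self.service]
            if (s.proto, s.dport) != (proto, port):
                return False
        if self.srcaddr is not None:
            src = ipaddress.ip_address(s.src)
            first, last = (ipaddress.ip_address(a) for a in self.srcaddr)
            # an IPv4 range never matches an IPv6 source; compare only within one family
            if src.version != first.version or not first <= src <= last:
                return False
        if self.dstaddr6 is not None:
            dst = ipaddress.ip_address(s.dst)
            if dst.version != 6 or dst not in ipaddress.ip_network(self.dstaddr6):
                return False
        return True


def synchronized(flt: SyncFilter, sessions: list) -> list:
    """IDs of the sessions the filter would synchronize to the peer.

    Anything not in this list is not present on the peer and is lost on failover.
    """
    return [s.sid for s in sessions if flt.matches(s)]


# Constructed sample sessions (documentation addresses only).
SAMPLE_SESSIONS = [
    Session("web-in-range", "tcp", "10.10.10.150", "198.51.100.10", 80),
    Session("ssh-in-range", "tcp", "10.10.10.150", "198.51.100.10", 22),
    Session("web-out-of-range", "tcp", "10.10.10.50", "198.51.100.10", 80),
    Session("dns-udp", "udp", "10.10.10.120", "198.51.100.53", 53),
    Session("v6-in-prefix", "tcp", "2001:db8:0:1::5", "2001:db8:0:2::10", 443),
    Session("v6-outside-prefix", "tcp", "2001:db8:0:1::5", "2001:db8:0:3::10", 443),
]

HTTP_ONLY = SyncFilter(service="HTTP")
SRC_RANGE = SyncFilter(srcaddr=("10.10.10.100", "10.10.10.200"))
DST6_PREFIX = SyncFilter(dstaddr6="2001:db8:0:2::/64")

if __name__ == "__main__":
    for name, flt in [("HTTP only", HTTP_ONLY), ("IPv4 src range", SRC_RANGE),
                      ("IPv6 dst prefix", DST6_PREFIX)]:
        print(f"{name}: {synchronized(flt, SAMPLE_SESSIONS)}")
```

Note how the source-range filter also keeps the UDP session: the filter selects on addresses, so whether UDP and ICMP sessions are synchronized at all is decided separately by the connectionless session-pickup setting described later on this page.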

To synchronize TCP sessions

Enter the following command to synchronize TCP sessions and set the synchronization link
(heartbeat device):

config system ha
set hbdev "port3" 50
set session-pickup enable
end

To synchronize UDP and ICMP sessions

Enter the following command to add synchronization of UDP and ICMP sessions to this
configuration:

config system ha
set session-pickup enable
set session-pickup-connectionless enable
end

To synchronize the configuration

Enter the following command to enable configuration synchronization:

config system ha
set standalone-config-sync enable
end

Copyright © 2018 Fortinet, Inc. All Rights Reserved. | Terms of Service | Privacy Policy
