
High Availability in FortiGate


1) Redundancy:-

o A good network design provides redundancy in devices and network links.

o Redundancy is basically extra hardware or software that can be used as a backup.

o It is a method for ensuring network availability when a network device or path fails.

o It is a method for ensuring network availability when a network device becomes unavailable.

o Network redundancy is the process through which additional or alternate instances of network devices, equipment and communication mediums are installed within the network infrastructure.

o Redundancy can be achieved automatically via failover, load balancing and high availability.

o High availability is a feature which provides redundancy and fault tolerance automatically.

o High availability is a number of connected devices processing and providing a service.

o The goal is to ensure this service is always available, even in the event of a failure or outage.

2) High Availability Overview:-

o HA is usually required in a system where there is high demand for little downtime.

o High availability (HA) is a deployment in which two firewalls are placed in a group.

o Their configuration is synchronized to prevent a single point of failure on your network.

o A heartbeat connection between the firewall peers ensures failover in the event that a peer goes down.

o Setting up two firewalls in an HA pair provides redundancy and ensures business continuity.

o Firewalls in an HA pair use HA links to synchronize data and maintain state information.

o FortiGate firewalls require you to use in-band ports as HA links.

o Use the HA ports to manage communication and synchronization between FortiGate firewalls.

o All FortiGates in a cluster must be the same model and have the same firmware installed.

3) FortiGate Firewall HA Modes:-

i) Active-Passive

o In Active-Passive, one firewall actively manages traffic while the other is kept synchronized.

o In Active-Passive, the passive unit is ready to transition to the active state should a failure occur.

o One unit actively manages traffic until a path, link, system, or network failure occurs.

o When the active firewall fails, the passive firewall transitions to the active state and takes over.

o Active-Passive does not increase the session capacity or network throughput of the firewall.

o Active-Passive has a simple design concept, so it is easier to troubleshoot routing.

ii) Active-Active

o In an Active-Active deployment, both firewalls in the pair are active and processing traffic.

o Use an Active-Active setup to load balance TCP sessions across multiple firewall units.

o UDP, ICMP, multicast, and broadcast traffic remain on the primary firewall unit only.

o The primary FortiGate unit distributes the TCP sessions to all other firewalls in the cluster.

o Active-Active high availability provides session failover protection for all TCP sessions.

o Active-Active HA does not provide session failover for UDP, ICMP, multicast and broadcast traffic.

o Active-Active HA load balancing distributes proxy-based security profile processing to all cluster members.
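The two modes expressed as FortiOS CLI, as an added example that is not part of the original post and not taken from Fortinet's documentation. Both modes use the same `config system ha` object; only `mode` and the load-balancing settings change. The group name, password and port names are constructed placeholders, and `schedule` and `load-balance-all` are assumed to be available on the FortiOS release in use. Lines starting with `#` are annotations, not commands.

```fortios
# Added example: Active-Passive member configuration.
# "FGT-HA", the password and the port names are constructed placeholders.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ReplaceWithSharedClusterSecret"
    # heartbeat interfaces with their heartbeat priority (range 0-512)
    set hbdev "port3" 50 "port4" 100
    # data interfaces whose link loss should trigger a failover
    set monitor "port1" "port2"
end

# Added example: the Active-Active variant of the same member.
# Only the mode and the load-balancing settings differ.
config system ha
    set group-name "FGT-HA"
    set mode a-a
    set password "ReplaceWithSharedClusterSecret"
    set hbdev "port3" 50 "port4" 100
    set monitor "port1" "port2"
    # how the primary distributes sessions to the other members
    set schedule round-robin
    # distribute all TCP sessions, not only proxy-based security-profile sessions
    set load-balance-all enable
end
```

Apply the block with the same group name and password on every member; the password is what stops an unrelated FortiGate on the same heartbeat segment from joining the cluster. `load-balance-all` is disabled by default, which is why a plain Active-Active cluster only distributes proxy-based security profile sessions; the `schedule` and `load-balance-all` settings have no effect in Active-Passive mode.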

4) HA Pre-Requisites:-

o All FortiGates in a cluster must be the same model and have the same firmware installed.

o Cluster members must also have the same hardware configuration, such as the same HDD.

o Each member must also be up to date on the same application, URL, and threat databases.

o To set up HA in Active-Active or Active-Passive mode, the same type of interfaces is required on each member.

o All cluster members share the same configuration except the host name and the priority in the HA settings.

o Set all FortiGate interfaces to static addressing; make sure you are not using DHCP or PPPoE.

o Licenses are unique to each firewall and cannot be shared between firewalls, so the same set of licenses is required on each member.

5) High Availability Links:-

o By default, on FortiGate models two interfaces are configured as heartbeat interfaces.

o The HA1 link is used to exchange hellos, heartbeats, and HA state information.

o HA1 also monitors HA status, such as configuration synchronization, in active-passive mode.

o HA1 acts as a keepalive between the HA agents; it detects a power cycle, reboot or power down.

o The FortiGate firewalls also use this link to synchronize configuration changes with the peer.

o A heartbeat interface is an Ethernet interface in the cluster used by the FGCP for the HA heartbeat.

o Heartbeat packets are non-TCP packets that use the Ethernet type values 0x8890, 0x8891 and 0x8893.

o The default time interval between HA link heartbeats is 200 ms.

o It uses link-local IPv4 addresses in the 169.254.0.x range for the HA heartbeat interface IP addresses.

o In a cluster of two firewalls, connect the heartbeat interfaces directly using a crossover cable.

o The heartbeat packets contain sensitive information about the cluster configuration.

o The heartbeat packets may also use a considerable amount of network bandwidth.

o On startup, a FortiGate configured for HA operation broadcasts HA heartbeat hello packets.

o In addition to selecting heartbeat interfaces, also set a priority for each heartbeat interface.

o The heartbeat interface with the highest priority is used for all HA heartbeat communication.

o If that interface fails or is disconnected, the interface with the next highest priority handles all heartbeat communication.

o For the HA cluster to function correctly, you must select at least one heartbeat interface.

o On FortiGate firewalls, the heartbeat interface priority range is 0 to 512.

o The default priority when selecting a new heartbeat interface is 0; a higher number means a higher priority.

o You can enable heartbeat communication on a physical interface but not on a VLAN subinterface, an IPsec VPN interface, a redundant interface, or an 802.3ad aggregate interface.

o A FortiGate firewall can have up to 8 heartbeat interfaces.

6) Heartbeat Messages:-

o Hello messages are sent from one peer to the other to verify the state of the firewall.

o The heartbeat is a non-TCP packet sent to the HA peer over the HA link.

o Firewalls use hello messages and heartbeats to verify that the peer firewall is responsive.

o Firewalls use hello messages and heartbeats to verify that the peer firewall is operational.

o Hello messages are sent from one peer to the other at the configured hello interval for this verification.

o The peer responds to these non-TCP packets to establish that the firewalls are connected and responsive.

o By default, the FortiGate heartbeat interval is 200 milliseconds.

o If 6 heartbeat packets are not received from a unit, that cluster unit is considered to have failed.
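The heartbeat interface priorities from section 5 and the heartbeat timing from section 6 in FortiOS CLI form, as an added example that is not part of the original post and not Fortinet's own documentation. Port names are constructed placeholders; the `hb-interval` and `hb-lost-threshold` settings are assumed to exist with 100 ms units and the defaults the post describes (200 ms and 6 heartbeats). Lines starting with `#` are annotations.

```fortios
# Added example: heartbeat interfaces and failure-detection timing.
# Port names are constructed placeholders.
config system ha
    # two heartbeat interfaces; port4 (priority 100) carries the heartbeat
    # and port3 (priority 50) takes over if port4 fails or is disconnected
    set hbdev "port3" 50 "port4" 100
    # hb-interval is in units of 100 ms: 2 = 200 ms (the default)
    set hb-interval 2
    # number of missed heartbeats before the peer is declared failed (default 6)
    set hb-lost-threshold 6
end
# With these values a dead peer is detected after 6 x 200 ms = 1.2 s.

# Checks to run on a member once the cluster has formed:
# get system ha status             -> members, primary selection, heartbeat device state
# diagnose sys ha checksum cluster -> per-member configuration checksums (must match)
```

Raising `hb-lost-threshold` or `hb-interval` reduces spurious failovers on a congested heartbeat link at the cost of slower detection; lowering them does the opposite. Because the heartbeat frames carry cluster configuration data and can consume noticeable bandwidth, keep them on the dedicated crossover or isolated links described above rather than on a shared production segment, and confirm with `get system ha status` that the highest-priority heartbeat interface is the one actually in use.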

7) Priority:-

o When two FortiGate firewalls are deployed in an active-passive cluster, it is mandatory to configure the device priority: a higher priority for the Master and a lower one for the Slave.

o The firewall with the higher numerical value, and therefore the higher priority, is designated as the Master.

o The device priority decides which FortiGate firewall will preferably take the Master role.

8) HA Override:-

o The override behavior allows the firewall with the higher priority value to resume the primary role.

o By default, override is disabled on the firewalls and must be enabled on the primary firewall.

o Before adding the FortiGate unit to the cluster, enable override on the primary FortiGate.

o Whether override is enabled or disabled determines whether a higher-priority unit takes the primary role back when it returns.

o For override to be effective, you must also set the highest device priority on the cluster unit that you want to always be the primary unit.

9) Session-Pickup:-

o When session pickup is enabled, the FGCP synchronizes the primary unit's TCP session table to all cluster units.

o As a new TCP session is added to the primary unit's session table, it is synchronized to all cluster units.

o This synchronization happens as quickly as possible to keep the session tables in step.

o If the primary fails, the new primary unit uses the synchronized session table to resume all TCP sessions that were being processed by the former primary unit, with only minimal interruption.

10) Unicast HA Heartbeat:-

o In virtual machine (VM) environments that do not support broadcast communication, you can set up a unicast High Availability (HA) heartbeat when configuring high availability.

o Setting up the unicast HA heartbeat consists of enabling the feature and adding a peer IP address.

o The peer IP address is the IP address of the HA heartbeat interface of the other FortiGate VM in the HA cluster.

o You can enable the unicast High Availability heartbeat from the GUI by going to System > HA.

o Enable the unicast heartbeat and add the peer IP, which is the address of the peer's heartbeat interface.
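Sections 7 to 10 brought together for a two-member FortiGate-VM cluster, as an added example that is not part of the original post and not Fortinet's own documentation. It shows device priority and override on the intended primary, session pickup on both members, and the unicast heartbeat with each member pointing at the other's heartbeat interface address. Host names, IP addresses, port names and the password are constructed placeholders, and the block assumes a FortiOS release that exposes the unicast heartbeat as `unicast-hb` and `unicast-hb-peerip`. Lines starting with `#` are annotations.

```fortios
# Added example: primary member of an Active-Passive FortiGate-VM cluster.
# Host names, addresses, port names and the password are constructed placeholders.
config system global
    set hostname "FGT-A"
end
config system interface
    edit "port3"
        # static address on the heartbeat interface: the unicast heartbeat is
        # addressed to the peer's heartbeat interface IP, so no DHCP here
        set mode static
        set ip 10.255.255.1 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ReplaceWithSharedClusterSecret"
    set hbdev "port3" 50
    # election: the higher device priority wins, and override lets this unit
    # take the primary role back after it recovers (neither setting is synchronized)
    set priority 200
    set override enable
    # synchronize the TCP session table so TCP sessions survive a failover
    set session-pickup enable
    # VM environment without broadcast: send heartbeats to the peer's address
    set unicast-hb enable
    set unicast-hb-peerip 10.255.255.2
end

# Secondary member: same cluster settings, lower priority, override left at its
# default (disabled), and the peer IP pointing back at FGT-A's heartbeat interface.
config system global
    set hostname "FGT-B"
end
config system interface
    edit "port3"
        set mode static
        set ip 10.255.255.2 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "ReplaceWithSharedClusterSecret"
    set hbdev "port3" 50
    set priority 100
    set session-pickup enable
    set unicast-hb enable
    set unicast-hb-peerip 10.255.255.1
end
```

Host name, device priority and override are the per-member settings the cluster does not synchronize, so they are the only lines that differ between the two blocks apart from the addresses. With override enabled only on FGT-A and its higher priority, FGT-B serves as primary while FGT-A is down and hands the role back once FGT-A rejoins; without override, whichever unit is primary at the time keeps the role.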