A recent requirement that came up was for a redundant pair of firewalls that allowed session failover and configuration synchronisation while also maintaining different external IPs and separate BGP peerings. A niche request, but something that is supported on FortiGates. Below are some configuration examples to achieve this.
Config and Session Sync
We start off by allowing the FortiGates to sync configuration and sessions without fully pairing them. This can be achieved through Fortinet's "standalone-config-sync" setting under HA. This allows configuration and sessions to be synced, with the exception of interface settings*. It needs to be configured on both units, and a "HA" link needs to be cabled between the two (port1 in the example below).
config system ha
    set hbdev port1 0
    set session-pickup enable
    set standalone-config-sync enable
end
*There is currently an issue whereby IPv6 interface address configuration is synced across the two standalone devices.
As interface configuration is not synced in this setup and interfaces are not monitored, we need something to replace the failover mechanism. This is where VRRP comes in. Because the units will not sync any interface-related configuration, you will need to replicate it manually on both units – the exception being the interface you want different IPs on for the separate router peering.
config system interface
    edit <vrrp-interface>    # placeholder: the interface carrying the VRRP groups
        set vrrp-virtual-mac enable
        config vrrp
            edit 50    # VRID 50 (0x32, last byte of the virtual MAC)
                set vrip 10.31.101.120
                set priority 255
            next
            edit 100    # VRID 100 (0x64, last byte of the virtual MAC)
                set vrip 10.31.101.130
                set priority 50
            next
        end
    next
end
The example VRRP configuration here was taken directly from http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-high-availability/HA_VRRPEx2.htm?Highlight=VRRP
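Because the interface and VRRP configuration has to be replicated by hand, it is worth checking the two units for drift before cutting over. The following is an added example (not from the original post or from Fortinet) that parses two FortiOS CLI listings and flags a VRRP group missing on one unit or with a different vrip, equal priorities on both units, or the peering interface copied across with the same IP. The interface names port2 (VRRP side) and port3 (BGP peering side) and the 192.0.2.x peering addresses are assumed sample values.

```python
# Constructed sample configs for units A and B (not from a real device); the
# interface names port2 (VRRP side) and port3 (BGP peering side) are assumed.
TEMPLATE = """config system interface
    edit "port2"
        config vrrp
            edit 50
                set vrip 10.31.101.120
                set priority {p50}
            next
            edit 100
                set vrip 10.31.101.130
                set priority {p100}
            next
        end
    next
    edit "port3"
        set ip {peer} 255.255.255.252
    next
end"""
UNIT_A = TEMPLATE.format(p50=255, p100=50, peer="192.0.2.1")
UNIT_B = TEMPLATE.format(p50=50, p100=255, peer="192.0.2.5")

def parse_fortios(text):
    """Nested dicts: 'config ...'/'edit ...' open a child, 'set k v' is a leaf."""
    root = cur = {}
    stack = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("config ", "edit ")):
            stack.append(cur)
            cur = cur.setdefault(line, {})
        elif line in ("next", "end"):
            cur = stack.pop()
        elif line.startswith("set "):
            _, key, *vals = line.split()
            cur[key] = " ".join(vals)
    return root

def check_pair(text_a, text_b, vrrp_if="port2", peer_if="port3"):
    """Return findings as a list of strings; an empty list means the pair is consistent."""
    ifs_a, ifs_b = (parse_fortios(t)["config system interface"] for t in (text_a, text_b))
    ga, gb = (i[f'edit "{vrrp_if}"'].get("config vrrp", {}) for i in (ifs_a, ifs_b))
    issues = []
    for vrid in sorted(ga.keys() | gb.keys()):
        if ga.get(vrid, {}).get("vrip") != gb.get(vrid, {}).get("vrip"):
            issues.append(f"{vrid}: group missing on one unit or vrip differs")
        elif ga[vrid].get("priority") == gb[vrid].get("priority"):
            issues.append(f"{vrid}: equal priority on both units, master election is not deterministic")
    if ifs_a[f'edit "{peer_if}"'].get("ip") == ifs_b[f'edit "{peer_if}"'].get("ip"):
        issues.append(f"{peer_if}: same IP on both units, separate BGP peering would clash")
    return issues
```

Running `check_pair(UNIT_A, UNIT_B)` on the mirrored pair returns no findings, while comparing a unit against a straight copy of itself flags both VRRP groups and the duplicated peering IP.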
Your final step is to configure routing as you would on any standalone device. This will vary depending on the routing protocol in use, so I won't bother with an example in this post – a post about routing on FortiGates will come later.
Once all of the above has been configured, you should be left with a routed, redundant "pair" of firewalls: session sync and configuration sync are handled by the FGCP protocol, and failover is handled by a combined VRRP and routing failover mechanism. If an interface goes down, that FortiGate should stop advertising the route and the neighbouring FortiGate's VRRP interface should take over.