August 21, 2018

FortiGate :: HA Routed Failover w/ Session Failover

(Last Updated On: 27th March 2018)

A recent requirement that came up was for a redundant pair of firewalls that allowed session failover and configuration synchronisation while also maintaining different external IPs and separate BGP peerings. A niche request, but something that is supported on FortiGates. Below are some configuration examples to achieve this.

Config and Session Sync

We start off by allowing the FortiGates to sync configuration and sessions without fully pairing them. This can be achieved through Fortinet's “standalone-config-sync” setting under HA. This will allow configuration and sessions to be sync’d, with the exception of interface settings*. This will need to be configured on both units, and an “HA” link will need to be configured between the two.

config system ha
set hbdev port1 0
set session-pickup enable
set standalone-config-sync enable
end

*There is currently an issue whereby IPv6 interface address configuration is sync’d across the two standalone devices.

VRRP

As interface configuration is not sync’d in this setup and interfaces are not monitored, we need something to replace the failover mechanism. This is where VRRP comes in. As the units will not sync configuration relating to the interfaces, you will need to replicate this on both units – the exception being the interface you want different IPs on for separate router peering.

config system interface
edit port2
set vrrp-virtual-mac enable
config vrrp
edit 50
set vrip 10.31.101.120
set priority 255
next
edit 100
set vrip 10.31.101.130
set priority 50
next
end
next
end

The example VRRP configuration here was taken directly from http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-high-availability/HA_VRRPEx2.htm?Highlight=VRRP (the hex VRID values shown in the original example have been dropped so the block can be pasted into the CLI as-is).

Routing

Your final step is to configure routing as you would with any standalone device. This will vary depending on routing protocol in use so I won’t bother with an example in this post – a post about routing on FortiGates will come later.

Once all of the above has been configured, you should be left with a routed, redundant “pair” of firewalls: session sync and configuration sync are handled by the FGCP protocol, and failover is handled by a combined VRRP and routed failover mechanism. If an interface should go down, the FortiGate should stop advertising the route and the neighbouring FortiGate's VRRP interface should take over.
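To see why the mirrored 255/50 priorities give each unit one VRIP in normal operation and move both to the survivor on failure, here is an added example (not from the post or Fortinet) that models RFC 3768 master election for the two VRIDs above. The hostnames FGT-A/FGT-B, the interface addresses and the 1 second advertisement interval are constructed assumptions.

```python
# Added example: VRRP master election (RFC 3768) for the two-VRID layout
# in the post, run offline against constructed data (not FortiOS code).
import ipaddress
from dataclasses import dataclass

ADVER_INT = 1.0  # seconds; assumed default VRRP advertisement interval


@dataclass
class VrrpGroup:
    vrid: int
    vrip: str
    priority: int  # 1-254 for backups, 255 marks the address owner


@dataclass
class Router:
    name: str        # constructed hostname, not from the post
    primary_ip: str  # interface address, used as the RFC tie-breaker
    groups: tuple
    up: bool = True


def skew_time(priority, adver_int=ADVER_INT):
    # RFC 3768 s6.1: higher priority -> shorter skew -> faster takeover
    return (256 - priority) / 256 * adver_int


def master_down_interval(priority, adver_int=ADVER_INT):
    # How long a backup waits without advertisements before taking over.
    return 3 * adver_int + skew_time(priority, adver_int)


def elect(routers):
    """Return {vrid: (master_name, vrip)} for routers sharing one L2 segment."""
    best = {}
    for r in routers:
        if not r.up:
            continue  # a failed unit sends no advertisements
        for g in r.groups:
            key = (g.priority, ipaddress.ip_address(r.primary_ip))
            if g.vrid not in best or key > best[g.vrid][0]:
                best[g.vrid] = (key, r.name, g.vrip)
    return {vrid: (name, vrip) for vrid, (_, name, vrip) in best.items()}


# Mirrored priorities: each unit owns one VRIP and backs up the other.
FGT_A = Router("FGT-A", "10.31.101.101", (VrrpGroup(50, "10.31.101.120", 255),
                                          VrrpGroup(100, "10.31.101.130", 50)))
FGT_B = Router("FGT-B", "10.31.101.102", (VrrpGroup(50, "10.31.101.120", 50),
                                          VrrpGroup(100, "10.31.101.130", 255)))


def failover_scenario():
    """Normal state, then FGT-A's port goes down and FGT-B takes both VRIPs."""
    before = elect([FGT_A, FGT_B])
    FGT_A.up = False
    after = elect([FGT_A, FGT_B])
    FGT_A.up = True
    return before, after
```

With the default timers, the priority-50 backup declares itself master roughly 3.8 seconds after the last advertisement, which is the window during which the routed failover and session pickup described above have to cover.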


Jake is a security engineer working in West Yorkshire. He has experience with various firewall vendors including FortiGate, Check Point, Cisco and Palo Alto.

2 Comments

  1. Jake,
    I am currently in a similar situation, where we have 2 fortigates in standalone but doing session synch. My problem is that we have separate BGP peerings on each box, but would like to configure a VRRP interface for SSL VPN. I am wondering if this is possible at all?

    • Hello Aj,

      If you’re looking to implement an SSL VPN on an external interface which uses VRRP, the interfaces need to be in the same subnet; which likely isn’t the case if you’re running different BGP peerings. If that’s the case, you won’t be able to set up VRRP on the outside for SSL VPN.

      If they are the same subnet, and this is some sort of WAN level failover through BGP, then it is possible, but you’d need to ensure L2 connectivity is available between both FortiGates on the WAN side to allow the VRRP multicast traffic. If all interfaces share the same subnets but don’t have L2 on the outside, you could explore the standard Active/Passive set up available with FGCP – though if you’re not already doing that I assume there’s a good reason for it.

      Let me know if you need any more assistance and thanks for reading!
