Fortigate Session Life Support Protocol - (FGSP) - High Availability - Parte 3
- Iñaki Urrutxi
- 16 abr 2020
- 12 Min. de lectura
Actualizado: 21 abr 2020
Cuando configuramos el HA con FGSP ambos equipos funcionan independientemente, por tanto NO hay mac virtuales, se pueden sincronizan las sesiones y se puede si queremos sincronizar la configuración de ambos equipos aunque hay partes que NO se sincronizan. En este modo nosotros mediante rutado somos los que decidimos por cual de los equipos entra y sale el tráfico. Lo normal es usar algún protocolo dinámico, nosotros para este ejemplo usaremos BGP, uno de los protocolos dinámicos más usados, sobre todo entre ISPs.
A continuación tenemos el diagrama que seguiremos en este blog. Tenemos 2 CPDs interconectados con BGP tanto para la conectividad pública como de MPLS. Un equipo está en el CPD1 y otro en el CPD2. En ambos CPDs tenemos un Fortigate configurado en modo HA (FGSP) con 3 vdoms, el root para administrar de la plataforma completa, vdom1 para el cliente1 y vdom2 para el cliente2. Se pretende que el cliente1 salga/entre por el CPD1, en caso de problemas con el CPD1 todo saltaría al fortigate del CPD2, para ellos usamos BGP y el atributo MED del BGP para seleccionar cual es el CPD primario y secundario. Para balancear el tráfico entre ambos CPDs el cliente2 hará lo contrario, entra/sale por el CPD2 y en caso de fallo saldrá por el CPD1. En esta modalidad podemos sincronizar las sesiones y la configuración aunque esta última opción no viene activada por defacto, pero lo activaremos para que veáis como se hace.
Como hemos comentado la principal característica de este modo de HA es que ambos CPDs no están conectados mediante un SWICTH de nivel 2, sino solo mediante routing de nivel 3, a excepción del cable de HA que si queremos sincronizar la configuración tiene que ser un enlace de nivel 2. Los equipos funcionan independientemente y para seleccionar por cual de los Fortigates se realiza la comunicación con Internet usamos BGP. Sincronizaremos las sesiones y la configuración entre los equipos además de ver los comandos que nos dirá si está funcionando adecuadamente.
NO detallaremos la configuración de los MKs porque sale fuera de las pretensiones de este blog.
VDOM1
Configuración de los Interfaces
FW-HA-1
config system interface
edit "WAN-root"
set vdom "root" --> Se sincroniza
set ip 10.101.101.2 255.255.255.252 --> NO sincroniza
set allowaccess ping https ssh http -> NO sincroniza
set role wan --> NO sincroniza
set interface "wan1" --> Se sincroniza
set vlanid 100 --> Se sincroniza
next
edit "lan3"
set vdom "root" --> Se sincroniza
set ip 10.105.1.1 255.255.255.0 --> NO sincroniza
set type physical --> Se sincroniza
set alias "HA-sync" --> NO sincroniza
next
edit "WAN-vdom1" --> Se sincroniza
set vdom "vdom1" -> Se sincroniza
set ip 10.1.1.2 255.255.255.252 --> NO sincroniza
set allowaccess ping https ssh -> NO sincroniza
set role wan --> NO sincroniza
set secondary-IP enable
set interface "wan1" --> Se sincroniza
set vlanid 101 --> Se sincroniza
config secondaryip
edit 1
set ip 212.181.206.196 255.255.255.255 -> NO sinc
set allowaccess ping https ssh -> NO sincroniza
next
end
next
edit "MPLS-Vdom1" -> Se sincroniza
set vdom "vdom1" --> Se sincroniza
set ip 172.31.31.1 255.255.255.0 --> NO sincroniza
set allowaccess ping https ssh -> NO sincroniza
set role lan --> NO sincroniza
set interface "lan1" --> Se sincroniza
set vlanid 101 -> Se sincroniza
next
end
FW-HA-2
config system interface
edit "WAN-root"
set vdom "root"
set ip 10.201.201.2 255.255.255.252
set allowaccess ping https ssh http
set role wan
set interface "wan1"
set vlanid 100
next
edit "lan3"
set vdom "root"
set ip 10.105.1.2 255.255.255.0
set type physical
set alias "HA-sync"
next
edit "WAN-vdom1"
set vdom "vdom1"
set ip 10.2.2.2 255.255.255.252
set allowaccess ping https ssh
set role wan
set secondary-IP enable
set interface "wan1"
set vlanid 101
config secondaryip
edit 1
set ip 212.181.206.196 255.255.255.255
set allowaccess ping https ssh
next
end
next
edit "MPLS-Vdom1"
set vdom "vdom1"
set ip 172.32.32.1 255.255.255.0
set allowaccess ping https ssh
set role lan
set interface "lan1"
set vlanid 101
next
endBGP
Desde el MK de Internet importamos la ruta por defecto y exportamos nuestra ip pública y desde el MK de MPLS exportamos todos los prefijos con MED 11 incluida la ruta por defecto e importamos todo.
FW-HA-1
config router bgp
set as 650002
set router-id 10.1.1.2
set keepalive-timer 10
set holdtime-timer 30
config neighbor
edit "10.1.1.1"
set bfd enable
set remote-as 650001
next
edit "172.31.31.2"
set bfd enable
set next-hop-self enable
set remote-as 650001
set route-map-out "BGP-MPLS-FW-11-out"
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
endFW-HA-2
Desde el MK de Internet importamos la ruta por defecto de Internet y exportamos nuestra ip pública y desde el MK de MPLS exportamos todos los prefijos con MED 12 incluida la ruta por defecto e importamos todo.
config router bgp
set as 650002
set router-id 10.2.2.2
set keepalive-timer 10
set holdtime-timer 30
config neighbor
edit "10.2.2.1"
set bfd enable
set remote-as 650001
next
edit "172.32.32.2"
set bfd enable
set next-hop-self enable
set remote-as 650001
set route-map-out "BGP-MPLS-FW-12-out"
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
endRoute-map
FW-HA-1 y FW-HA-2
config router route-map
edit "BGP-MPLS-FW-12-out"
config rule
edit 1
set match-ip-address "prefix-MPLS-out-default"
set set-aspath-action replace
set set-aspath "65001"
set set-metric 12
next
edit 2
set match-ip-address "prefix-MPLS-out-Resto"
set set-metric 12
next
end
next
edit "BGP-MPLS-FW-11-out"
config rule
edit 1
set match-ip-address "prefix-MPLS-out-default"
set set-aspath-action replace
set set-aspath "65001"
set set-metric 11
next
edit 2
set match-ip-address "prefix-MPLS-out-Resto"
set set-metric 11
next
end
next
endPrefijos que exportamos a la MPLS
FW-HA-1 y FW-HA-2
config router prefix-list
edit "prefix-MPLS-out-default"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
edit "prefix-MPLS-out-Resto"
config rule
edit 1
set prefix any
unset ge
unset le
next
end
next
endNAT (ippool)
FW-HA-1 y FW-HA-2
config firewall ippool
edit "DIP-NAT-FW"
set startip 212.181.206.196
set endip 212.181.206.196
next
endPOLÍTICA
FW-HA-1 y FW-HA-2
config firewall policy
edit 1
set name "Salida a Internet"
set srcintf "MPLS-Vdom1"
set dstintf "WAN-vdom1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "DIP-NAT-FW"
set nat enable
next
endHA sincronización de sesiones
FW-HA-1
config system cluster-sync
edit 1
set peerip 10.105.1.2 -> IP del hdev del otro peer
set syncvd "vdom1" "vdom2"--> Sesiones de Vdoms sync
next
endFW-HA-2
config system cluster-sync
edit 1
set peerip 10.105.1.1 -> IP del hdev del otro peer
set syncvd "vdom1" "vdom2"--> Sesiones de Vdoms sync
next
endFW-HA-1 y FW-HA-2
config system ha
set hbdev "lan3" 50 -> Puerto de Hearbeat
set session-pickup enable --> TCP
set session-pickup-connectionless enable --> ICMP/UDP
set session-pickup-expectation disable --> VOIP (Asimétricas)
set session-pickup-nat enable --> NAT
endTroubleshooting sesiones
FW-HA-1 (global) #diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=0, sync_redir=0, sync_nat=1, stdalone_sesync=1.
sync: create=530:0, update=1833, delete=0:0, query=68
recv: create=426:0, update=2981, delete=0:0, query=42
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=2410, recv=3428
nCfg_sess_sync_num=5, mtu=1500, ipsec_tun_sync=1
sync_filter:
1: vd=1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
2: vd=2, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535FW-HA-2 (global) # diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=0, sync_redir=0, sync_nat=1, stdalone_sesync=1.
sync: create=401:0, update=3106, delete=0:0, query=16
recv: create=75:0, update=167, delete=0:0, query=10
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=3523, recv=232
nCfg_sess_sync_num=5, mtu=1500, ipsec_tun_sync=1
sync_filter:
1: vd=1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
2: vd=2, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
sync_started=1 shows that synchronization is working. If this is set to 0 then something is not correct with session synchronization and synchronization has not been able to start because of it.
sync_tcp=1, sync_others=1, sync_expectation=0, and sync_nat=1 show that the FGSP has been configured to synchronize TCP, connectionless, and NAT sessions but not asymmetric.
sync: create=530:0 and recv: create=426:0 show that this FortiGate has synchronized 12 sessions to its peer and has received 14 sessions from its peer.
vd=1 and vd=2 indicates that vdom1 and vdom2 sessions are synchronized.
FW-HA-1 (global) # diagnose test application sessionsync
1. Show setting
2. List tcp-dump processes
3. List all peers
4. Show statistics
5. Toggle switch of socket kernel receive
6. dump heartbeat peers
7. clear heartbeat peers
8. reset statisticsEjemplos:
FW-HA-1 (global) # diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
sync-other=1, sync-exp=0, standalone-sync=1, mtu=0
ipsec-tun-sync=1
standalone-peers-num=1, kernel-filters-num=2
standalone-peers:
vdom=0, ip/port=10.106.1.1:708
vdom=0, ip/port=0.0.0.0:0
vdom=0, ip/port=0.0.0.0:0
FW-HA-1 (global) # diagnose test application sessionsync 3
peer 201: 169.254.0.1 in vsys_ha, ha=1, num-sync-vd=0
peer 202: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 203: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 204: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 1: 10.106.1.1 in root, ha=0, num-sync-vd=2
failed retries of SESYNC_PACKET_T_QUERYALL: 0Estado de las sesiones del FW con los flags que se activan para saber si se sincronizan con el resto del equipos del cluster
FW-HA-1 (vdom1) # diagnose sys session list
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty synced
statistic(bytes/packets/allow_err): org=15215/211/1 reply=338515/296/1 tuples=2
tx speed(Bps/kbps): 1230/9 rx speed(Bps/kbps): 27387/219
orgin->sink: org pre->post, reply pre->post dev=22->21/21->22 gwy=10.1.1.1/172.31.31.2
hook=post dir=org act=snat 10.39.39.99:52560->172.217.168.163:443(212.181.206.196:52560)
hook=pre dir=reply act=dnat 172.217.168.163:443->212.181.206.196:52560(10.39.39.99:52560)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2
serial=00002619 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0state=log may_dirty synced to confirm that they are being synchronized by the FGSP.
FW-HA-2 (vdom1) # diagnose sys session list
session info: proto=6 proto_state=11 duration=57 expire=3542 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr nlb f00 syn_ses app_valid
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=24->23/23->24 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.38.38.200:52529->216.58.211.46:443(212.181.206.197:52529)
hook=pre dir=reply act=dnat 216.58.211.46:443->212.81.206.197:52529(10.38.38.200:52529)
hook=post dir=reply act=noop 216.58.211.46:443->10.38.38.200:52529(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00001fcd tos=ff/ff app_list=6000 app=40568 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
state=log may_dirty ndr nlb f00 syn_ses app_valid session which is sync'ed over to peer FGT
Como solo sincroniza sesiones ejecutando el comando get system ha status veremos esto, en este caso estaba activado la sincronización de la configuración y la he desactivado para ver que muestra:
FW-HA-1 (global) # get system ha status
HA Health Status:
ERROR: FGT51E0000000002 is lost @ 2020/04/12 13:55:34
Model: FortiGate-51E
Mode: Standalone
Group: 0
Debug: 0
Cluster Uptime: 0 days 2:56:50
Cluster state change time: N/A
ses_pickup: enable, ses_pickup_delay=disable
override: enable
System Usage stats:
HBDEV stats:
number of vcluster: 0HA sincronización de la configuración
FW-HA-1
config system ha
set standalone-config-sync enable -> Sync config
set override enable
set priority 200
endFW-HA-2
config system ha
set standalone-config-sync enable -> Sync config
set override enable
set priority 100
endstandalone-config-sync is an independent feature and should be used with caution as there are some limitations. Fortinet recommends disabling it once the configurations have been synced over.
TROUBLESHOOTING
Configuración SINCRONIZADA correctamente
FW-HA-1 (global) # get system ha status
HA Health Status: OK
Model: FortiGate-51E
Mode: ConfigSync --> Modo FGSP con conf sinncronizada
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:0:13
Cluster state change time: N/A
Master selected using:
<2020/04/12 14:04:04> FGT51E0000000001 is selected as the master because it has the largest value of override priority.
<2020/04/12 14:03:59> FGT51E0000000001 is selected as the master because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FGT51E0000000001(updated 1586693050 seconds ago): in-sync
FGT51E0000000002(updated 1586693050 seconds ago): in-sync
System Usage stats:
FGT51E0000000001(updated 1586693050 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/0%, memory=0%
FGT51E0000000002(updated 1586693050 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/0%, memory=0%
HBDEV stats:
FGT51E0000000001(updated 1586693050 seconds ago):
FGT51E0000000002(updated 1586693050 seconds ago):
Master: , FGT51E0000000001, cluster index = 1
Slave : , FGT51E0000000002, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master: FGT51E0000000001, operating cluster index=0->Override 200
Slave : FGT51E0000000002, operating cluster index=1->Override 100
FW-HA-2 (global) # get sys ha status
HA Health Status: OK
Model: FortiGate-51E
Mode: ConfigSync
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:0:29
Cluster state change time: N/A
Master selected using:
<2020/04/12 14:04:46> FGT51E0000000001 is selected as the master because it has the largest value of override priority.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FGT51E0000000002(updated 1586693108 seconds ago): in-sync
FGT51E0000000001(updated 1586693108 seconds ago): in-sync
System Usage stats:
FGT51E0000000002(updated 1586693108 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/0%, memory=0%
FGT51E0000000001(updated 1586693108 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/0%, memory=0%
HBDEV stats:
FGT51E0000000002(updated 1586693108 seconds ago):
FGT51E0000000001(updated 1586693108 seconds ago):
Slave : , FGT51E0000000002, cluster index = 0
Master: , FGT51E0000000001, cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.2
Slave : FGT51E0000000002, operating cluster index = 1
Master: FGT51E0000000001, operating cluster index = 0Configuración NO SINCRONIZADA
Configuration Status:
FGT51E0000000001(updated 1586693050 seconds ago): in-sync
FGT51E0000000002(updated 1586693050 seconds ago): out-of-syncPara todos las modalidades de HA (FGCP o FGSP) desde la consola del equipo que NO está como primario podemos ver los intentos de sincronización con el activo y ver si se completa como es este el caso.
FW-HA-2 login: slave's configuration is not in sync with master's, sequence:0
slave's configuration is not in sync with master's, sequence:1
slave's configuration is not in sync with master's, sequence:2
slave's configuration is not in sync with master's, sequence:3
slave's configuration is not in sync with master's, sequence:4
slave starts to sync with master
logout all admin users
Problemas HA Interface
FW-HA-1 (global) # get system ha status
HA Health Status:
WARNING: FGT51E0000000001 has hbdev down;
Model: FortiGate-51E
Mode: ConfigSync
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:4:10
Cluster state change time: N/A
Master selected using:
<2020/04/12 15:33:16> FGT51E0000000001 is selected as the master because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
System Usage stats:
FGT51E0000000001(updated 1 seconds ago):
sessions=60, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
HBDEV stats:
FGT51E0000000001(updated 1 seconds ago):
lan3: physical/10half, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=188/2/0/0
Master: FW-HA-1 , FGT51E0000000001, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master: FGT51E0000000001, operating cluster index = 0
El resto de comandos del HA para verificar la sincronización del cluster que vimos en el la 2ª parte de esta serie de blogs sobre HA de Fortigate se siguen pudiendo utilizar para este caso:
FW-HA-1 (global) # diagnose sys ha checksum cluster
================== FGT51E0000000001 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 3f fd 66 00 3a ba 0b 09 ae 5b 41 4f 9c f0 81 01
vdom1: c4 6e 79 0c 82 12 3e 39 d2 b0 f4 df 5e 30 32 aa
vdom2: c5 6e 88 4c 32 11 2e 22 52 b7 f3 df 5f 40 22 11
root: 17 c9 6c 54 1f 9f a1 0d 24 60 a8 cb cb 48 99 02
all: 2c 26 c9 5c 53 5c 15 91 5d ef 76 81 42 80 6a 84
checksum
global: 3f fd 66 00 3a ba 0b 09 ae 5b 41 4f 9c f0 81 01
vdom1: c4 6e 79 0c 82 12 3e 39 d2 b0 f4 df 5e 30 32 aa
vdom2: c5 6e 88 4c 32 11 2e 22 52 b7 f3 df 5f 40 22 11
root: 17 c9 6c 54 1f 9f a1 0d 24 60 a8 cb cb 48 99 02
all: 2c 26 c9 5c 53 5c 15 91 5d ef 76 81 42 80 6a 84
================== FGT51E0000000002 ==================
is_manage_master()=0, is_root_master()=1
debugzone
global: 3f fd 66 00 3a ba 0b 09 ae 5b 41 4f 9c f0 81 01
vddom1: c4 6e 79 0c 82 12 3e 39 d2 b0 f4 df 5e 30 32 aa
vdom2: c5 6e 88 4c 32 11 2e 22 52 b7 f3 df 5f 40 22 11
root: 17 c9 6c 54 1f 9f a1 0d 24 60 a8 cb cb 48 99 02
all: 2c 26 c9 5c 53 5c 15 91 5d ef 76 81 42 80 6a 84
checksum
global: 3f fd 66 00 3a ba 0b 09 ae 5b 41 4f 9c f0 81 01
vdom1: c4 6e 79 0c 82 12 3e 39 d2 b0 f4 df 5e 30 32 aa
vdom2: c5 6e 88 4c 32 11 2e 22 52 b7 f3 df 5f 40 22 11
root: 17 c9 6c 54 1f 9f a1 0d 24 60 a8 cb cb 48 99 02
all: 2c 26 c9 5c 53 5c 15 91 5d ef 76 81 42 80 6a 84 VDOM2
Para el VDOM2 la configuración es la misma, cambiando los elementos específicos del VDOM2, como ips, nombre del FW, etc pero como queremos que el FW-HA-2 sea el principal de este VDOM, invertiremos en el BGP los route-map. En el FW-HA-2 en el vecino de la MPLS aplicaremos el route-map BGP-MPLS-FW-11-out y en el FW-HA-1 aplicaremos el route-map BGP-MPLS-FW-12-out.
ACTUALIZACIÓN del cluster
Los equipos funcionan de modo independiente pero para actualizar los equipos tenemos casos:
- Activada sincronización de la configuración
Ambos equipos se actualizan a la vez, por lo que se produce una interrupción del servicio.
- Desactivada la sincronización de la configuración. Se puede actualizar independientemente ambos equipos, por lo cual, la interrupción de los servicios, es menor, ya que podemos actualizar primero uno de los equipos, todos los servicios pasan al otro y tras volver a funcionar este primero, podemos actualizar el otro. Por lo tanto, parece adecuado desactivar la sincronización antes de actualizar los equipos y tras finalizar la misma volver a activarla.
HEARBEAT interface
Es recomendable utilizar varios interfaces para tener un mayor redundancia. Para sincronizar las sesiones solo hace falta un enlace de nivel3, si los interfaces no están directamente conectados o no esta en la misma red ip, hará falta hacer routing, para ello sobre el vdom root podremos generar rutas estáticas o usar protocolos dinámicos. Para sincronizar la configuración si que necesitamos un nivel 2 usando el protocolo IP 802.3 usando el Ethernet type (Ethertype) con valor 0x8890( para NAT/Router clusters, 0x8891 para Transparent cluster, etc. Esto sería igual que cuando configuramos un cluster usando FGCP.
ANOTACIONES
Como os he comentado hay partes de la configuración que no se sincronizan. Por ejemplo, si hacéis una VPN IPSEC, la VPN, las políticas, los objetos, etc se sincronizan pero las rutas estáticas NO, tendrás que generarlas en el equipo slave manualmente.
Settings that are not synchronized
standalone-config-sync does not synchronize settings that identify the FortiGate to the network. The following settings are not synchronized:
Transparent mode management IPv4 and IPv6 IP addresses and default gateways.
All config system cluster-sync settings.
All config system interface settings except vdom, vlanid, type, and interface.
All config firewall sniffer settings.
All router BFD and BFD6 settings.
The following BGP settings: as, router-id, aggregate-address, aggregate-address6, neighbor-group, neighbor, network, and network6.
The following OSPF settings: router-id, area, ospf-interface, network, neighbor, and summary-address.
The following OSPF6 settings: router-id, area, and ospf6-interface.
All RIP settings.
All policy routing settings.
All static routing settings.
Estas son algunas limitaciones y cosas a tener en cuenta para este tipo de HA:
Limitations
When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:
Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the standalone-config-sync group are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
Some unwanted configurations might be synced: the current design and implementation of standalone-config-sync is based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
The wrong primary device might be picked accidentally: standalone-config-sync is derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as a the HA cluster selection process. It is important to select the correct device as the master, otherwise the wrong device could be selected and existing configurations could be overwritten.
Layer 2 heartbeat connections must be present: similar to HA heartbeat requirements, one or more layer 2 heartbeat connections are needed to sync configurations between the primary and backup devices.
Documentación pra realizar este BLOG.
¡¡Gracias a FORTINET !!
Comentarios