2010.01.07

When setting up High Availability on FortiGate, one thing struck me as a bit unusual. Unlike other firewall clustering solutions (correct me if I’m wrong), FortiGate devices don’t force you to assign both physical and logical IP addresses to interfaces: you configure logical IP addresses only. This implies that you can’t directly access a specific node/firewall in your cluster. You have to SSH into the Master unit and, from there, log into the Subordinate unit(s). Here are the relevant CLI commands:

FW-NODE-A # get system ha status
Model: 100
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:129 FW-NODE-A      FG100C3000000000 0
Slave :128 FW-NODE-B      FG100C3000000001 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG100C3000000000
Slave :1 FG100C3000000001

FW-NODE-A # execute ha manage ?
please input peer box index.
<1>     Subsidary unit FG100C3000000001

FW-NODE-A # execute ha manage 1

FW-NODE-B $
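As an added example (not part of the original post), here is a small Python parser for the `get system ha status` output shown above. It extracts each member's role, priority and the index you pass to `execute ha manage`, and compares the current master against an expected serial so a monitoring job can flag an unexpected role change. The expected-master serial and the sample output are taken from the session above; the function names are my own.

```python
import re

# Sample output of `get system ha status`, copied from the session above.
SAMPLE_STATUS = """\
Model: 100
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:129 FW-NODE-A      FG100C3000000000 0
Slave :128 FW-NODE-B      FG100C3000000001 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG100C3000000000
Slave :1 FG100C3000000001
"""

# Member table line: role, priority, hostname, serial, cluster index.
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_ha_status(text):
    """Return (settings, members).

    settings maps 'Mode', 'ses_pickup', ... to their string values.
    members maps 'master'/'slave' to priority, hostname, serial and index.
    The shorter per-vcluster role lines at the end are skipped."""
    settings, members = {}, {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            role, prio, host, serial, idx = m.groups()
            members[role.lower()] = {"priority": int(prio), "hostname": host,
                                     "serial": serial, "index": int(idx)}
        elif line.startswith(("Master", "Slave")):
            continue  # vcluster role line without hostname; ignore
        elif ":" in line:
            key, _, val = line.partition(":")
            settings[key.strip()] = val.strip()
    return settings, members


def peer_index(members, hostname):
    """Index for `execute ha manage <n>` to reach the named subordinate."""
    for role, info in members.items():
        if role != "master" and info["hostname"] == hostname:
            return info["index"]
    return None


def master_changed(members, expected_master_serial):
    """True when the unit holding the master role is not the one expected."""
    master = members.get("master")
    return master is None or master["serial"] != expected_master_serial
```

Run `master_changed(members, "FG100C3000000000")` on a fresh status capture to detect a failover that happened without anyone noticing, since the logical IP moves silently with the role.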

I wonder what would happen if the Master unit were to hang, that is, get stuck in a state where neither the failover mechanism nor SSH/HTTPS access works. How could you remotely force a failover to another node? In such a scenario, is a physical power cycle of the master unit the only option?
