Higher Availability in FortiGate and VRRP in Cisco

Higher Availability in FortiGate and VRRP in Cisco

A brief explanation of the given topology: -

Ø On top of all, there are two FortiGate Firewalls one Active other one as Standby.

Ø With the Higher Availability (HA) configured for handling the Failover of active Firewall.

Ø There are two CORE switches with VRRP Configuration: CORE-1 as Master and CORE-2 as Slave.

Ø Between two CORE-1 and CORE-2, two links in the Port Channel have been configured.

Ø SVIs and static default route toward the Firewall has been configured for LAN users.

Ø Also, the DHCP server has been configured for DATA and VOICE VLANs.

Ø Two Layer 2 switches with uplinks as trunk and VLANs.

FortiGate Firewall Configuration

HA Configuration in FortiGate Firewall: -

Here I have kept by default priority i.e.; 128 for “ACTIVE-FIREWALL” whose role is primary and I have set 100 for the “STANDBY-FIREWALL” whose role is secondary.

By default, the selection process of HA in FortiGate

Note: Here I have given Higher priority to make “Fortinet1” as “Active Firewall”.

Step-1: Go to the system select HA and do the Following Configuration: - (Here I have Selected mode as “Active-Passive” i.e.; one Firewall as active other as standby waiting for the active to fail, and the Group name as “Higher-Availability” and the password as “Admin@123” but it can be anything as per your choice, the Monitor interface will the one you want to keep a track that if it goes down than the Standby will become active in my case it’s the LAN interface “port2” and the Heartbeat interface should be the link between the two firewalls which is in my case “port4”)

Step 2: Go to the Standby Firewall and do the duplicate configuration on it except the Priority as it should be lower than the Active to make it a standby.

Note: On both the Firewalls the Group name and Password Should match or else it could form Higher Availability (HA)

Policy Configuration in FortiGate Firewall: -

Step 1: Go to Policy & Objects -> select Firewall Policy -> Click on Create New-> and do the following configuration: - (Here I have done the following configurations Name as “LAN-TO-WAN” Incoming interface in my case LAN interface i.e.; port2 and outgoing interface in my case WAN interface i.e.; port1, source “all” destination “all” and services also “all” i.e.; from all source to all destination and all the services is been allowed, NAT is been enabled as the traffic is going to reach the internet.)

Note: Here I have created two routes one is the default route towards the internet and the other one is the static summary route towards the two VLANs i.e.; DATA and VOICE via the core switch.

Step 2: Go to Network -> select Static Route -> Click on Create New-> and do the following configuration: -

Static Default Route for the Internet: -

Static Summary Route for LAN users (DATA & VOICE VLANs): -

Cisco Router Configuration

hostname CORE-1

ip dhcp excluded-address 192.168.1.252 192.168.1.254

ip dhcp excluded-address 192.168.2.252 192.168.2.254

ip dhcp excluded-address 192.168.10.252 192.168.10.254

track 100 interface GigabitEthernet0/2 line-protocol

delay down 5 up 5

ip dhcp pool DATA

network 192.168.1.0 255.255.255.0

default-router 192.168.1.254

dns-server 8.8.8.8

ip dhcp pool VOICE

network 192.168.2.0 255.255.255.0

default-router 192.168.2.254

dns-server 8.8.8.8

option 43 ip 192.168.2.254

interface Port-channel1