60 Active Passive+Lab

- The document describes setting up an active-passive high availability (HA) cluster between two FortiGate firewalls (primary and secondary)
- Key steps include configuring interfaces, DHCP server, DNS, default route, policies, and HA settings on both firewalls
- The primary firewall is given a higher priority of 100 while the secondary is given 50 to ensure the primary serves as the master unit
- Ports 3 and 4 on each firewall are configured as heartbeat interfaces to monitor connectivity and determine the active unit

Uploaded by Hai Do

Active-Passive Lab:

FG1 (Primary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
High availability (HA) 1: Port3 - Layer 2, no IP address
High availability (HA) 2 Backup: Port4 - Layer 2, no IP address

FG2 (Secondary) IP Schema
Outside Layer 3 Interface: Port1 - 192.168.122.100/24
Inside Layer 3 Interface: Port2 - 192.168.1.100/24
HA1 or Control Link: Port3 - Layer 2, no IP address
HA1 or Control Link Backup: Port4 - Layer 2, no IP address

LAN PC Details
LAN PC1 IP: DHCP
LAN PC2 IP: DHCP
LAN DHCP Range: 192.168.1.1 - 192.168.1.99 /24
LAN PC DNS: 8.8.8.8
Firewall Management IP subnet: 192.168.122.0/24
Internet Gateway IP: 192.168.122.2 /24

HA Details
Mode: Active-Passive
Device Priority Master: 100
Device Priority Slave: 50
Group Name: HAG
Heartbeat Ports: Port3 and Port4

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Configure Primary Firewall:
Login:
First, console into the primary firewall and find out the IP address to use for login.

Change Hostname:
Now log in to the MASTER firewall. I recommend changing the hostname as the first step;
this makes it much easier to tell the two FortiGate units apart later.

Configure Interfaces:
Go to Network > Interfaces, select port1 and click Edit. In Alias type WAN, change the Address Mode
to Manual and type IP/Netmask 192.168.122.100/24. Leave Administrative Access and the rest of the
configuration at their defaults and press OK. The session will be disconnected; log in again with the
new management IP address, which is also the WAN IP address.



Go to Network > Interfaces, select port2 and click Edit. In Alias type LAN, change the Address Mode to
Manual and type IP/Netmask 192.168.1.100/24. In Administrative Access check only PING, leave
all the rest of the configuration at its defaults and press OK.



Enable DHCP Server:
To add a DHCP server, go to Network > Interfaces. Edit the interface port2 and enable DHCP Server in
the addressing section. Set the DNS server to 8.8.8.8.

Configure DNS:
Go to Network > DNS, click Specify and enter the primary/secondary DNS servers. In Primary
DNS Server, type the IP address of the primary DNS server, 8.8.8.8. Click Apply to save the changes.

Configure Default Route:

To create a new default route, go to Network > Static Routes and create a static route for the ISP.
Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0. Set
Gateway to the IP address provided by your ISP; in my case this is 192.168.122.2, which is the VMnet8
gateway of VMware Workstation. Set the Interface to the Internet-facing interface, i.e. the
WAN interface. Press OK to save the changes.



LAN to WAN Policy:
To create a new policy, go to Policy & Objects > IPv4 Policy. Give the policy a Name that
indicates it is for traffic to the Internet; in my case it is Allow-LAN2WAN. Set
the Incoming Interface to LAN and the Outgoing Interface to WAN. Set Source, Destination
Address, Schedule, and Service as required; in this case all are set to All/always. Ensure the Action is set to ACCEPT.
Turn on NAT and select Use Outgoing Interface Address.
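The same base configuration of the primary unit, from hostname through the LAN-to-WAN policy, can be entered on the FortiOS CLI instead of the GUI. The block below is an added example and is not part of the original lab; it assumes the hostname PrimaryFW (taken from the CLI prompt shown later in this lab), object ID 1 for the DHCP server, the static route and the policy, and the administrative access set on port1, which the GUI steps leave at their defaults.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps for the primary unit.
# Not part of the original lab. Assumed: hostname PrimaryFW, object IDs 1 for
# the DHCP server, route and policy, and the admin access list on port1.
config system global
    set hostname PrimaryFW
end

config system interface
    edit port1
        set alias WAN
        set mode static
        set ip 192.168.122.100 255.255.255.0
        # Assumed management access; the lab leaves the GUI defaults in place.
        set allowaccess ping https ssh
    next
    edit port2
        set alias LAN
        set mode static
        set ip 192.168.1.100 255.255.255.0
        # Only PING is allowed from the LAN side, as in the lab.
        set allowaccess ping
    next
end

# DHCP server on the LAN interface, handing out the range from the IP schema.
config system dhcp server
    edit 1
        set interface port2
        set default-gateway 192.168.1.100
        set netmask 255.255.255.0
        set dns-server1 8.8.8.8
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.99
            next
        end
    next
end

# DNS used by the firewall itself.
config system dns
    set primary 8.8.8.8
end

# Default route toward the lab's Internet gateway via the WAN interface.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.122.2
        set device port1
    next
end

# LAN to WAN policy with source NAT to the outgoing interface address.
config firewall policy
    edit 1
        set name Allow-LAN2WAN
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
```

Each `end` commits the section, so the port1 change drops your session just as the GUI step does; reconnect to 192.168.122.100 before continuing. Keeping port2 at PING only, as the lab does, means the LAN side exposes no management service to the clients it serves.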



HA Active-Passive Configuration:
Go to System > HA and select the Active-Passive mode. Give the MASTER firewall a Device Priority
higher than the slave's (100). Set a group name and password for the cluster; you
will use them again on the slave machine. Enable Session Pickup so that sessions are synchronized from the master to the
backup machine. Check the interface you want to monitor, normally the Internet-facing one. Enable two
heartbeat interfaces to create a stable HA.

Mode: Select the HA mode for the cluster, or return the cluster to standalone.
Device Priority: Set the device priority. The unit with the highest device priority usually becomes the primary unit.
Group Name: Enter a name to identify the cluster. The group name must be the same on all cluster units.
Password: Enter a password to identify the cluster. It must be the same on all cluster units.
Session Pickup: Sessions are picked up by the cluster unit that becomes primary.
Monitor Interfaces: Select to enable or disable monitoring of FortiGate interfaces.
Heartbeat Interfaces: Select to enable or disable HA heartbeat communication.
Heartbeat Interface Priority: Set the heartbeat interface priority.
Management Interface Reservation: The HA Reserved Management Interface provides direct
management access to all cluster units by reserving a management interface as part of the HA configuration.



Verification of Primary:
After the HA configuration is done, go to System > HA. It will show, as below, that port1 is the monitored port and
port3 and port4 are the heartbeat interfaces.



Configure Slave Firewall:
After the configuration of the primary firewall is done, we will set up the slave machine. Console into the
slave firewall, get its IP address and log in.

Change Hostname:
Now log in to the SLAVE firewall. I recommend changing the hostname as the first step;
this makes it much easier to tell the two FortiGate units apart later.

HA Active-Passive Configuration:
Same as on the master: go to System > HA and select the Active-Passive mode. Give the
SLAVE firewall a Device Priority lower than the master's (50). Set the same group name and the same
password for the cluster that were already set on the MASTER firewall. Enable Session Pickup so that
sessions are synchronized from the master to the backup machine. Check the interface you want to monitor,
normally the Internet-facing one. Enable two heartbeat interfaces to create a stable HA.
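The HA settings described for the master (System > HA section above) and for the slave (this section) map onto one CLI block per unit. The block below is an added example, not part of the original lab; it assumes a heartbeat priority of 50 on both heartbeat ports, the hostname BackupFW for the secondary unit, and a password placeholder that must be replaced with the same value on both units.

```fortios
# Added example: HA settings for both units, matching the lab's HA Details.
# Not part of the original lab. Assumed: heartbeat priority 50 on both ports,
# secondary hostname BackupFW, and the password placeholder below.

# --- Primary unit (PrimaryFW) ---
config system ha
    set group-name HAG
    set mode a-p
    set password REPLACE_WITH_CLUSTER_PASSWORD
    # Heartbeat on port3 and port4; the number after each port is its heartbeat priority.
    set hbdev port3 50 port4 50
    # Synchronize sessions so established flows survive a failover.
    set session-pickup enable
    # Monitor the Internet-facing interface: link loss on port1 triggers failover.
    set monitor port1
    # Higher priority than the secondary, so this unit is elected primary.
    set priority 100
end

# --- Secondary unit (BackupFW) ---
config system global
    set hostname BackupFW
end
config system ha
    set group-name HAG
    set mode a-p
    set password REPLACE_WITH_CLUSTER_PASSWORD
    set hbdev port3 50 port4 50
    set session-pickup enable
    set monitor port1
    # Lower priority than the primary.
    set priority 50
end
```

Once both units have the same group name and password and see each other over port3/port4, the cluster forms and the primary's configuration is pushed to the secondary; the hostname is one of the few settings that is not synchronized, which is why setting a distinct hostname on each unit is safe and useful. On either console, `get system ha status` lists the members with their roles and `diagnose sys ha checksum cluster` shows whether the configuration checksums of the two units match.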



Verification:
Check the status of the cluster group and make sure the master and slave machines are correct. On the
primary firewall go to System > HA; you will find the settings of both firewalls here. The HA status page
shows both FortiGates in the cluster. It also shows that Primary is the primary (master) FortiGate and that
Backup is the secondary (slave) FortiGate.



Go to Dashboard > Status; the HA Status dashboard widget also shows the synchronization status.

LAN PCs Configuration:

Right-click on both PC1 and PC2 and enable DHCP so that they obtain an IP address from the LAN interface.



Go to Security Fabric > Physical Topology. If the cluster is part of a Security Fabric, the FortiView
Physical and Logical Topology views show information about the cluster status.

Failover Verification:
Let's start a continuous ping from any LAN PC.

Let's power off the primary firewall; you will then be logged into the backup FortiGate.



You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate,
allowing the ping traffic to continue.
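The length of that pause is the number you actually want from a failover test. As an added example that is not part of the original lab, the Python script below parses the output of the continuous ping on the LAN PC, finds every run of unanswered probes and converts it into an approximate outage time, so the result can be compared against a budget instead of judged by eye. The sample ping lines are constructed for the example and the one-second probe interval is an assumption (the default for `ping` on Linux).

```python
import re
from dataclasses import dataclass

# Constructed sample of a continuous `ping 8.8.8.8` run on a LAN PC during the
# failover test; icmp_seq 4-7 got no reply while the backup took over.
# This is not real captured output.
SAMPLE_PING = """\
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=11.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=117 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=117 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=117 time=12.0 ms
"""

# Only reply lines carry icmp_seq=N; summary and header lines are ignored.
REPLY_RE = re.compile(r"icmp_seq=(\d+)")


@dataclass(frozen=True)
class Gap:
    """A run of consecutive probes that received no reply."""
    first_lost: int
    last_lost: int
    interval_s: float  # assumed probe interval (1 s is the Linux ping default)

    @property
    def lost(self) -> int:
        return self.last_lost - self.first_lost + 1

    @property
    def seconds(self) -> float:
        # Approximate outage: lost probes times the probe interval.
        return self.lost * self.interval_s


def answered_sequences(ping_output: str) -> list[int]:
    """Sequence numbers of the probes that were answered, in output order."""
    seqs = []
    for line in ping_output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
    return seqs


def find_gaps(ping_output: str, interval_s: float = 1.0) -> list[Gap]:
    """Return every gap in the answered sequence numbers."""
    seqs = answered_sequences(ping_output)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            gaps.append(Gap(prev + 1, cur - 1, interval_s))
    return gaps


def failover_acceptable(ping_output: str, max_outage_s: float,
                        interval_s: float = 1.0) -> bool:
    """True when no single outage in the ping run exceeds the budget."""
    return all(g.seconds <= max_outage_s
               for g in find_gaps(ping_output, interval_s))


if __name__ == "__main__":
    for g in find_gaps(SAMPLE_PING):
        print(f"lost icmp_seq {g.first_lost}-{g.last_lost}: "
              f"{g.lost} probes, ~{g.seconds:.0f} s outage")
    print("within 10 s budget:", failover_acceptable(SAMPLE_PING, 10))
```

Run it against a saved ping log (`ping 8.8.8.8 | tee ping.log` on the PC, then read the file into `find_gaps`) and keep the reported outage for each test; a gap that grows between runs is an early sign of heartbeat or monitored-interface trouble that the HA status page alone will not show.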

Check the host name to verify the FortiGate that you have logged into. The FortiGate continues
to operate in HA mode.



If you restart the primary FortiGate, after a few minutes it should rejoin the cluster and operate as
the backup FortiGate. Traffic should not be disrupted when the restarted primary unit rejoins
the cluster. The Override behavior allows the firewall with the higher priority value to resume as the
primary firewall; to get this, enable Override on the primary firewall and commit with end:
PrimaryFW # config system ha
PrimaryFW (ha) # set override enable
PrimaryFW (ha) # end
