Configuring virtual clustering with two VDOMs and VDOM partitioning – web-based manager

To add a default route to each VDOM

1. Enter the following command to add default routes to the root and Eng_vdm VDOMs.

config vdom
    edit root
        config router static
            edit 1
                set dst 0.0.0.0/0.0.0.0
                set gateway 172.20.120.2
                set device port1
            end
    next
    edit Eng_vdm
        config router static
            edit 1
                set dst 0.0.0.0/0.0.0.0
                set gateway 172.20.120.2
                set device port5
            end
end


To configure VDOM partitioning

1. Enter the get system ha status command to view cluster unit status:

For example, from the FGT_ha_2 cluster unit CLI:

config global
get system ha status
Model: XXXX
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 FGT_ha_2 FG600B3908600825 0
Slave :128 FGT_ha_1 FG600B3908600705 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705

This command output shows that VDOM partitioning has not been configured because only virtual cluster 1 is shown. The command output also shows that FGT_ha_2 is the primary unit for the cluster and for virtual cluster 1 because this cluster unit has the highest serial number.

2. Enter the following commands to configure VDOM partitioning:

config global
    config system ha
        set vcluster2 enable
        config secondary-vcluster
            set vdom Eng_vdm
        end
    end
end

3. Enter the get system ha status command to view cluster unit status:

For example, from the FGT_ha_2 cluster unit CLI:

config global
get system ha status
Model: XXXX
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 FGT_ha_2 FG600B3908600825 0
Slave :128 FGT_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705

This command output shows that VDOM partitioning has been configured because both virtual cluster 1 and virtual cluster 2 are visible. However, the configuration is not complete because FGT_ha_2 is the primary unit for both virtual clusters. The command output shows this because under both vcluster entries the Master entry shows FG600B3908600825, which is the serial number of FGT_ha_2. As a result of this configuration, FGT_ha_2 processes traffic for both VDOMs and FGT_ha_1 does not process any traffic.

4. Change the Virtual Cluster 1 and Virtual Cluster 2 device priorities for each cluster unit so that FGT_ha_1 processes virtual cluster 1 traffic and FGT_ha_2 processes virtual cluster 2 traffic.

Since the root VDOM is in virtual cluster 1 and the Eng_vdm VDOM is in virtual cluster 2, the result of this configuration will be that FGT_ha_1 will process all root VDOM traffic and FGT_ha_2 will process all Eng_vdm traffic. You make this happen by changing the cluster unit device priorities for each virtual cluster. You could use the following settings:

                        Device Priority
Host Name    Virtual Cluster 1    Virtual Cluster 2
FGT_ha_1     200                  100
FGT_ha_2     100                  200


Since the device priority is not synchronized, you can edit the device priorities of each virtual cluster on each FortiGate unit separately. To do this:

  • Log into the CLI and note the FortiGate unit you have actually logged into (for example, by checking the host name displayed in the CLI prompt).
  • Change the virtual cluster 1 and 2 device priorities for this cluster unit.
  • Then use the execute ha manage command to log into the other cluster unit CLI and set its virtual cluster 1 and 2 device priorities.

 

Enter the following commands from the FGT_ha_1 cluster unit CLI:

config global
    config system ha
        set priority 200
        config secondary-vcluster
            set priority 100
        end
    end
end

Enter the following commands from the FGT_ha_2 cluster unit CLI:

config global
    config system ha
        set priority 100
        config secondary-vcluster
            set priority 200
        end
    end
end


The cluster may renegotiate during this step, resulting in a temporary loss of connection to the CLI and a temporary service interruption.

Since the device priority of Virtual Cluster 1 is highest for FGT_ha_1 and since the root VDOM is in Virtual Cluster 1, all traffic for the root VDOM is processed by FGT_ha_1.

Since the device priority of Virtual Cluster 2 is highest for FGT_ha_2 and since the Eng_vdm VDOM is in Virtual Cluster 2, all traffic for the Eng_vdm VDOM is processed by FGT_ha_2.

 

To verify the VDOM partitioning configuration

1. Log into the FGT_ha_2 cluster unit CLI and enter the following command:

config global
get system ha status
Model: XXXX
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Slave :100 FGT_ha_2 FG600B3908600825 0
Master:200 FGT_ha_1 FG600B3908600705 1
number of vcluster: 2
vcluster 1: standby 169.254.0.2
Slave :1 FG600B3908600825
Master:0 FG600B3908600705
vcluster 2: work 169.254.0.1
Master:0 FG600B3908600825
Slave :1 FG600B3908600705

The command output shows that FGT_ha_1 is the primary unit for virtual cluster 1 (because the command output shows that the Master of virtual cluster 1 is the serial number of FGT_ha_1) and that FGT_ha_2 is the primary unit for virtual cluster 2.

If you enter the same command from the FGT_ha_1 CLI, the same information is displayed, but in a different order. The command always displays the status of the cluster unit that you are logged into first.

config global
get system ha status
Model: XXXX
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:200 FGT_ha_1 FG600B3908600705 1
Slave :100 FGT_ha_2 FG600B3908600825 0
number of vcluster: 2
vcluster 1: work 169.254.0.2
Master:0 FG600B3908600705
Slave :1 FG600B3908600825
vcluster 2: standby 169.254.0.1
Slave :1 FG600B3908600705
Master:0 FG600B3908600825

 

To test the VDOM partitioning configuration

You can do the following to confirm that traffic for the root VDOM is processed by FGT_ha_1 and traffic for the Eng_vdm is processed by FGT_ha_2. These steps assume the cluster is operating correctly.

1. Log into the CLI by connecting to port2 using IP address 10.11.101.100.

You will log into FGT_ha_1 because port2 is in the root VDOM and all traffic for this VDOM is processed by FGT_ha_1. You can confirm that you have logged into FGT_ha_1 by checking the host name in the CLI prompt. Also, the get system status command displays the status of the FGT_ha_1 cluster unit.

2. Log into the web-based manager or CLI by connecting to port6 using IP address 10.12.101.100.

You will log into FGT_ha_2 because port6 is in the Eng_vdm VDOM and all traffic for this VDOM is processed by FGT_ha_2.

3. Add security policies to the root virtual domain that allow communication from the internal network to the Internet and connect to the Internet from the internal network.

4. Log into the web-based manager and go to System > HA > View HA Statistics.

The statistics display shows more active sessions, total packets, network utilization, and total bytes for the FGT_ha_1 unit.

5. Add security policies to the Eng_vdm virtual domain that allow communication from the engineering network to the Internet and connect to the Internet from the engineering network.

6. Log into the web-based manager and go to System > HA > View HA Statistics.

The statistics display shows more active sessions, total packets, network utilization, and total bytes for the FGT_ha_2 unit.

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
