High Availability (5.6)

New High Availability features added to FortiOS 5.6.

Multicast session failover (293751)

FGCP HA multicast session synchronization supports multicast session failover. To configure multicast session failover, use the following command to change the multicast TTL timer to a smaller value than the default. The recommended setting to support multicast session failover is 120 seconds (2 minutes). The default setting is 600 seconds (10 minutes).

config system ha
    set multicast-ttl 120
end

The multicast TTL timer controls how long synchronized multicast routes are kept on the backup unit (so they are present on the backup unit when it becomes the new primary unit after a failover). If you set the multicast TTL lower, the multicast routes on the backup unit are refreshed more often and so are more likely to be accurate. Reducing this time causes route synchronization to happen more often and could affect performance.

Performance improvement when shutting down or rebooting the primary unit (380279)

In previous versions of FortiOS, if you entered the execute reboot or execute shutdown command on the primary unit, a split brain configuration could develop for a few seconds while the primary unit was shutting down. This would happen because the heartbeat packets would stop being sent by the primary unit, while it was still able to forward traffic. When the heartbeat packets stop the backup unit becomes the primary unit. The result was a split brain configuration with two primary units both capable of forwarding traffic.

This wouldn’t happen all the time, but when it did network traffic would be delayed until the primary unit shut down completely. To resolve this issue, in FortiOS 5.6 when you run the execute reboot or execute shutdown command on the primary unit, the primary unit first becomes the backup unit before shutting down, allowing the backup unit to become the new primary unit and avoiding the split brain scenario. This behavior only happens when you manually run the execute reboot or execute shutdown command from the primary unit.

VRRP failover process change (390938)

In a FortiOS 5.6 VRRP configuration, when the master cannot reach its next hop router (vrdst) it sends packets to the configured backup router(s). These packets set the priority of the master to be lower than the backup router(s), so a backup router becomes the new master and takes over processing traffic.

Use the vrdst-priority option to set the lower priority that the master sends to the backup routers. The following CLI syntax resets the master’s priority to 10 if it can no longer connect to its next hop router.

config system interface
    edit port10
        config vrrp
            set vrip 10.31.101.200
            set priority 255
            set vrdst 10.10.10.1
            set vrdst-priority 10
        end
    next
end
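The takeover described above depends on one thing the CLI does not check for you: vrdst-priority must actually be lower than the backup router's priority, or the next-hop failure never causes a failover. The following is an added example (not Fortinet code and not from the original post) that models the advertisement exchange in Python with the page's values (master priority 255, vrdst-priority 10) and a hypothetical backup at priority 100; the router names, the backup priority and the 150 value in the misconfiguration case are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VrrpRouter:
    """One router in a VRRP group (hypothetical model, not FortiOS code)."""
    name: str
    priority: int            # configured 'set priority'
    vrdst_priority: int = 0  # 'set vrdst-priority', used while vrdst is unreachable
    vrdst_reachable: bool = True
    is_master: bool = False

    def effective_priority(self) -> int:
        # While the next hop (vrdst) cannot be reached, the router behaves as if its
        # priority were vrdst-priority; that lowered value is what it advertises.
        return self.vrdst_priority if not self.vrdst_reachable else self.priority


def advertisement_round(routers: List[VrrpRouter]) -> Tuple[str, int]:
    """One advertisement cycle: the master advertises, the backups compare.

    A backup takes over only if its own effective priority is higher than the
    priority the master advertised. Returns (master name, advertised priority).
    """
    master = next(r for r in routers if r.is_master)
    advertised = master.effective_priority()
    challengers = [r for r in routers
                   if not r.is_master and r.effective_priority() > advertised]
    if challengers:
        new_master = max(challengers, key=lambda r: r.effective_priority())
        master.is_master = False
        new_master.is_master = True
        return new_master.name, advertised
    return master.name, advertised


def simulate_next_hop_loss(vrdst_priority: int, backup_priority: int) -> List[Tuple[str, int]]:
    """Master (priority 255, as in the CLI above) loses its next hop after round 1.

    Returns the (master, advertised priority) history over three rounds.
    """
    master = VrrpRouter("port10-master", priority=255,
                        vrdst_priority=vrdst_priority, is_master=True)
    backup = VrrpRouter("backup", priority=backup_priority)   # assumed second router
    routers = [master, backup]
    history = [advertisement_round(routers)]      # round 1: next hop still reachable
    master.vrdst_reachable = False                # 10.10.10.1 stops answering
    history.append(advertisement_round(routers))  # round 2: master advertises vrdst-priority
    history.append(advertisement_round(routers))  # round 3: steady state after takeover
    return history


if __name__ == "__main__":
    # With vrdst-priority 10 and a backup at 100 the backup takes over in round 2.
    for master_name, adv in simulate_next_hop_loss(vrdst_priority=10, backup_priority=100):
        print(f"master={master_name:14s} advertised={adv}")
    # Misconfiguration: vrdst-priority 150 is still higher than the backup's 100,
    # so the master keeps the role even though its next hop is gone.
    print(simulate_next_hop_loss(vrdst_priority=150, backup_priority=100)[-1])
```

Round 3 also shows why the lowered priority has to stick to the router whose next hop is down: once the old master is a backup it compares with its effective priority (10), so it does not immediately preempt the new master.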

Display cluster uptime and history (get system ha status command changes) (394745)

The get system ha status command now displays cluster uptime and history:

get system status
Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)
…
Current HA mode: a-p, master
Cluster uptime: 3 days, 4 hours, 3 minutes, 46 seconds
…
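If you poll this output from a monitoring script, the useful signal is a cluster uptime that is lower than the value you recorded at the previous poll, which means the cluster re-formed in between. The following is an added example (not from the original post and not Fortinet code) that parses the HA mode, role and cluster uptime from a constructed copy of the output above; the previous-poll value used for comparison is an assumption.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the CLI output above (not captured from a device).
SAMPLE_STATUS = """\
Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)
Current HA mode: a-p, master
Cluster uptime: 3 days, 4 hours, 3 minutes, 46 seconds
"""

_UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_ha_status(output: str) -> Dict[str, Optional[object]]:
    """Extract HA mode, role and cluster uptime (seconds) from 'key: value' lines."""
    info: Dict[str, Optional[object]] = {"ha_mode": None, "ha_role": None, "cluster_uptime_s": None}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the '…' lines or anything without a key
        key, value = key.strip(), value.strip()
        if key == "Current HA mode":
            mode, _, role = value.partition(",")
            info["ha_mode"] = mode.strip()
            info["ha_role"] = role.strip() or None
        elif key == "Cluster uptime":
            total = 0
            # Accept any subset of "N days, N hours, N minutes, N seconds"
            for amount, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", value):
                total += int(amount) * _UNIT_SECONDS[unit]
            info["cluster_uptime_s"] = total
    return info


def uptime_went_backwards(previous_uptime_s: int, current_output: str) -> bool:
    """True when the cluster uptime is smaller than at the last poll (cluster re-formed)."""
    current = parse_ha_status(current_output)["cluster_uptime_s"]
    return current is not None and current < previous_uptime_s


if __name__ == "__main__":
    print(parse_ha_status(SAMPLE_STATUS))
    # Assumed previous poll: 3 days 12 hours (302400 s) -> uptime has gone backwards.
    print(uptime_went_backwards(302400, SAMPLE_STATUS))
```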

In-band HA management Interface (401378)

You can use the following command to add a management interface to an individual cluster unit interface that is also connected to a network and processing traffic. The in-band management interface is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access.

config system interface
    edit port1
        set management-ip 172.20.121.155/24
    next
end

The management IP address is accessible from the network that the cluster interface is connected to. This setting is not synchronized, so each cluster unit can have its own management IP address. You can add a management IP address to each cluster unit interface. You can use the execute ha manage command to connect to individual cluster units.

The management-ip can be on the same subnet as the interface you are adding it to but cannot be on the same subnet as other cluster unit interfaces.

Up to four dedicated HA management interfaces supported (378127)

You can now add up to four dedicated HA management interfaces. Just like all FortiGate interfaces, these management interfaces must be on a different subnet from any other FortiGate interface. You can also configure a separate default gateway for each interface.

Use the following command to add two dedicated HA management interfaces:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port4
            set gateway 10.10.10.1
        next
        edit 2
            set interface port5
            set gateway 4.5.6.7
        next
    end
end
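The subnet rules in the last two sections (a management-ip must not sit on another cluster interface's subnet; dedicated HA management interfaces must be on a subnet no other FortiGate interface uses, and there can be at most four of them) and the multicast-ttl recommendation from the first section are easy to get wrong in a large config and are not something the CLI validates across interfaces for you. The following is an added example (not Fortinet code and not from the original post) that parses FortiOS-style config text into nested dicts and runs those checks. The sample config is constructed: it reuses the page's CLI values, adds interface addresses that are assumptions, and deliberately contains two problems (the default multicast-ttl and a management-ip on port2 that lands on port4's subnet).

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample config (not a device export); interface IPs are assumed values.
SAMPLE_CONFIG = """
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port4
            set gateway 10.10.10.1
        next
        edit 2
            set interface port5
            set gateway 4.5.6.7
        next
    end
end
config system interface
    edit port1
        set ip 172.20.121.150 255.255.255.0
        set management-ip 172.20.121.155/24
    next
    edit port2
        set ip 10.20.0.1 255.255.255.0
        set management-ip 10.10.10.200/24
    next
    edit port4
        set ip 10.10.10.2 255.255.255.0
    next
    edit port5
        set ip 4.5.6.2 255.255.255.0
    next
end
"""


def parse_fortios_config(text: str) -> Dict:
    """Turn config/edit/set/next/end text into nested dicts; 'set' values are token lists."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword in ("config", "edit"):      # open a table ("system ha") or an entry ("1")
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {keyword!r}: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/end or edit/next")
    return root


def interface_networks(cfg: Dict) -> Dict[str, ipaddress.IPv4Network]:
    """Map interface name -> subnet, from 'set ip <addr> <netmask>'."""
    nets = {}
    for name, iface in cfg.get("system interface", {}).items():
        ip = iface.get("ip")
        if ip and len(ip) == 2:
            nets[name] = ipaddress.ip_interface(f"{ip[0]}/{ip[1]}").network
    return nets


def check_ha_config(cfg: Dict) -> List[str]:
    findings = []
    ha = cfg.get("system ha", {})
    nets = interface_networks(cfg)

    ttl = int(ha.get("multicast-ttl", ["600"])[0])   # 600 s is the FortiOS default
    if ttl > 120:
        findings.append(f"multicast-ttl is {ttl}s; 120s is recommended for multicast session failover")

    if ha.get("ha-mgmt-status", ["disable"])[0] == "enable":
        mgmt = ha.get("ha-mgmt-interfaces", {})
        if len(mgmt) > 4:
            findings.append(f"{len(mgmt)} dedicated HA management interfaces configured; the maximum is 4")
        for idx, entry in mgmt.items():
            port = entry.get("interface", [""])[0]
            net = nets.get(port)
            if net is None:
                findings.append(f"ha-mgmt-interfaces {idx}: {port!r} has no IP address")
                continue
            for other, onet in nets.items():
                if other != port and net.overlaps(onet):
                    findings.append(f"ha-mgmt-interfaces {idx}: {port} ({net}) shares a subnet with {other}")

    for name, iface in cfg.get("system interface", {}).items():
        mip = iface.get("management-ip")
        if not mip:
            continue
        mnet = ipaddress.ip_interface(mip[0]).network
        for other, onet in nets.items():
            if other != name and mnet.overlaps(onet):
                findings.append(f"{name} management-ip {mip[0]} is on the subnet of {other} ({onet})")
    return findings


if __name__ == "__main__":
    for finding in check_ha_config(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

The parser is deliberately minimal (no handling of multi-line quoted values), which is enough for the config sections this page discusses; run it against a full export only after checking that it raises no errors.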

FGSP support for automatic session sync after peer reboot (365851)

New options allow you to configure your FGSP cluster to resume sessions more smoothly after a failed FortiGate rejoins the cluster. In some cases when a failed FortiGate in the cluster comes back up it may begin processing sessions before the session table has been synchronized to it from the other FortiGate in the cluster. When this happens, the FortiGate may drop packets until the session synchronization is complete.

Shutting down interfaces during session synchronization

This new feature allows you to shut some interfaces down on the failed FortiGate when it is starting up so that it will not accept packets until session synchronization is complete. Then the interfaces are brought up and traffic can flow. While the interfaces are down, the FortiGate that had not failed keeps processing traffic.

Use the following command to select the interfaces to shut down while waiting for session synchronization to complete:

config system cluster-sync
    edit 1
        set down-intfs-before-sess-sync port1 port2
    next
end

Heartbeat monitoring

If the FortiGate that was running fails before session synchronization is complete, the FortiGate that is restarting would not be able to complete session synchronization and would never bring its shut-down interfaces back up. To prevent this from happening, FGSP now includes heartbeat monitoring. Using heartbeat monitoring, the FortiGate that is waiting for session synchronization to finish can detect that the other FortiGate is down and bring up its interfaces even if session synchronization is not complete. You can use the following command to change the heartbeat interval (hb-interval) and lost heartbeat threshold (hb-lost-threshold) to change heartbeat monitoring timing.

config system cluster-sync
    edit 1
        set hb-interval 2
        set hb-lost-threshold 3
    next
end
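Put together, the two FGSP options above define a simple gate on the restarting unit: the interfaces listed in down-intfs-before-sess-sync come up at the earlier of "session sync finished" and "no heartbeat from the peer for hb-interval times hb-lost-threshold seconds". The following is an added example (not Fortinet code and not from the original post) that implements that decision over constructed event timelines, using the page's values hb-interval 2 and hb-lost-threshold 3; the event timestamps are assumptions, and the second scenario is the failure mode the heartbeat monitoring was added for.

```python
from typing import List, Tuple

# Constructed event timelines for the restarting FortiGate (seconds since boot).
# "hb" = heartbeat received from the peer, "sync_done" = session sync finished.
Event = Tuple[float, str]


def interface_up_decision(events: List[Event], hb_interval: float,
                          hb_lost_threshold: int) -> Tuple[float, str]:
    """When do the interfaces held down by down-intfs-before-sess-sync come up?

    Returns (time, reason) where reason is "sync-complete" or "peer-lost".
    Peer loss is declared when hb_interval * hb_lost_threshold seconds pass
    without a heartbeat (boot counts as the last contact before any heartbeat).
    """
    lost_after = hb_interval * hb_lost_threshold
    last_hb = 0.0
    for t, kind in sorted(events):
        # The peer-lost deadline may expire before the next event arrives.
        if t - last_hb > lost_after:
            return last_hb + lost_after, "peer-lost"
        if kind == "hb":
            last_hb = t
        elif kind == "sync_done":
            return t, "sync-complete"
    # No sync completion ever arrived: the heartbeat timer decides.
    return last_hb + lost_after, "peer-lost"


def normal_startup() -> Tuple[float, str]:
    # Peer alive (heartbeat every 2 s) and sync finishes at 9 s: up at 9 s.
    events = [(2, "hb"), (4, "hb"), (6, "hb"), (8, "hb"), (9, "sync_done"), (10, "hb")]
    return interface_up_decision(events, hb_interval=2, hb_lost_threshold=3)


def peer_dies_during_sync() -> Tuple[float, str]:
    # Peer's last heartbeat at 4 s and sync never completes. Without heartbeat
    # monitoring the interfaces would stay down indefinitely; with hb-interval 2 and
    # hb-lost-threshold 3 they come up at 4 + 2 * 3 = 10 s with the peer declared lost.
    events = [(2, "hb"), (4, "hb")]
    return interface_up_decision(events, hb_interval=2, hb_lost_threshold=3)


if __name__ == "__main__":
    print("normal startup      :", normal_startup())
    print("peer dies mid-sync  :", peer_dies_during_sync())
```

The trade-off the two knobs control is visible in the second scenario: a smaller hb-interval or hb-lost-threshold shortens the window in which no unit forwards traffic, at the cost of declaring a slow-but-alive peer lost and bringing interfaces up with an incomplete session table.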

Change in cluster behavior when the primary unit is restarted (380279)

When testing HA failover or restarting the primary unit for other reasons, manually rebooting or shutting down the primary unit running previous versions of FortiOS can sometimes cause a failover delay. This happens because the backup unit may become the primary unit before the primary unit is fully shut down, causing a temporary split brain scenario.

To resolve this issue, when you manually restart or shut down the primary unit running FortiOS 5.6.0, the primary unit becomes the backup unit before it actually shuts down and the previous backup unit becomes the primary unit. Traffic is then failed over to the new primary unit before the former primary unit shuts down or reboots.

 

This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
