High Availability (5.6.1)

High Availability (5.6.1)

New High Availability features added to FortiOS 5.6.1.

HA cluster Uptime on HA Status dashboard widget (412089)

The HA Cluster dashboard widget now displays how long the cluster has been operating (Uptime) and the time since the last failover occurred (State Changed). You can hover over the State Changed time to see the event that caused the state change.

You can also click on the HA Status dashboard widget to configure HA settings or to get a listing of the most recent HA events recorded by the cluster.

FGSP with static (non-dialup) IPsec VPN tunnels and controlling IKE routing advertisement (402295)

Until FortiOS 5.6.1, the FortiGate Session Life Support Protocol (FGSP) only supported IPsec tunnel synchronization for dialup (or dynamic) IPsec VPN tunnels. FortiOS 5.6.1 now also supports IPsec tunnel synchronization for static IPsec VPN tunnels. No special FGSP or IPsec VPN configuration is required. You can configure static IPsec VPN tunnels normally and create a normal FGSP configuration.

An additional feature has been added to support some FGSP configurations that include IPsec VPNs. A new CLI option allows you to control whether IKE routes are added to the FGSP backup unit.

config system cluster-sync edit 0 set slave-add-ike-routes {enable | disable}

end

Enable to add IKE routes to the backup unit, disable if the IKE routes should not be added to the backup unit.

High Availability (5.6)

VRRP support for synchronizing firewall VIPs and IP Pools (0397824)

FortiOS VRRP HA now supports failover of firewall VIPs and IP Pools when the status of a virtual router (VR) changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each VR’s Virtual MAC (VMAC). After failover, the IP Ranges added to the new primary VR will be routed to the new primary VR`s VMAC.

Use the following command to add a proxy ARP address range and a single IP address to a VR added to a FortiGate`s port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP Pools added to the port5 interface:

config system interface edit port5 config vrrp edit 1 config proxy-arp edit 1 set ip 192.168.62.100-192.168.62.200

next edit 2 set ip 192.168.62.225 end

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.