Category Archives: FortiOS 5.4 Best Practices

FGSP now supports synchronizing IPsec sessions

High Availability FortiOS 5.4 Before You Begin

So, a lot of people are starting to deploy HA clusters of Fortinet hardware which is awesome. There are however some things you will want to consider before doing so. Here is a drill down from the Fortinet HA for FortiOS 5.4 Administration document.

Before you begin

Before you begin using this guide, take a moment to note the following:

If you enable virtual domains (VDOMs), HA is configured globally for the entire FortiGate unit and the configuration is called virtual clustering.
This HA guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
The configuration examples show steps for both the web-based manager (GUI) and the CLI. At this stage, the following installation and configuration conditions are assumed:
You have two or more FortiGate units of the same model available for configuring and connecting to form an HA cluster. You have a copy of the QuickStart Guide for the FortiGate units.
You have administrative access to the web-based manager and CLI.

Many of the configuration examples in this document begin FortiGates unit configured with the factory default configuration. This is optional, but may make the examples easier to follow. As well, you do not need to have installed the FortiGate units on your network before using the examples in this document.

Before you set up a cluster

Before you set up a cluster ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster. Do all the FortiGate units have the same hardware configuration? Including the same hard disk configuration and the same optional components installed in the same slots?

1. Do all FortiGate units have the same firmware build?

2. Are all FortiGate units set to the same operating mode (NAT or Transparent)?

3. Are all the FortiGate units operating in the same VDOM mode?

4. If the FortiGate units are operating in multiple VDOM mode do they all have the same VDOM configuration?

Report Grouping – FortiAnalyzer 5.4

Report grouping

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Report grouping can reduce the number of hcache tables and improve auto-hcache completion time and report completion time.

Step 1: Configure report grouping

To group reports whose titles contain the string Security_Report and are grouped by device ID and VDOM, enter the following CLI commands:

config system report group
edit 0
set adom root
config group-by
edit devid next edit
vd next

end

set report-like Security_Report

end Notes:

The report-like field is the name pattern of the report that will utilize the report-group This string is case-sensitive.
The group-by value controls how cache tables are grouped.
To see a listing of reports and which ones have been included in the grouping, enter the following CLI command:

execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command:

diagnose sql rebuild-report-hcache <start-time> <end-time>

Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.

Step 3: Perform an hcache-check for a given report

Perform an hcache-check for a given report to ensure that the hcache tables exactly match the start and end time frame for the report time period. Enter the following CLI command:

execute sql-report hcache-check <adom> <report_id> <start-time> <end-time>

If you do not run this command, the first report in the report group will take a little longer to run. All subsequent reports in that group will run optimally.

Fortinet GURU

FortiGate Guides and MORE!