I. Management requirements
In an HA cluster every cluster member carries identical configuration, so a management IP only ever reaches the master unit; there is no way to manage each slave unit individually by IP. At the same time, for the security of production traffic, the management network needs to be separated from the business network. That separation covers management access itself, syslog, SNMP, RADIUS and similar traffic,
and also DNS and FortiGuard updates, which should likewise go out through the management port. An HA reserved management interface cannot fully meet these requirements, so the final answer is a dedicated management VDOM.
II. Network topology

III. Configuration overview
1. Basic HA configuration
2. Basic LAN/WAN Internet access
3. The HA dedicated management VDOM
4. Syslog, SNMP and FortiManager on the firewall
IV. Procedure
1. Basic HA configuration
When a firewall is first set up you can log in through its mgmt port; the default management IP of the mgmt port is normally 192.168.1.99, so the first step is to log in through that IP, or to manage the firewall over the console port. For the default management interface and its IP on a specific model, see
https://docs.fortinet.com/product/fortigate/hardware and https://docs.fortinet.com/document/fortigate/hardware/fortigate-quickstart-guide-high-end?model=all
For example, the FGT1500D:
https://docs.fortinet.com/document/fortigate/hardware/fortigate-1500d-information-supplement?model=all

Log in to the factory-fresh firewalls as described above. First log in to the master firewall and enter its basic HA configuration, then log in to the slave firewall and enter its basic HA configuration.
Configure HA on the master and on the slave separately: set the master's priority to 150 and leave the slave at the default of 120; configure the HA cluster group name and password; monitor the business interfaces wan1 and port1; and interconnect the two units through the HA1 and HA2 interfaces. Once both sides are configured, cable ha1 and ha2 back to back; the HA election runs, the FGT with the higher priority of 150 becomes the master and the FGT with priority 120 becomes the slave. The slave then synchronizes its configuration from the master so that the two are identical, and from that point the slave can no longer be reached by web or SSH, only by console. Until the HA dedicated management VDOM is configured, all operations and configuration are done on the master through its GUI, SSH or console.
HA GUI configuration on master and slave:
HA CLI configuration on master and slave:
FGT101E_Master_379 # config system ha
FGT101E_Master_379 (ha) # show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC qFCIFxyvcDoECk2Ysw2kMkrRd8Mrn8loJ2pHGXvs59vKg6hXAAnLZsasIa/Icht5CTdtlUmA2yXAfJAfwa3EgR4JSnzpfbL451HgDGoAT7rzPB8YgTU7KHiQSMgu4ShEZI1YVFD0bYQ3RxM4gW/2gzmvJWNDuDNfjwQXkTnAMTeWYLlNwTbLowPjTJZRjZKgiqJ8vw==
set hbdev "ha2" 50 "ha1" 50
set session-pickup enable
set override disable
set priority 150
set monitor "port1" "wan1"
end
FGT101E_Slave_045 # config system ha
FGT101E_Slave_045 (ha) # show
config system ha
set group-name "FGT-101E"
set mode a-p
set password ENC ZR+owfGtfZ/JmdqLcPi2QI6q8oZHUQFq0iF9esgd8Dzx1wUO8InUODuF+NX0A2R7Rmuh0t4QcCuLX6zh8+1ScAOD5zKOts0dm/YKBeShMJYNkQZGCAWGdbnNG2CgBevJ3Izq4qnSZcEdMytJybEMqXjiaqGffuGnHamqZa18v/0vH/1SQx4J0sKm9D6fGa90b1ClmQ==
set hbdev "ha2" 50 "ha1" 50
set session-pickup enable
set override disable
set priority 120
set monitor "port1" "wan1"
end
After both units are configured, cable the ha1 and ha2 heartbeat links directly; HA runs its election and the result is as follows:
FGT101E_Master_379 # diagnose sys ha status
HA information
Statistics
traffic.local = s:0 p:576052 b:153225536
traffic.total = s:0 p:575650 b:153242567
activity.fdb = c:0 q:0
Model=100, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0
[Debug_Zone HA information]
HA group member information: is_manage_master=1.
FG101E4Q17000379: Master, serialno_prio=0, usr_priority=150, hostname=FGT101E_Master_379
FG101E4Q17000045: Slave, serialno_prio=1, usr_priority=120, hostname=FGT101E_Slave_045
[Kernel HA information]
vcluster 1, state=work, master_ip=169.254.0.1, master_id=0:
FG101E4Q17000379: Master, ha_prio/o_ha_prio=0/0
FG101E4Q17000045: Slave, ha_prio/o_ha_prio=1/1
FGT101E_Master_379 #
Any of these three commands shows the HA election result and HA status:
# diagnose sys ha status
# get system status
# get system ha status
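As an added example (not part of the original guide or any Fortinet tool), the following Python parses the member lines of "diagnose sys ha status" and checks that the election came out as intended: exactly one Master, the Master is the highest-priority unit, and no two units share a priority. The sample text is constructed from the output shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the member lines from the page's "diagnose sys ha status" output.
HA_STATUS = """\
HA group member information: is_manage_master=1.
FG101E4Q17000379: Master, serialno_prio=0, usr_priority=150, hostname=FGT101E_Master_379
FG101E4Q17000045: Slave, serialno_prio=1, usr_priority=120, hostname=FGT101E_Slave_045
[Kernel HA information]
"""

MEMBER_RE = re.compile(
    r"^(?P<serial>\w+): (?P<role>Master|Slave), serialno_prio=\d+, "
    r"usr_priority=(?P<prio>\d+), hostname=(?P<host>\S+)$",
    re.MULTILINE,
)


@dataclass
class Member:
    serial: str
    role: str
    priority: int
    hostname: str


def parse_members(status_text):
    """Extract the cluster members from 'diagnose sys ha status' output."""
    return [Member(m["serial"], m["role"], int(m["prio"]), m["host"])
            for m in MEMBER_RE.finditer(status_text)]


def check_election(members):
    """Return (ok, findings) for the election result.

    Findings are things an operator should look at: no or several masters,
    a master that is not the highest-priority unit, or duplicate priorities.
    With 'set override disable' a lower-priority unit can legitimately stay
    master after a failback, so that finding is a prompt to verify, not an error.
    """
    findings = []
    masters = [m for m in members if m.role == "Master"]
    if len(masters) != 1:
        return False, [f"expected exactly one Master, found {len(masters)}"]
    master = masters[0]
    best = max(members, key=lambda m: m.priority)
    if master.priority < best.priority:
        findings.append(f"{master.hostname} is Master with priority {master.priority} "
                        f"but {best.hostname} has priority {best.priority}")
    prios = [m.priority for m in members]
    if len(set(prios)) != len(prios):
        findings.append("duplicate usr_priority values; election falls back to serial number")
    return not findings, findings
```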
Viewing the HA election result and status in the GUI:
2. Basic LAN/WAN Internet access
This step is the ordinary base configuration for Internet access: set the interface IPs, a default route and a firewall policy, and the firewall passes traffic. It is not covered in detail; only the screenshots and CLI are given. (All configuration is done on the master; the slave cannot be logged into at this point.)
Configure the interface IPs:
Configure the default route:
Configure the Internet access policy:
CLI for Internet access:
config system interface
edit "port1"
set ip 192.168.10.1 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "LAN"
next
edit "wan1"
set ip 202.100.1.21 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "WAN1_Unicom"
next
end
config router static
edit 1
set gateway 202.100.1.192
set distance 1
set device "wan1"
next
end
config firewall policy
edit 1
set name "TO_Internet"
set srcintf "port1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "default"
set application-list "default"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
3. The HA dedicated management VDOM
First enable the VDOM feature (configured on the master; synchronized automatically to the slave):
FGT101E_Master_379 # config system global
FGT101E_Master_379 (global) # set vdom-admin enable
FGT101E_Master_379 (global) # end
You will be logged out for the operation to take effect
Do you want to continue? (y/n)y
Auto backup config ...
exit
FGT101E_Master_379 login:
FGT101E_Master_379 login: admin
Password: ********
Welcome !
FGT101E_Master_379 #
Create the new dedicated management VDOM named MGMT (configured on the master; synchronized automatically to the slave):
Creating the MGMT VDOM in the GUI:
Creating the MGMT VDOM on the CLI:
FGT101E_Master_379 # config vdom
FGT101E_Master_379 (vdom) # edit MGMT
FGT101E_Master_379 (MGMt) # end
FGT101E_Master_379 #
Make the dedicated MGMT VDOM the management VDOM (CLI only):
FGT101E_Master_379 (vdom) # end
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # config system global
FGT101E_Master_379 (global) # set management-vdom
<string> please input string value
MGMT vdom
root vdom
FGT101E_Master_379 (global) # set management-vdom MGMT \\ make MGMT the management VDOM: FortiGuard, DNS, NTP and other outbound updates are then initiated from the MGMT VDOM, which acts as the management VDOM
FGT101E_Master_379 (global) # end
FGT101E_Master_379 (global) # end
In the HA settings, designate MGMT as the standalone management VDOM:
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # config system ha
FGT101E_Master_379 (ha) # set standalone-mgmt-vdom enable \\ (this HA setting is synchronized; configured on the master it is pushed to the slave automatically) the standalone management VDOM also has to be enabled within HA
FGT101E_Master_379 (ha) # end
FGT101E_Master_379 (global) # config system ha
FGT101E_Master_379 (ha) # show
config system ha
set group-id 30
set group-name "FGT-101E"
set mode a-p
set password ENC 6NEF2ju60YG/UTJdCcPb/zuCvcqAvBz6nSfBihvkRE0ORog3e8XvP8RU1RLEYaFoBm07Z5aEAS0QitmhXuCJK+V1FYkTk9YcVOazbmJI4+H61xkzNhYM35Pf3ecCfkkY//UPUG/kfhZJTROkuSoWkqKDrvKIgnWwFquGq+uz/tTqFAtYu4O4/ECh3oQuKPSGHLThAg==
set hbdev "ha2" 50 "ha1" 50
set session-pickup enable
set standalone-mgmt-vdom enable
set override disable
set priority 150
set monitor "port1" "wan1" "wan2"
end
FGT101E_Master_379 (ha) # end
FGT101E_Master_379 (global) # end
Move the mgmt interface into the MGMT VDOM and give it a management IP and a default route:
GUI procedure:
First configure the master firewall's mgmt interface:
CLI procedure:
Put mgmt into VDOM MGMT and set the management IP address:
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # config system interface
FGT101E_Master_379 (interface) # edit mgmt
FGT101E_Master_379 (mgmt) # set vdom MGMT
FGT101E_Master_379 (mgmt) # set ip 192.168.91.21/24
FGT101E_Master_379 (mgmt) # set alias "HA_Dedicated_MGMT"
FGT101E_Master_379 (mgmt) # show
config system interface
edit "mgmt"
set vdom "MGMT"
set ip 192.168.91.21 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "HA_Dedicated_MGMT"
set role lan
set snmp-index 2
next
end
FGT101E_Master_379 (mgmt) # end
FGT101E_Master_379 (global) # end
FGT101E_Master_379 #
Configure the default route:
FGT101E_Master_379 # config vdom
FGT101E_Master_379 (vdom) # edit MGMT
current vf=MGMT:1
FGT101E_Master_379 (MGMT) # config router static
FGT101E_Master_379 (static) #
FGT101E_Master_379 (static) # edit 0
new entry '0' added
FGT101E_Master_379 (0) # set gateway 192.168.91.254
FGT101E_Master_379 (0) # set device mgmt
FGT101E_Master_379 (0) # show
config router static
edit 1
set gateway 192.168.91.254
set device "mgmt"
next
end
FGT101E_Master_379 (0) # end
FGT101E_Master_379 (MGMT) #
FGT101E_Master_379 (MGMT) # execute ping 192.168.91.254
PING 192.168.91.254 (192.168.91.254): 56 data bytes
64 bytes from 192.168.91.254: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 192.168.91.254: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.168.91.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
FGT101E_Master_379 (MGMT) #
FGT101E_Master_379 (MGMT) # end
FGT101E_Master_379 #
The master is done.
At this point the slave cannot be reached by web or SSH; you have to get to its CLI from the master's CLI (or over a console cable):
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # execute ha manage
<id> please input peer box index.
<1> Subsidary unit FG101E4Q17000045
FGT101E_Master_379 (global) # execute ha manage 1 \\ log in from the master to the slave's CLI
FGT101E_Slave_045 login: admin
Password: ********
Welcome !
FGT101E_Slave_045 $
FGT101E_Slave_045 $
The slave automatically synchronizes the VDOM and the move of mgmt into MGMT (if synchronization does not work properly, reboot the slave and wait for the sync to complete before continuing). Configuration inside the standalone MGMT VDOM, however, is not synchronized, so all that remains is to set the slave's own mgmt interface IP and route:
FGT101E_Slave_045 $ config vdom
FGT101E_Slave_045 (vdom) $ edit MGMT
current vf=MGMT:1
FGT101E_Slave_045 (MGMT) $ config system interface
FGT101E_Slave_045 (interface) $ edit mgmt
FGT101E_Slave_045 (mgmt) $ set ip 192.168.91.22/24
FGT101E_Slave_045 (mgmt) $ set allowaccess https http ping ssh
FGT101E_Slave_045 (mgmt) $ set alias "HA_Dedicated_MGMT"
FGT101E_Slave_045 (mgmt) $ show
config system interface
edit "mgmt"
set vdom "MGMT"
set ip 192.168.91.22 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "HA_Dedicated_MGMT"
set role lan
set snmp-index 2
next
end
FGT101E_Slave_045 (mgmt) $ end
FGT101E_Slave_045 (MGMT) $ config router static
FGT101E_Slave_045 (static) $ edit 0
new entry '0' added
FGT101E_Slave_045 (0) $ set device mgmt
FGT101E_Slave_045 (0) $ set gateway 192.168.91.254
FGT101E_Slave_045 (0) $ end
FGT101E_Slave_045 (MGMT) $ execute ping 192.168.91.254
PING 192.168.91.254 (192.168.91.254): 56 data bytes
64 bytes from 192.168.91.254: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 192.168.91.254: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.91.254: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.168.91.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
FGT101E_Slave_045 (MGMT) $ end
FGT101E_Slave_045 $
FGT101E_Slave_045 $ exit
Auto backup config ...
FGT101E_Master_379 (global) #
FGT101E_Master_379 (global) #
The slave is done as well.
Now you can log in to the slave's GUI and view its configuration:
The master and slave can now be managed separately at 192.168.91.21 and 192.168.91.22.
Verifying the effect of the HA dedicated management VDOM:
Managing the master through the dedicated VDOM's mgmt IP 192.168.91.21.

Managing the slave through the dedicated VDOM's mgmt IP 192.168.91.22.
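Because the MGMT VDOM is not synchronized, each unit's mgmt settings are entered by hand and can drift. As an added example (not from the original guide or Fortinet), this Python parses the "show" output of the mgmt interface from both units and checks that both sit in VDOM MGMT, have distinct IPs in one subnet, and can reach the gateway configured in the VDOM's default route. The interface blocks and gateway are constructed from the values on this page.

```python
import ipaddress
import shlex

# Constructed samples: the 'show' output of the mgmt interface on each unit, as on the page.
MASTER_MGMT = """\
config system interface
    edit "mgmt"
        set vdom "MGMT"
        set ip 192.168.91.21 255.255.255.0
        set allowaccess ping https ssh http
        set alias "HA_Dedicated_MGMT"
    next
end
"""
SLAVE_MGMT = MASTER_MGMT.replace("192.168.91.21", "192.168.91.22")
GATEWAY = "192.168.91.254"  # default route configured inside VDOM MGMT on both units


def parse_set_lines(block):
    """Collect the 'set <key> <values...>' lines of one FortiOS object into a dict."""
    cfg = {}
    for line in block.splitlines():
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0] == "set":
            cfg[parts[1]] = parts[2:]
    return cfg


def check_dedicated_mgmt(units, gateway):
    """units: {hostname: mgmt interface block}. Returns findings; empty means consistent."""
    findings = []
    ifaces = {}
    for host, block in units.items():
        cfg = parse_set_lines(block)
        if cfg.get("vdom") != ["MGMT"]:
            findings.append(f"{host}: mgmt interface is not in VDOM MGMT")
        if "ip" not in cfg:
            findings.append(f"{host}: mgmt has no IP (MGMT VDOM config is not synced)")
            continue
        ip, mask = cfg["ip"]
        ifaces[host] = ipaddress.ip_interface(f"{ip}/{mask}")
    addrs = [i.ip for i in ifaces.values()]
    if len(set(addrs)) != len(addrs):
        findings.append("units share one mgmt IP; each unit needs its own address")
    nets = {i.network for i in ifaces.values()}
    if len(nets) > 1:
        findings.append(f"mgmt interfaces are in different subnets: {sorted(map(str, nets))}")
    gw = ipaddress.ip_address(gateway)
    for host, iface in ifaces.items():
        if gw not in iface.network:
            findings.append(f"{host}: gateway {gateway} is not on {iface.network}")
    return findings
```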

4. Syslog, SNMP and FortiManager on the firewall
Sending syslog:
Configuring syslog and other management traffic originated by the unit itself:
By default, MGMT and root inherit the global syslog settings:
Corresponding CLI:
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) #
FGT101E_Master_379 (global) # config log syslogd setting
FGT101E_Master_379 (setting) #
FGT101E_Master_379 (setting) # show
config log syslogd setting
set status enable
set server "192.168.91.115"
end
FGT101E_Master_379 (setting) # end
FGT101E_Master_379 (global) # end
FGT101E_Master_379 #
Both master and slave send their syslog through the dedicated management VDOM's mgmt interface, from 192.168.91.21 and 192.168.91.22 respectively:
FGT101E_Master_379 (MGMT) # diagnose sniffer packet any "port 514" 4
interfaces=[any]
filters=[port 514]
0.742199 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 571
0.742290 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 741
7.326997 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 566
9.896881 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 435
11.968832 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 736
FGT101E_Slave_045 (MGMT) # diagnose sniffer packet any "port 514" 4
interfaces=[any]
filters=[port 514]
2.756374 mgmt out 192.168.91.22.11695 -> 192.168.91.115.514: udp 319
5.996477 mgmt out 192.168.91.22.11695 -> 192.168.91.115.514: udp 476
10.768830 mgmt out 192.168.91.22.11695 -> 192.168.91.115.514: udp 455
15.270956 mgmt out 192.168.91.22.11695 -> 192.168.91.115.514: udp 476
SNMP configuration:
Enable SNMP on the mgmt interface inside VDOM MGMT. This must be done on both master and slave, because configuration inside VDOM MGMT is not synchronized:
Then enable SNMP globally (global configuration is synchronized by HA):
Corresponding CLI:
FGT101E_Master_379 # config vdom
FGT101E_Master_379 (vdom) # edit MGMT
current vf=MGMT:3
FGT101E_Master_379 (MGMT) # config system interface
FGT101E_Master_379 (interface) # edit mgmt
FGT101E_Master_379 (mgmt) # show
config system interface
edit "mgmt"
set vdom "MGMT"
set ip 192.168.91.21 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type physical
set alias "HA_Dedicated_MGMT"
set role lan
set snmp-index 2
next
end
FGT101E_Master_379 (mgmt) # end
FGT101E_Master_379 (MGMT) # end
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # config system snmp community
FGT101E_Master_379 (community) # show
config system snmp community
edit 1
set name "public"
config hosts
edit 1
set ip 192.168.10.125 255.255.255.255
next
edit 2
next
end
next
end
FGT101E_Master_379 (community) # end
FGT101E_Master_379 (global) # config system snmp sysinfo
FGT101E_Master_379 (sysinfo) # show
config system snmp sysinfo
set status enable
set description "FGT101E"
set contact-info "support_cn@fortinet.com"
set location "BEIJING"
end
FGT101E_Master_379 (sysinfo) # end
FGT101E_Master_379 (global) # end
FGT101E_Master_379 #
FGT101E_Master_379 (MGMT) # dia sniff pa any "port 161 or port 162 and host 192.168.91.115" 4
interfaces=[any]
filters=[port 161 or port 162 and host 192.168.91.115]
13.000278 mgmt in 192.168.91.115.4783 -> 192.168.91.21.161: udp 40
13.000937 mgmt out 192.168.91.21.161 -> 192.168.91.115.4783: udp 45
FGT101E_Slave_045 (MGMT) # dia sniff pa any "port 161 or port 162 and host 192.168.91.115" 4
interfaces=[any]
filters=[port 161 or port 162 and host 192.168.91.115]
7.749979 mgmt in 192.168.91.115.1257 -> 192.168.91.22.161: udp 40
7.750645 mgmt out 192.168.91.22.161 -> 192.168.91.115.1257: udp 44
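The sniffer output for syslog and for SNMP above is the evidence that management traffic really leaves through mgmt in the MGMT VDOM. As an added example (not from the original guide or Fortinet), this Python parses "diagnose sniffer packet ... 4" lines and reports any syslog or SNMP packet that did not use the mgmt interface and the 192.168.91.0/24 management subnet; the sample is constructed from the page's lines plus one invented leak through port1.

```python
import ipaddress
import re

# Constructed sample: sniffer lines from the page (syslog and SNMP via mgmt) plus one
# invented line showing syslog leaving through the business interface port1 instead.
SNIFFER = """\
interfaces=[any]
0.742199 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 571
7.326997 mgmt out 192.168.91.21.18954 -> 192.168.91.115.514: udp 566
13.000278 mgmt in 192.168.91.115.4783 -> 192.168.91.21.161: udp 40
13.000937 mgmt out 192.168.91.21.161 -> 192.168.91.115.4783: udp 45
20.100000 port1 out 192.168.10.1.20000 -> 192.168.91.115.514: udp 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+) (?P<len>\d+)$"
)
MGMT_NET = ipaddress.ip_network("192.168.91.0/24")
MGMT_PORTS = {514, 161, 162}  # syslog, SNMP get/set, SNMP trap


def parse_sniffer(text):
    """Parse 'diagnose sniffer packet ... 4' lines into dicts; header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "len"):
                d[key] = int(d[key])
            pkts.append(d)
    return pkts


def find_leaks(text, mgmt_iface="mgmt", mgmt_net=MGMT_NET, ports=MGMT_PORTS):
    """Return management packets that did not use the dedicated mgmt interface and subnet."""
    leaks = []
    for p in parse_sniffer(text):
        if p["sport"] not in ports and p["dport"] not in ports:
            continue  # not syslog/SNMP, out of scope
        local_ip = p["src"] if p["dir"] == "out" else p["dst"]  # the firewall's own address
        if p["iface"] != mgmt_iface or ipaddress.ip_address(local_ip) not in mgmt_net:
            leaks.append(p)
    return leaks
```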
SNMP trap sent on an HA failover:
FortiManager management (the device can only be added through a business interface):
When the firewall reaches out to the FMG, the traffic still goes through the business interface in root to connect to the FMG, not through mgmt in the dedicated management VDOM:
Corresponding CLI:
FGT101E_Master_379 # config vdom
FGT101E_Master_379 (vdom) # edit root
current vf=root:0
FGT101E_Master_379 (root) # config system interface
FGT101E_Master_379 (interface) # edit port1
FGT101E_Master_379 (port1) # show
config system interface
edit "port1"
set allowaccess ping https ssh snmp http fgfm
next
end
FGT101E_Master_379 (port1) # end
FGT101E_Master_379 (root) # end
FGT101E_Master_379 #
FGT101E_Master_379 # config global
FGT101E_Master_379 (global) # config system central-management
FGT101E_Master_379 (central-management) # show
config system central-management
set type fortimanager
set fmg "192.168.147.250"
end
FGT101E_Master_379 (central-management) # end
FGT101E_Master_379 (global) # end
FGT101E_Master_379 #
Alternatively, the FMG can add the FGT itself:
If the FGT registers with the FMG on its own, the FMG shows an unregistered-device prompt:
Simply add the device in the FMG's Device Manager:
For FMG it is still recommended to manage through a business interface; the dedicated management port or dedicated management VDOM cannot be used. To FMG an HA cluster is a single device, so a fixed IP address for managing the FGT fits better and effectively avoids the FGT-to-FMG tunnel being interrupted when an HA failover occurs.
At this point all SNMP/RADIUS/syslog/DNS/FortiGuard traffic goes through the MGMT VDOM, fully independent of the root business VDOM: management is management and business is business. This is the final solution for HA dedicated management.
Final notes:
When FortiManager manages an HA cluster it can only do so through a business interface, not through the dedicated management port or the dedicated management VDOM.