
Deployment Guide

May-2019 rev. a

FortiGate-VM HA Deployment Guide for AVX Series Network Functions Platform
Table of Contents

Table of Contents (p. 1)
1. Introduction (p. 2)
2. Prerequisites (p. 3)
2.1. Array Networks AVX Network Functions Platform (p. 3)
2.2. Fortinet FortiGate-VM Instances (p. 3)
3. Network Topology (p. 4)
4. Configuring AVX1 (p. 5)
5. Deploying the FortiGate-VM instance on AVX1 (p. 6)
5.1. Obtain the Image of the FortiGate-VM (p. 6)
5.2. Import the Image to the AVX Appliance (p. 6)
5.3. Create a VA instance with the Image on the AVX Appliance (p. 6)
5.4. Assign Virtual Traffic Ports to the VA Instance (p. 7)
5.5. Start the VA Instance (p. 8)
6. Configuring the FortiGate-VM Instance on AVX1 (p. 9)
7. Configuring AVX2 (p. 12)
8. Deploying the FortiGate-VM Instance on AVX2 (p. 13)
9. Configuring the FortiGate-VM Instance on AVX2 (p. 14)
10. Verifying the FortiGate-VM HA on AVX Configuration (p. 16)

©2019 Array Networks, Inc. All Rights Reserved. 1


1. Introduction
Array Networks AVX Series network functions platforms host multiple Array and 3rd-party virtual
appliances, providing the agility of cloud and virtualization with the guaranteed performance of dedicated
appliances.

Array's AVX Series network functions platform hosts up to 32 fully independent virtual appliances (VAs),
including Array load balancing, SSL VPN and WAF as well as 3rd-party VAs from leading networking and
security vendors. Designed with managed service providers and enterprises in mind, the AVX Series
enables data center consolidation without sacrificing the agility of cloud and virtualization or the
performance of dedicated appliances. Uniquely capable of assigning dedicated CPU, SSL, memory and
interface resources per VA, the AVX Series network functions platform is the only solution to deliver
guaranteed performance in shared environments.

A firewall is a network security device that monitors incoming and outgoing network traffic and determines
whether to allow or block specific traffic based on a defined set of security rules. A firewall sandwich is a
deployment in which multiple firewalls are sandwiched between a pair of load balancers to improve
availability, scalability, and manageability across the IT infrastructure.

The following sections will describe the steps required to deploy a Fortinet FortiGate-VM HA (High
Availability) on the AVX Series network functions platform.

The Fortinet FortiGate-VM (Virtual Machine) is a Next-Generation Firewall that offers flexible deployments
from the network edge to the core, data center, internal segment, and the cloud. FortiGate-VM firewalls
deliver scalable performance for advanced security services such as threat protection and SSL inspection,
with ultra-low latency for protecting internal segments and mission-critical environments. For the purposes of
this deployment guide, the FortiGate-VM is deployed on the AVX as a VA instance.

2. Prerequisites
This deployment guide requires the following hardware and software products.

2.1. Array Networks AVX Network Functions Platform


• Two AVX Series network functions platforms (x600 or x800 models) running ArrayOS version 2.7.0.34
or later

The AVX appliance can be purchased from Array Networks or authorized resellers. For more information
on deploying the AVX appliance, please refer to the AVX Web UI Guide, which is accessible through the
product's Web User Interface.

2.2. Fortinet FortiGate-VM Instances


• Two FortiGate-VM (VM02, VM04 or VM08) instances running version 6.0.2 or later for the KVM
hypervisor. One FortiGate-VM instance will be deployed on each AVX platform. Ensure the AVX
platforms have enough hardware resources to support the FortiGate-VM instances.

The FortiGate-VM instances may be purchased from Fortinet or a reseller. For more information on
deploying the FortiGate-VM instances for KVM, please visit https://www.fortinet.com.

Note: Assuming you have all these components, it should roughly take 90-120 minutes to complete the
entire configuration in this deployment guide.



3. Network Topology
Figure 1 shows a detailed configuration of the FortiGate-VM HA on AVX deployment.

Figure 1 – Deployment Details

In this deployment, there is one FortiGate-VM instance running on each of the AVX platforms. The
FortiGate-VM instances will have identical IP configuration on the ingress (port3) and egress (port4)
interfaces. Port3 and port4 are the traffic ports and both use the SR-IOV ports. The HA heartbeat uses
port1. Port1 is a virtual port on the virtual switch. The virtual switch is bound to an SR-IOV port for
external communication.

Typical Traffic Flow: Inbound

The client machine is running CentOS and the Web Server is running CentOS, both external to the AVX
platforms. The two CentOS machines are required only to validate the design.

The client (top) sends web requests to the CentOS web server (bottom) through the FortiGate-VM
instance. If the master/active FortiGate-VM instance fails, the standby FortiGate-VM instance takes over
as the master/active FortiGate-VM. If the original master/active FortiGate-VM instance becomes active
again, it resumes ownership as the master/active instance.



4. Configuring AVX1
To configure the first AVX appliance, follow these steps:

1. Log in to the AVX console using the default credentials.

Login: array

Password: admin

2. Type "enable" and press the <Enter> key twice to enter enable mode. No password is required.

AN>enable

Enable password:

AN#

3. Type "config terminal" to enter config mode.

AN#config terminal

AN(config)#

4. Change the hostname to AVX1.

AN(config)#hostname AVX1

AVX1(config)#

5. Configure the IP address and default gateway for the management port.

AVX1(config)#ip address 10.10.152.171 255.255.255.0 (use your own IP)

AVX1(config)#ip route default 10.10.152.1 (use your own gateway IP)

6. Enable WebUI.

AVX1(config)#webui on

7. Save changes.

AVX1(config)#write memory

You may now access the AVX1 appliance using the WebUI at https://<IP>:8888. In this example,
https://10.10.152.171:8888.



5. Deploying the FortiGate-VM instance on AVX1
To deploy the FortiGate-VM instance on the AVX appliance, follow these steps:

1. Obtain the image of the FortiGate-VM

2. Import the image to the AVX appliance

3. Create a VA instance with the image on the AVX appliance

4. Assign virtual traffic ports to the VA instance

5. Start the VA instance

Licenses are required for each VA instance. Please contact Fortinet to obtain licenses.

5.1. Obtain the Image of the FortiGate-VM


Before deploying a FortiGate-VM, please contact Fortinet to obtain the KVM image. KVM images can be
directly uploaded to the AVX. Please consult the AVX Application Guide or AVX CLI Handbook for
additional instructions on how to upload and create a VA instance.

5.2. Import the Image to the AVX Appliance


On the AVX WebUI, navigate to VA Management > VA Image to upload the FortiGate-VM image.

5.3. Create a VA instance with the Image on the AVX Appliance


On the AVX WebUI, navigate to VA Management > VA to create the VA instance using the FortiGate-VM
image.

1. Create a FortiGate-VM VA instance named FG-1. Select the VA size to match the FortiGate-VM
instance size you are installing (see table below).

FortiGate VM Version    Recommended AVX Instance Size
FortiGate VM02          Small (2 vCPUs, 4G RAM/Instance)
FortiGate VM04          Medium (4 vCPUs, 8G RAM/Instance)
FortiGate VM08          Large (8 vCPUs, 16G RAM/Instance)



2. Configure two traffic ports using the SR-IOV ports. Select the Manual option.

3. Confirm the VA Instance Configuration.

4. Click on Save. Navigate to VA Management > VA to view your newly created VA instance.

5.4. Assign Virtual Traffic Ports to the VA Instance


In this deployment, the AVX platform’s built-in virtual switch will be used for the High Availability (HA)
heartbeat. The virtual switch will be bound to an SR-IOV port to interconnect to the other AVX. On the
AVX WebUI, navigate to Platform > Network > Virtual Switch to create virtual switches.

1. Create a Virtual Switch named vsw1 and attach the FG-1 VA instance. Assign the Virtual Port Name
to vport1.



2. Click on Save.

3. Click on the General Settings tab and toggle the Binding Interface. Select an available SR-IOV port
for binding. In our example, port3 is selected.

4. Click Apply Changes.

5. Confirm the interfaces are correct for FG-1 by navigating to VA Management > VA and selecting FG-1.

You should see one management port, two SR-IOV traffic ports and a virtual port.

5.5. Start the VA Instance


On the AVX WebUI, navigate to VA Management > VA to start the VA instance.

1. Locate the VA instance named FG-1 and click on the start symbol under the Action column to start the
VA instance.



6. Configuring the FortiGate-VM Instance on AVX1
To configure the FortiGate-VM VA instance on AVX1, follow these steps:

1. Log in to the FG-1 console with the username "admin". You can use the AVX WebUI VA console or
the AVX VA console option. By default, there is no password; just press Enter.

2. The AVX ports do not map one-to-one to the ports on the FortiGate-VM instance. Confirm the port
numbering and MAC addresses using the "get hardware nic portX" command on the FG-1 console before
assigning addresses, so that the management, ingress and egress roles land on the intended ports.

3. Configure the network settings (management = port2, ingress = port3, egress = port4) as follows:

config system interface
    edit "port2"
        set ip 10.10.152.123 255.255.255.0    (use your own IP address)
        set allowaccess ping https ssh http fgfm
    next
    edit "port3"
        set ip 192.168.1.51 255.255.255.0     (use your own IP address)
        set allowaccess ping https ssh http fgfm
    next
    edit "port4"
        set ip 192.168.2.51 255.255.255.0     (use your own IP address)
        set allowaccess ping https ssh http fgfm
end

4. Configure the network gateway as follows:

config router static
    edit 1
        set device "port2"
        set gateway 10.10.152.1               (use your own gateway IP)
end

5. Log in to the FG-1 WebUI with the default admin credentials.

6. Apply a valid FortiGate-VM license (from Fortinet) to proceed.

7. Log in again to the FG-1 WebUI and confirm the network settings for port2, port3 and port4.



8. Add the following Static Routes:

9. Configure the IPV4 Policy for port3 (WAN) to port4 (LAN) traffic as follows:

10. Configure the IPV4 Policy for port4 (LAN) to port3 (WAN) traffic as follows:



11. Configure HA by navigating to System > HA.

a. Mode = Active-Passive

b. Device priority = 250 (higher value to indicate the Master)

c. Group name = FG-HA (or name of your own choice)

d. Password (your own choice)

e. Heartbeat interfaces = port1

This FortiGate-VM will be the Master/Active device.

12. Click on OK. FG-1 on AVX1 is the first member and Master of the HA cluster.



7. Configuring AVX2
To configure the second AVX appliance, repeat the steps from section 4 Configuring AVX1; the only
differences are in steps 4 and 5:

4. Change hostname to AVX2.

AN(config)#hostname AVX2

AVX2(config)#

5. Configure IP address and default gateway for the management port.

AVX2(config)#ip address 10.10.152.172 255.255.255.0 (use your own IP)

AVX2(config)#ip route default 10.10.152.1 (use your own gateway IP)

After step 7 is completed, you may access the AVX2 appliance using the WebUI at https://<IP>:8888.
In our example, https://10.10.152.172:8888.



8. Deploying the FortiGate-VM Instance on AVX2
To deploy the FortiGate-VM instance on the second AVX appliance, AVX2, repeat the same steps from
section 5 Deploying the FortiGate-VM instance on AVX1.

Note that the AVX2 WebUI will have a different management IP address than AVX1.



9. Configuring the FortiGate-VM Instance on AVX2
To complete the FortiGate-VM configuration, repeat the steps from section 6 Configuring the
FortiGate-VM instance on AVX1; the only differences are in step 3 (the port2 address) and steps 11-12:

3. Configure the network settings (management = port2, ingress = port3, egress = port4) as follows:

config system interface
    edit "port2"
        set ip 10.10.152.124 255.255.255.0    (use your own IP)
        set allowaccess ping https ssh http fgfm
end

11. Configure HA by navigating to System > HA.

a. Mode = Active-Passive

b. Device priority = 50 (lower value than the Master 250)

c. Group name = (same name used for FG-1 on AVX1)

d. Password (your own choice)

e. Heartbeat interfaces = port1

This FortiGate-VM will be the Slave/Passive device.



12. Click on OK. The process takes a few minutes and you will lose connectivity to the WebUI. Log in
again to FG-1 on AVX1 to view the HA status. When complete, FG-1 on AVX2 is the second member and
Slave of the HA cluster.
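The HA settings in sections 6 and 9 are entered through the WebUI, and the two units differ only in the port2 address and the device priority. The following added example (not Array Networks or Fortinet code) captures that plan in one place: it cross-checks the two units against the rules the guide states (unique management address, identical port3/port4 addresses, different priorities, shared group name and password) and renders the equivalent FortiOS CLI for each unit. The CLI statements (`config system interface`, `config router static`, `config system ha` with `set mode a-p`, `set priority`, `set hbdev`) are standard FortiOS syntax; the addresses and names are the guide's example values and the password is a placeholder.

```python
"""Plan checker and FortiOS CLI renderer for the two-unit A-P pair.

Added example; not part of the guide. Values mirror the guide's example
addresses and are placeholders for a real deployment.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class FgUnit:
    """One FortiGate-VM VA instance (FG-1 on AVX1 or FG-1 on AVX2)."""
    label: str        # where the instance runs; used in messages only
    mgmt_ip: str      # port2: unique per unit
    ingress_ip: str   # port3: identical on both units
    egress_ip: str    # port4: identical on both units
    gateway: str      # default gateway reached through port2
    priority: int     # HA device priority; the higher value is the preferred master


@dataclass
class HaCluster:
    group_name: str
    password: str
    heartbeat_if: str = "port1"
    netmask: str = "255.255.255.0"
    allowaccess: str = "ping https ssh http fgfm"
    units: List[FgUnit] = field(default_factory=list)


# Constructed from the guide's example addresses (sections 6 and 9).
EXAMPLE_CLUSTER = HaCluster(
    group_name="FG-HA",
    password="change-me",  # placeholder: choose your own
    units=[
        FgUnit("FG-1 on AVX1", "10.10.152.123", "192.168.1.51", "192.168.2.51", "10.10.152.1", 250),
        FgUnit("FG-1 on AVX2", "10.10.152.124", "192.168.1.51", "192.168.2.51", "10.10.152.1", 50),
    ],
)


def check_cluster(cluster: HaCluster) -> List[str]:
    """Return the list of plan inconsistencies; an empty list means the pair
    matches what the guide requires for an A-P cluster across two AVX platforms."""
    problems = []
    if len(cluster.units) != 2:
        return ["exactly two units are expected for this A-P pair"]
    a, b = cluster.units
    if a.mgmt_ip == b.mgmt_ip:
        problems.append("management (port2) IPs must differ between units")
    if (a.ingress_ip, a.egress_ip) != (b.ingress_ip, b.egress_ip):
        problems.append("traffic (port3/port4) IPs must be identical on both units")
    if a.priority == b.priority:
        problems.append("device priorities must differ so one unit is the preferred master")
    if not cluster.group_name or not cluster.password:
        problems.append("HA group name and password must both be set")
    return problems


def preferred_master(cluster: HaCluster) -> FgUnit:
    """The unit with the highest device priority (250 beats 50 in the guide)."""
    return max(cluster.units, key=lambda u: u.priority)


def render_unit(cluster: HaCluster, unit: FgUnit) -> str:
    """Emit the FortiOS CLI corresponding to steps 3, 4 and 11 for one unit."""
    lines = ["config system interface"]
    for port, ip in (("port2", unit.mgmt_ip), ("port3", unit.ingress_ip), ("port4", unit.egress_ip)):
        lines += [
            f'    edit "{port}"',
            f"        set ip {ip} {cluster.netmask}",
            f"        set allowaccess {cluster.allowaccess}",
            "    next",
        ]
    lines += [
        "end",
        "config router static",
        "    edit 1",
        '        set device "port2"',
        f"        set gateway {unit.gateway}",
        "    next",
        "end",
        "config system ha",
        "    set mode a-p",
        f'    set group-name "{cluster.group_name}"',
        f'    set password "{cluster.password}"',
        f"    set priority {unit.priority}",
        f'    set hbdev "{cluster.heartbeat_if}" 50',
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = check_cluster(EXAMPLE_CLUSTER)
    print("plan OK" if not issues else "\n".join(issues))
    for u in EXAMPLE_CLUSTER.units:
        print(f"# ---- {u.label} ----")
        print(render_unit(EXAMPLE_CLUSTER, u))
```

Run the script after filling in your own addresses; fix anything `check_cluster()` reports before touching either unit, since a mismatched port3/port4 address or an equal priority is the kind of error that only shows up once the cluster has formed and traffic fails over.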



10. Verifying the FortiGate-VM HA on AVX Configuration
To test and verify that the FortiGate-VM HA on AVX configuration is working, simulate a failure of the
master (active) FortiGate-VM so that the slave (passive) FortiGate-VM takes over.

1. Log in to the console on both AVX1 and AVX2.

2. Log in to the FG-1 console on both AVX1 and AVX2.

3. Type "get system ha status" to obtain the HA status of the cluster.



Note that the Master is FGVM08TM19000909 on AVX1 (left-hand side) and the Slave is
FGVM08TM19000911 on AVX2 (right-hand side).

4. Now force a failure by rebooting the Master on AVX1 and checking the status on AVX2.

Note that the new Master is FGVM08TM19000911 on AVX2 (right-hand side).

5. When FGVM08TM19000909 on AVX1 (left-hand side) boots back up successfully, it resumes
ownership as the Master.
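Reading the two `get system ha status` screens by eye works for a one-off test, but a repeatable check is more useful when the failover test is rerun after every change. The following added example (not part of the guide) parses the status output captured before and after the reboot in steps 3 and 4 and confirms that the master role actually moved to the expected serial. The sample outputs are constructed to resemble FortiOS 6.0 output; only the serial numbers FGVM08TM19000909 and FGVM08TM19000911 come from the guide, and the parser relies solely on the role/serial lines and the health line because the surrounding fields vary between FortiOS versions. Whether the returning unit takes the master role back (step 5) is governed in FortiOS by the cluster's HA override setting, so the check below verifies only that the role moved during the forced failure.

```python
"""Verify an HA failover from captured 'get system ha status' output.

Added example; not part of the guide. Sample outputs are constructed and
only the two serial numbers are taken from the guide.
"""
import re

# Role lines in FortiOS 6.0 read "Master: <serial>, ..."; newer releases use
# "Primary"/"Secondary", so both spellings are accepted.
ROLE_RE = re.compile(r"^(Master|Slave|Primary|Secondary)\s*:\s*(FG[A-Z0-9]+)", re.M)
HEALTH_RE = re.compile(r"^HA Health Status:\s*(\S+)", re.M)

# Constructed sample for step 3: status before rebooting the master on AVX1.
BEFORE = """\
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 1:12:03
Master: FGVM08TM19000909, HA operating index = 0
Slave : FGVM08TM19000911, HA operating index = 1
"""

# Constructed sample for step 4: status seen on AVX2 while AVX1's unit reboots.
AFTER = """\
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 1:14:41
Master: FGVM08TM19000911, HA operating index = 0
"""


def parse_ha_status(text):
    """Return the health flag, the master serial and all member serials."""
    roles = ROLE_RE.findall(text)
    master = next((serial for role, serial in roles if role in ("Master", "Primary")), None)
    health = HEALTH_RE.search(text)
    return {
        "healthy": bool(health and health.group(1) == "OK"),
        "master": master,
        "members": [serial for _, serial in roles],
    }


def failover_ok(before, after, expected_new_master):
    """Compare two captures and report whether the master role moved as planned.

    Returns (ok, message). The 'before' capture must show a healthy cluster in
    which the expected new master is still a slave; the 'after' capture must
    show it holding the master role."""
    b, a = parse_ha_status(before), parse_ha_status(after)
    if not b["healthy"]:
        return False, "cluster was not healthy before the test; fix that first"
    if expected_new_master not in b["members"]:
        return False, f"{expected_new_master} was not a cluster member before the test"
    if b["master"] == expected_new_master:
        return False, "expected new master already held the role; nothing to test"
    if a["master"] != expected_new_master:
        return False, f"master after failover is {a['master']}, expected {expected_new_master}"
    return True, f"master moved from {b['master']} to {a['master']}"


if __name__ == "__main__":
    ok, msg = failover_ok(BEFORE, AFTER, "FGVM08TM19000911")
    print(("PASS: " if ok else "FAIL: ") + msg)
```

To use it on a real cluster, paste the console output from step 3 into `BEFORE` and the output from step 4 into `AFTER`; a second run with the post-recovery output from step 5 in `AFTER` and the AVX1 serial as the expected master confirms the role returned as the guide describes.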



About Array Networks
Array Networks, the network functions platform company, develops purpose-built systems
for deploying virtual app delivery, networking and security functions with guaranteed
performance. Headquartered in Silicon Valley, Array is backed by over 250 worldwide
employees and is poised to capitalize on explosive growth in the areas of virtualization,
cloud and software-centric computing. Proven at over 5000 worldwide customer
deployments, Array is recognized by leading analysts, enterprises and service providers, for
next-generation technology that delivers agility at scale.

Corporate Headquarters: [email protected], 408-240-8700, 1 866 MY-ARRAY, www.arraynetworks.com
China: [email protected], +010-84446688
India: [email protected], +91-080-41329296
EMEA: [email protected], +32 2 6336382
France and North Africa: [email protected], +33 6 07 511 868
Japan: sales-japan@arraynetworks.com, +81-44-589-8315

To purchase Array Networks Solutions, please contact your Array Networks representative at
1-866-MY-ARRAY (692-7729) or an authorized reseller.
May-2017 rev. a

© 2017 Array Networks, Inc. All rights reserved. Array Networks and the Array Networks logo are trademarks of Array Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the
property of their respective owners. Array Networks assumes no responsibility for any inaccuracies in this document. Array Networks
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
