Soho_Dan

Fortigate 50B firewall redundant mode

Hi, I'm trying to find out how to configure a Fortigate 50B firewall appliance for redundancy. Currently, it is set up as a standalone firewall. Can this device even be set up for failover or redundancy?
Baleboos

If you mean failover in its upstream (WAN) connections: yes. If you mean failover by pairing it with another device and have it kick in when the other one croaks: no.
Soho_Dan

ASKER

No, I meant if the firewall appliance fails. As in not functioning due to power failure or just not working. I'd like to configure another Fortigate 50B to automatically take over without user intervention.
I don't think the 50B can be paired with another. I have seen device load balancing/failover in other more high end Forti boxes but not the 50B. Found a screen that lets you set up Failover; but like I said, it's WAN failover.

As to power failure, why not buy a $70 UPS? The device sips power very lightly. Shouldn't be too expensive to give you 3 hours of battery backup.
I meant power failure as in the firewall appliance itself. Like a faulty firewall that goes down completely.
It's something I'm trying to help a small company with because they have no full-time IT person. Maybe I'll recommend that they purchase another FG50B, set up the same config and just leave it aside. The problem is that if anything were to change, someone must make the change to the spare one.
That's the usual "oh s***" plan of small companies. Have a spare preconfigured identical box for swapping when needed.
You can do periodic backups of the config on the operational one and back it up to the spare.
SOLUTION
myramu

myramu is right. Sorry. It's not under "System->HA" it's under System->config->HA (At least on the 60B).

I did a cursory search for the words "High Availability" in the docs (here: http://docs.fortinet.com/fgt/archives/3.0/install/FortiGate-50_series_Install_Guide_01-30004-0265-20070831.pdf) and found it only at FG-100 - thus my mistake.
One quick question, Myramu. Must the two units have separate static IP addresses?
All interfaces should have static IP addresses to build HA. Once you build the HA, only the HA configuration (Config system HA) and host name will not be synchronized with each other. It means even interface IP addresses will be synchronized with the firewall rules and routes.

If you need a separate IP for slave to manage, you can configure under HA configuration.

Good Luck!
Sorry, I'm not sure what you meant.

Do you mean I need to configure both Fortigate firewall appliances to have their own static IP addr or do they need to have the SAME static IP addr?
ASKER CERTIFIED SOLUTION