High Availability

Classified as Confidential Internal by SEC - الشركة السعودية للكهرباء مصنف مقيد (داخلي)

High Availability:


FortiGate HA offers several solutions for adding redundancy in the case where a failure occurs on the FortiGate, or is detected by the FortiGate through monitored links, routes, and other health checks. These solutions support fast failover to avoid lengthy network outages and disruptions to your traffic.

A common solution to the high availability problem is to eliminate the security gateway as a single point of failure by introducing redundancy. With two or more redundant security gateways, if one fails, the remaining gateway or gateways keep the traffic flowing. FortiOS provides six redundancy solutions: industry-standard VRRP as well as five proprietary solutions: FortiGate Clustering Protocol (FGCP) high availability, FortiGate Session Life Support Protocol (FGSP) high availability, Session-Aware Load Balancing Clustering (SLBC), Enhanced Load Balanced Clustering (ELBC) and Content Clustering.

Useful FortiOS CLI commands for checking HA status:

diagnose hardware deviceinfo nic port1
  (shows driver, MAC address and link state of port1, for example to verify a monitored or heartbeat interface)
get system ha
  (shows the current HA configuration, including mode, group name, priority and heartbeat devices)
diagnose sniff packet any "ether proto 0x8890" 4
  (captures FGCP heartbeat frames, which use Ethertype 0x8890, on all interfaces at verbosity level 4)

The FortiGate Clustering Protocol (FGCP):


The FortiGate Clustering Protocol (FGCP) is a proprietary HA solution whereby FortiGates can find other member FortiGates to negotiate and create a cluster. A FortiGate HA cluster consists of at least two FortiGates (members) configured for HA operation. All FortiGates in the cluster must be the same model and have the same firmware installed. Cluster members must also have the same hardware configuration (such as the same number of hard disks). All cluster members share the same configuration except for their host name and priority in the HA settings. The cluster operates as a single device but always has a hot backup unit.

FGCP is the most commonly used HA solution. It allows two or more FortiGates of the same type and model to be put into a cluster in Active-Passive (A-P) or Active-Active (A-A) mode. A-P mode provides redundancy by having one or more FortiGates in hot standby in case the primary device experiences a detectable failure. If a failure occurs, traffic quickly fails over to a secondary device, preventing any significant downtime. A-A mode allows traffic to be balanced across the units in the cluster for scanning purposes, and also performs failover.



FortiGate Session Life Support Protocol (FGSP):


FGSP is used in more advanced setups that include external load balancers that distribute traffic across the firewall nodes. FGSP members do not need to have the same network configuration, so they do not need to be in the same physical location. Each FGSP member usually has identical firewall policies to enforce the same access rules. Sessions can be failed over from one FGSP member to another if a device failure occurs. The external load balancers or routers distribute sessions among the FortiGates, and FGSP synchronizes IPv4 and IPv6 TCP, SCTP, UDP, ICMP, expectation, and NAT sessions to keep the session tables of the members synchronized. In the event of a failure, the load balancer can detect the failed unit and fail over the sessions to other active members to continue processing the traffic.



Virtual Router Redundancy Protocol (VRRP):


FortiGates also support VRRP. This can be an appropriate choice when interoperating with third-party routers and firewalls. FortiGates can function as primary or backup Virtual Router Redundancy Protocol (VRRP) routers. The FortiGates can quickly and easily integrate into a network that has already deployed VRRP. A FortiGate can be integrated into a VRRP group with any third-party VRRP devices, and VRRP can provide redundancy between multiple FortiGates. FortiOS supports VRRP versions 2 and 3. VRRP domains can be created, which can include multiple FortiGates and other VRRP-compatible routers. Different FortiGate models can be added to the same VRRP domain.
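An added example (not from the original notes or from Fortinet documentation) of a FortiGate interface configured as the primary VRRP router for a group shared with a third-party device. The interface name, virtual IP and monitored destination are assumed values.

```fortios
config system interface
    edit "port1"
        # use a virtual MAC for the VRRP group so a failover does not
        # depend on neighbours' ARP caches timing out
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                # assumed virtual IP shared with the third-party VRRP peer;
                # the peer must be configured with the same group id and vrip
                set vrip 192.0.2.1
                # 255 on the intended primary; use a lower value on backups
                set priority 255
                # take the primary role back when this unit returns to service
                set preempt enable
                # assumed upstream address to monitor; if it becomes
                # unreachable this unit stops acting as primary
                set vrdst 192.0.2.254
            next
        end
    next
end
```

The backup FortiGate (or third-party router) uses the same group id and virtual IP with a lower priority.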

Session Pickup:


Session pickup is an optional setting that can be enabled to synchronize connectionless (UDP and ICMP) sessions, expectation sessions, and NAT sessions. If session pickup is not enabled, the FGSP does not share session tables for the particular session type, and sessions do not resume after a failover. All sessions are interrupted by the failover and must be re-established at the application level. Many protocols can successfully restart sessions with little or no loss of data. Others may not recover as easily. Enable session pickup for sessions that may be difficult to re-establish. Since session pickup requires FortiGate memory and CPU resources, only enable this feature for sessions that need to synchronize.
Reference: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/869218/fgsp-basic-peer-setup
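An added example (not from the original notes or from Fortinet documentation) of an FGCP active-passive cluster configuration with session pickup enabled, covering the FGCP and Session Pickup sections above. The host name, group name, interface names, priority and password are assumed values; the same HA stanza is entered on every member, changing only the host name and priority.

```fortios
config system global
    # assumed host name; this is one of the two settings that differ per member
    set hostname "FGT-A"
end
config system ha
    # assumed group name; must match on all members
    set group-name "ha-example"
    # active-passive: one primary unit, the others in hot standby
    set mode a-p
    # placeholder; the shared heartbeat secret must be identical on all members
    set password "REPLACE-WITH-STRONG-SECRET"
    # assumed dedicated heartbeat interfaces with equal priority (50)
    set hbdev "port3" 50 "port4" 50
    # synchronize TCP sessions so established connections survive a failover
    set session-pickup enable
    # also synchronize UDP/ICMP, expectation and NAT sessions;
    # each of these costs extra CPU and memory, so enable only what is needed
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
    # do not fail back automatically when the former primary rejoins
    set override disable
    # higher value is preferred as primary; set a lower value on the peer
    set priority 200
    # monitored links: loss of link on any of these triggers a failover
    set monitor "port1" "port2"
end
```

After both members are configured, "get system ha" on each unit should show the same group name, mode and heartbeat devices, and the heartbeat frames can be confirmed with the sniffer command listed earlier.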


Virtual Clustering:


Virtual clustering is an extension of FGCP HA that provides failover protection between two instances of one or more VDOMs operating on two FortiGates in a virtual cluster.
Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate and traffic for other VDOMs to the backup FortiGate(s). Traffic distribution between both FortiGates can potentially improve throughput. If a failure occurs and only one FortiGate continues to operate, all traffic fails over to that FortiGate, similar to normal HA. If the failed FortiGates rejoin the cluster, the configured traffic distribution is restored.
