labunix's blog

labunix's Lab Unix

Simplifying the HA (A-P) configuration of a FortiGate 80C.

■Simplifying the HA (A-P) configuration of a FortiGate 80C.
 Take the internal ports out of switch mode so that each one can be used as its own interface,
 then use port1 for management and port6 for the HA sync (heartbeat) link.
 For wan1, the only change is to stop DHCP (static mode).
 The rest is done from the web UI.
 Check the result with get system ha status on both units: both must list the same Master serial,
 the master reports its vcluster as "work" and the slave as "standby". Note that the outputs below
 report ses_pickup: disable although the settings file further down enables session-pickup, so
 re-check that setting once the cluster has formed.

FGT-UTM2 # get system ha status
Model: FortiGate-80C
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Slave :120 FGT-UTM2         FGT80C0123456789 1
Master:128 FGT-UTM1         FGT80C0123456788 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Slave :1 FGT80C0123456789
Master:0 FGT80C0123456788

FGT-UTM2 #

FGT-UTM1 login: admin
Password: ********
Welcome !

FGT-UTM1 # get system ha status
Model: FortiGate-80C
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 FGT-UTM1         FGT80C0123456788 0
Slave :120 FGT-UTM2         FGT80C0123456789 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FGT80C0123456788
Slave :1 FGT80C0123456789
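The two status dumps above are what you compare by eye after the cluster forms. The following Python script is an added example, not part of the original post or of the GitHub settings file: it parses get system ha status text (the embedded samples are the two outputs shown above, keyed by the prompt hostname) and cross-checks the members: same model, mode and group, exactly one master, agreeing member tables, work/standby state matching each unit's role, the master holding the higher priority, and ses_pickup matching what the configuration intends. The regexes, function names and finding strings are this example's own assumptions about the output format of this FortiOS release.

```python
import re

# Constructed sample input: the two `get system ha status` outputs shown above,
# copied from this page (one per cluster member).
FGT_UTM2_STATUS = """\
Model: FortiGate-80C
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Slave :120 FGT-UTM2         FGT80C0123456789 1
Master:128 FGT-UTM1         FGT80C0123456788 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Slave :1 FGT80C0123456789
Master:0 FGT80C0123456788
"""

FGT_UTM1_STATUS = """\
Model: FortiGate-80C
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:128 FGT-UTM1         FGT80C0123456788 0
Slave :120 FGT-UTM2         FGT80C0123456789 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FGT80C0123456788
Slave :1 FGT80C0123456789
"""

# "Master:128 FGT-UTM1  FGT80C0123456788 0" -> role, priority, hostname, serial, index (assumed layout)
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# "vcluster 1: work 169.254.0.1" -> vcluster number, this unit's state, heartbeat IP
VCLUSTER_RE = re.compile(r"^vcluster\s+(\d+):\s+(\S+)\s+(\S+)$")
# "Master:0 FGT80C0123456788" -> per-vcluster member list (index and serial only)
VC_MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)$")


def parse_ha_status(text):
    """Parse one unit's `get system ha status` output into a dict."""
    info = {"members": [], "vcluster_members": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMBER_RE.match(line)
        if m:
            role, prio, host, serial, idx = m.groups()
            info["members"].append({"role": role, "priority": int(prio), "hostname": host,
                                    "serial": serial, "index": int(idx)})
            continue
        m = VCLUSTER_RE.match(line)
        if m:
            info["vcluster"], info["state"], info["hb_ip"] = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = VC_MEMBER_RE.match(line)
        if m:
            info["vcluster_members"].append({"role": m.group(1), "index": int(m.group(2)),
                                             "serial": m.group(3)})
            continue
        key, sep, val = line.partition(":")  # "Model: FortiGate-80C", "ses_pickup: disable", ...
        if sep:
            info[key.strip()] = val.strip()
    return info


def check_cluster(status_by_host, expect_session_pickup=True):
    """Cross-check what each member reports; returns a list of findings (empty means consistent)."""
    parsed = {host: parse_ha_status(text) for host, text in status_by_host.items()}
    findings = []
    # 1. Model, mode and group must be identical on every member.
    for key in ("Model", "Mode", "Group"):
        values = {p.get(key) for p in parsed.values()}
        if len(values) != 1:
            findings.append(f"{key} differs between members: {sorted(values, key=str)}")
    # 2. Every member must see the same member table (serial, role, priority).
    views = {h: tuple(sorted((m["serial"], m["role"], m["priority"]) for m in p["members"]))
             for h, p in parsed.items()}
    if len(set(views.values())) != 1:
        findings.append(f"member tables disagree: {views}")
    # 3. Exactly one master cluster-wide (two masters means a split heartbeat).
    masters = {m["serial"] for p in parsed.values() for m in p["members"] if m["role"] == "Master"}
    if len(masters) != 1:
        findings.append(f"expected exactly one master, saw {sorted(masters)}")
    for host, p in parsed.items():
        # 4. A unit's own row must match its vcluster state: master -> work, slave -> standby.
        roles = [m["role"] for m in p["members"] if m["hostname"] == host]
        if len(roles) != 1:
            findings.append(f"{host}: listed {len(roles)} times in its own member table")
        else:
            expected = "work" if roles[0] == "Master" else "standby"
            if p.get("state") != expected:
                findings.append(f"{host}: role {roles[0]} but vcluster state {p.get('state')!r}")
        # 5. In a-p the master should hold the highest priority, otherwise a reboot can flip roles.
        prio = {m["role"]: m["priority"] for m in p["members"]}
        if prio.get("Master", 0) < prio.get("Slave", 0):
            findings.append(f"{host}: slave priority {prio.get('Slave')} exceeds master priority {prio.get('Master')}")
        # 6. Session pickup as intended: the settings file on this page enables it, yet the
        #    outputs above report "disable"; this is the mismatch the check surfaces.
        actual = p.get("ses_pickup")
        if (actual == "enable") != expect_session_pickup:
            findings.append(f"{host}: ses_pickup is {actual}, expected "
                            f"{'enable' if expect_session_pickup else 'disable'}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster({"FGT-UTM1": FGT_UTM1_STATUS, "FGT-UTM2": FGT_UTM2_STATUS}):
        print("FINDING:", finding)
```

Run against the two outputs above it reports only the ses_pickup mismatch on each unit; feed it the same text after a failover test (or a deliberately broken copy) and the role/state and single-master checks fire instead.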

■The settings file is on GitHub.
 Its contents follow the fetch commands: FortiOS CLI for unit 1, then the overrides for unit 2.

$ w3m -dump \
  "https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/fortigate-80c_HA_ActivePassive.sh" \
  > fortigate-80c_HA_ActivePassive.sh

$ chmod +x fortigate-80c_HA_ActivePassive.sh
$ ./fortigate-80c_HA_ActivePassive.sh


# Global settings
# timezone 60 = (GMT+9:00) Osaka, Sapporo, Tokyo
# set language must be given a value (e.g. english or japanese); an empty "set language" is rejected
config system global
  set timezone 60
  set language 
  set hostname FGT-UTM1
  end

show system global

# Switch the internal ports from switch mode to interface mode.
# The DHCP server and firewall policy that reference the internal switch must be deleted first;
# the mode change itself (set internal-switch-mode interface under config system global on this
# FortiOS generation) is not in this listing and is done separately.

config system dhcp server
  delete 1
  end

show system dhcp server

config firewall policy
  delete 1
  end

show firewall policy

# Management NIC settings
# allowaccess: telnet and http are cleartext; limit it to ping ssh https in production.
# trusthost1 (further down) restricts the source addresses but does not protect credentials on the wire.

config system interface
  edit port1
  set ip 172.31.31.252/24
  set allowaccess ping telnet ssh http https
  set status up
  next
  edit wan1
  set mode static
  end

show system interface port1

# Management NIC static route

config router static
  edit 1
  set device port1
  set dst 172.31.31.0/255.255.255.0
  set gateway 172.31.31.254
  end

show router static

# Administrator settings
# "Password" is a placeholder; replace it. trusthost1 limits admin logins to the 172.31.31.0/24 management subnet.

config system admin
  edit admin
  set password Password
  set trusthost1 172.31.31.0 255.255.255.0
  end

show system admin

# HA settings for unit 1
# hbdev takes <interface> <priority>, so "internal 6" means heartbeat on interface internal with priority 6.
# "HApass" is the HA group password that authentication enable uses to authenticate heartbeat packets; replace the placeholder.
# Unit 1 gets priority 128 and unit 2 gets 120, so unit 1 becomes master.

config system ha
  set mode a-p
  set group-name FGT-UTM
  set password HApass
  set hbdev internal 6
  set session-pickup enable
  set authentication enable
  set priority 128
end

show system ha

execute shutdown

# HA settings for unit 2
# Run after applying the unit 1 configuration; only the items that must differ (hostname and priority) are overridden.

# Global settings
config system global
  set hostname FGT-UTM2
  end

show system global

config system ha
  set mode a-p
  set group-name FGT-UTM
  set password HApass
  set hbdev internal 6
  set session-pickup enable
  set authentication enable
  set priority 120
end

show system ha

execute shutdown