■Putting the vmnet* interfaces of VMware Workstation 10 into promiscuous mode.
To run FortiGate-VM in an HA configuration, promiscuous mode must be enabled on the vmnet interfaces.
$ cat /etc/debian_version
7.8
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.8 (wheezy)
Release: 7.8
Codename: wheezy
$ vmware-installer -l
Product Name Product Version
==================== ====================
vmware-workstation 10.0.2.1744117
FGVM_SerialNo9
Version: FortiGate-VM64 v5.2.3,build0670,150318 (GA)
Release Version Information: GA
■Switching to promiscuous mode
$ grep -3 "promiscuous /dev/vmnet" /etc/init.d/vmware
vmwareStartVmnet() {
vmwareLoadModule $vnet
"$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
chgrp promiscuous /dev/vmnet*
chmod g+rw /dev/vmnet*
}
$ grep promiscuous /etc/group > /dev/null || \
sudo groupadd promiscuous; \
id | grep promiscuous > /dev/null || \
sudo usermod -a -G promiscuous `whoami`
$ sudo chgrp promiscuous /dev/vmnet*; \
sudo chmod g+rw /dev/vmnet*
■Verification
$ grep promiscuous.*`whoami` /etc/group
promiscuous:x:1001:labunix
$ grep promiscuous /etc/group
promiscuous:x:1001:labunix
$ ls -l /dev/vmnet*
crw-rw---- 1 root promiscuous 119, 0 6月 7 07:54 /dev/vmnet0
crw-rw---- 1 root promiscuous 119, 1 6月 7 07:54 /dev/vmnet1
crw-rw---- 1 root promiscuous 119, 8 6月 7 07:54 /dev/vmnet8
$ sudo vmrun -T ws list
Total running VMs: 2
/home/labunix/vmware/SharedVMs/FGT-VM64_2/FortiGate-VM64_2.vmx
/home/labunix/vmware/SharedVMs/FGT-VM64_1/FortiGate-VM64_1.vmx
■Check the Slave unit's index number with "diagnose sys ha status"
$ ssh admin@XXX.XXX.XXX.XXX 'diagnose sys ha status' | \
sed -e 's/FGVM[0-9]*\([0-9]\)/FGVM_SerialNo\1/g'
FGVM_SerialNo9
Statistics
traffic.local = s:0 p:5510 b:756818
traffic.total = s:0 p:5510 b:756818
activity.fdb = c:0 q:0
Model=5, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=0, delay=0
HA group member information: is_manage_master=1.
FGVM_SerialNo9, 1. Master:128 FGVM_SerialNo9
FGVM_SerialNo0, 0. Slave:100 FGVM_SerialNo0
vcluster 1, state=work, master_ip=169.254.0.2, master_id=0:
FGVM_SerialNo9, 0. Master:128 FGVM_SerialNo9(prio=0, rev=0)
FGVM_SerialNo0, 1. Slave:100 FGVM_SerialNo0(prio=1, rev=1)
config system ha
set group-name "FGT"
set mode a-p
set hbdev "port1" 50
set override disable
set monitor "port1" "port3"
end
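As an added example (not from the original post), a POSIX shell helper that pulls the Slave member's index and each member's priority out of the vcluster section of the "diagnose sys ha status" output above, so the number passed to "execute ha manage" is taken from the text rather than read by eye. The sample text is constructed from the output shown on this page; reading the index from the vcluster listing (rather than the group member list) is an assumption.

```shell
#!/bin/sh
# Constructed sample: the member/vcluster part of "diagnose sys ha status" as
# shown on this page (serial numbers already masked by the sed filter).
HA_STATUS_SAMPLE='HA group member information: is_manage_master=1.
FGVM_SerialNo9, 1. Master:128 FGVM_SerialNo9
FGVM_SerialNo0, 0. Slave:100 FGVM_SerialNo0
vcluster 1, state=work, master_ip=169.254.0.2, master_id=0:
FGVM_SerialNo9, 0. Master:128 FGVM_SerialNo9(prio=0, rev=0)
FGVM_SerialNo0, 1. Slave:100 FGVM_SerialNo0(prio=1, rev=1)'

# Print the index of the Slave member listed in the vcluster section.
# The index is the number in front of the dot ("FGVM_..., 1. Slave:100 ...").
# Assumption: this is the number "execute ha manage" expects.
ha_slave_index() {
  printf '%s\n' "$1" | awk '
    /^vcluster/ { in_vc = 1; next }
    in_vc && /Slave:/ { sub(/\.$/, "", $2); print $2; exit }
  '
}

# Print the HA priority of the member with the given role (Master or Slave),
# taken from the "Role:priority" token in the vcluster section.
ha_role_priority() {
  printf '%s\n' "$1" | awk -v role="$2" '
    /^vcluster/ { in_vc = 1; next }
    in_vc && index($0, role ":") { split($3, a, ":"); print a[2]; exit }
  '
}

# Build the CLI command to log in to the Slave unit from the Master.
ha_manage_command() {
  idx=$(ha_slave_index "$1")
  [ -n "$idx" ] || return 1
  printf 'execute ha manage %s\n' "$idx"
}

# Stand-alone run: show what would be typed on the Master.
ha_manage_command "$HA_STATUS_SAMPLE"
```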
■Log in to the Slave unit with "execute ha manage [Slave index number]" and reboot it
FGVM_SerialNo9
config system ha
set group-name "FGT"
set mode a-p
set hbdev "port1" 50
set override disable
set monitor "port1" "port3"
end
FGVM_SerialNo9
priority : 128
FGVM_SerialNo9
FGVM_SerialNo0 $ show system ha | grep -v password
config system ha
set group-name "FGT"
set mode a-p
set hbdev "port1" 50
set override disable
set priority 100
set monitor "port1" "port3"
end
FGVM_SerialNo0 $ execute reboot
■Failover
Note: because the host seen from the management side changes during failover,
it is better to run this from the web management console or the serial console rather than over a remote session.
FGVM_SerialNo9
FGVM_SerialNo0 $