■ Remove the HA configuration from the Fortigate-60C pair and switch one unit to transparent mode.
The evaluation segment at home is currently a typical tiered layout, like this:

$ echo "[Client] --> [WS2970G(Intra-VLAN)] -- HA(a-p) --> { start: front,0; } [Fortigate-60C-1],[Fortigate-60C-2] \
--> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy

                                                        +----------------------------------------------+
                                                        |                                              |
+--------+     +---------------------+  HA(a-p)       +-----------------+       +-----------------+    |
| Client | --> | WS2970G(Intra-VLAN) | ------+------> | Fortigate-60C-1 | --+-> | Cisco892-J(DMZ) |    |
+--------+     +---------------------+       |        +-----------------+   |   +-----------------+    |
                                             |                              |                          |
                                             |  HA(a-p)                     |                          |
                                             |        +-----------------+   |                          |
                                             +------> | Fortigate-60C-2 | --+                          |
                                                      +-----------------+                              |
                                                        |                                              |
                                                        |                                              |
                                                        v                                              |
                                                      +-----------------+                              |
                                                      |   Router(WAN)   | <----------------------------+
                                                      +-----------------+

■ Partly because the Fortigate-60C has little memory, the following layout may be better than a redundant (HA) one.

$ echo "[Client] -- Transparent mode --> { start: front,0; } [Fortigate-60C-2] -- NAT mode --> [Fortigate-60C-1] \
--> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy

+--------+  Transparent mode   +-----------------+  NAT mode   +-----------------+     +-----------------+
| Client | ------------------> | Fortigate-60C-2 | ----------> | Fortigate-60C-1 | --> | Cisco892-J(DMZ) |
+--------+                     +-----------------+             +-----------------+     +-----------------+
                                                                 |
                                                                 |
                                                                 v
                                                               +-----------------+
                                                               |   Router(WAN)   |
                                                               +-----------------+

■ Take a backup.

■ Note the serial number of unit 2 and shut it down.
From the primary unit, jump to the subsidiary unit with "execute ha manage" and shut it down from there.

$ ssh admin@172.31.31.252
home-utm1 # execute ha manage ?
<id>    please input peer box index.
<0>     Subsidary unit FGT60CXXXXXXXXXX
# execute ha manage 0
$ get system status | grep ^Serial
Serial-Number: FGT60CXXXXXXXXXX
$ execute shutdown
This operation will shutdown the system !
Do you want to continue? (y/n)y

■ Set unit 1 to standalone.

# show system ha | grep -v password
config system ha
    set group-name "home-utm"
    set mode a-p
    set hbdev "dmz" 50
    set override disable
    set monitor "dmz" "wan1"
end
# config system ha
    set mode standalone
end

■ Unplug every LAN cable from unit 2 and power it on.
Before the factory reset, set it to standalone just in case, then issue the reset command.

...
login: admin
Password:
# config system ha
    set mode standalone
end
# execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y
System is resetting to factory default...

■ Initial setup of unit 2.

...
login: admin
Password:
# config system global
    set hostname home-utm2
    set timezone 60
    set language japanese
end

■ The settings that have to change before switching to transparent mode are the firewall policy (NAT), the DHCP server, and the virtual-switch.
On this unit the DHCP server has no entries, and this is not a model that has a virtual-switch configured, so only the NAT policy and the DHCP-client interfaces need attention. ("grep -f" in the FortiOS CLI prints the whole config block that contains the match.)

# show firewall policy | grep -f nat
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable              <---
    next
end
# show | grep -f dhcp
config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp               <---
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set mode dhcp               <---
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 3
    next
end
config system dhcp server           <---
end
# show | grep virtual-switch

■ Delete the firewall policy and the DHCP-client settings.

# config firewall policy
    delete 1
end
config system interface
    edit wan1
        set mode static
    next
    edit wan2
        set mode static
    next
end

■ Switch to transparent mode.
The management IP is on the same /24 as unit 1's internal side, and unit 1 (172.31.31.252) is the gateway.

# show full-configuration system settings | grep nat
    set opmode nat
    set sip-nat-trace enable
# config system settings
    set admin-https-redirect disable
    set opmode transparent
    set manageip 172.31.31.249 255.255.255.0
    set gateway 172.31.31.252
end
This operation might change settings of vap interfaces, virtual switches, software switch interfaces, managed switches, ppp vdom-link, loopback interfaces, interface auto-ipsec allowaccess and wccp-cache-engine.
Do you want to continue? (y/n)y
Changing to TP mode

■ Verify the settings.

# show system settings
config system settings
    set opmode transparent
    set manageip 172.31.31.249/255.255.255.0
end
# get system status | grep ^Op
Operation Mode: Transparent
# show router static
config router static
    edit 1
        set gateway 172.31.31.252
    next
end

■ Re-plug the LAN cables.
The DMZ port is not involved in this change, so it is omitted.

$ echo "[Client] -- eth2/internal --> { start: front,0; } [Fortigate-60C-2] \
-- wan1/internal --> [Fortigate-60C-1] \
-- wan1/LAN4 --> [Router]" | graph-easy

+--------+  eth2/internal   +-----------------+  wan1/internal   +-----------------+  wan1/LAN4   +--------+
| Client | ---------------> | Fortigate-60C-2 | ---------------> | Fortigate-60C-1 | -----------> | Router |
+--------+                  +-----------------+                  +-----------------+              +--------+

■ Reachability check from the transparent-mode Fortigate to the NAT-mode Fortigate.

# execute ping 172.31.31.252
PING 172.31.31.252 (172.31.31.252): 56 data bytes
64 bytes from 172.31.31.252: icmp_seq=0 ttl=255 time=4.3 ms
64 bytes from 172.31.31.252: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=4 ttl=255 time=0.4 ms

--- 172.31.31.252 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/1.1/4.3 ms

■ Reachability check from the NAT-mode Fortigate to the transparent-mode one.

$ ssh admin@172.31.31.252
home-utm1 # execute ping 172.31.31.249
PING 172.31.31.249 (172.31.31.249): 56 data bytes
64 bytes from 172.31.31.249: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 172.31.31.249: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=4 ttl=255 time=0.4 ms

--- 172.31.31.249 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.8 ms

■ Add a route on the client.
A host route sends traffic for the transparent unit's management IP straight out eth2 instead of via the 172.31.31.252 gateway.

$ sudo route add -host 172.31.31.249 dev eth2
$ sudo route -n | awk '/172.31.31/{print}'
172.31.31.0     172.31.31.252   255.255.255.0   UG    0      0        0 eth2
172.31.31.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.31.31.249   0.0.0.0         255.255.255.255 UH    0      0        0 eth2

■ SSH connection check.

$ ssh admin@172.31.31.249
# show system settings | grep op
    set opmode transparent
home-utm2 # exit
$ ssh admin@172.31.31.252
# show full-configuration system settings | grep op
    set opmode nat
# exit

■ By the way, Hatena Blog mangles the ASCII art beyond recognition, so I am turning it into PNGs.
Viewed as text in w3m or the like there is no problem.
For people on a rich browser, I am lining up the images in this order:

HA layout before the change
Post-change layout from the mode viewpoint
Post-change layout from the interface viewpoint

$ echo "[Client] --> [WS2970G(Intra-VLAN)] -- HA(a-p) --> { start: front,0; } [Fortigate-60C-1],[Fortigate-60C-2] \
--> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy -o 1.dot
$ echo "[Client] -- Transparent mode --> { start: front,0; } [Fortigate-60C-2] -- NAT mode --> [Fortigate-60C-1] \
--> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy -o 2.dot
$ echo "[Client] -- eth2/internal --> { start: front,0; } [Fortigate-60C-2] \
-- wan1/internal --> [Fortigate-60C-1] \
-- wan1/LAN4 --> [Router]" | graph-easy -o 3.dot
$ seq 1 3 | awk '{print "dot -T png "$1".dot -o "$1".png"}' | sh
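■ Added example: pre-flight check of a saved config before "set opmode transparent".
The script below is an added example and is not part of the original post or of FortiOS. It applies the same check that was done by hand above (NAT-enabled firewall policies, interfaces in DHCP-client mode, DHCP server entries, any virtual-switch section) to a saved "show full-configuration" dump on the admin host, so the leftovers can be found before typing the opmode change. The function names tp_preflight and write_sample_config and the embedded config are my own; the sample is constructed to mirror the output shown in the post, with one extra static "internal" interface added to show that a non-DHCP interface is not flagged.

```shell
#!/bin/sh
# Pre-flight check before switching a FortiGate to transparent mode.
# Added example, not from the original post. Input: a saved
# "show full-configuration" dump. Prints one finding per line and
# returns 1 if anything still has to be cleaned up, 0 if clean.

tp_preflight() {
    findings=$(awk '
        function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
        # "config <section>" opens a nesting level; remember the section name.
        /^[[:space:]]*config / {
            depth++; sect[depth] = substr(trim($0), 8)
            if (index(sect[depth], "virtual-switch")) print "virtual-switch " sect[depth]
            next
        }
        /^[[:space:]]*end[[:space:]]*$/  { ed[depth] = ""; depth--; next }
        # "edit <id>" names the entry inside the current section.
        /^[[:space:]]*edit / {
            ed[depth] = $2; gsub(/"/, "", ed[depth])
            if (sect[depth] == "system dhcp server") print "dhcp-server " ed[depth]
            next
        }
        /^[[:space:]]*next[[:space:]]*$/ { ed[depth] = ""; next }
        # The two settings the post had to remove by hand.
        /^[[:space:]]*set nat enable/ && sect[depth] == "firewall policy"  { print "nat-policy " ed[depth] }
        /^[[:space:]]*set mode dhcp/  && sect[depth] == "system interface" { print "dhcp-interface " ed[depth] }
    ' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample dump, modelled on the post's "show" output (not a real capture).
write_sample_config() {
    cat > "$1" <<'EOF'
config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 3
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 4
    next
end
config system dhcp server
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system settings
    set opmode nat
    set sip-nat-trace enable
end
EOF
}

# Stand-alone run: check the constructed sample. Usage on a real dump: tp_preflight /path/to/dump.txt
main() {
    f=$(mktemp)
    write_sample_config "$f"
    if tp_preflight "$f"; then
        echo "clean: safe to 'set opmode transparent'"
    else
        echo "fix the findings above before changing opmode"
    fi
    rm -f "$f"
}
main "$@"
```

On the sample this reports dhcp-interface wan2, dhcp-interface wan1 and nat-policy 1, which is exactly what was deleted by hand above; after those are removed (policy deleted, wan1/wan2 set to static) it reports nothing and exits 0.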