
Fortigate-60CのHA構成を外してトランスペアレントに変更する。

■Fortigate-60CのHA構成を外してトランスペアレントに変更する。
 現状の自宅の評価セグメントは以下のような一般的な階層型になっている。

$ echo "[Client] --> [WS2970G(Intra-VLAN)] -- HA(a-p) --> { start: front,0; } [Fortigate-60C-1],[Fortigate-60C-2] \
                               --> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy
                                                           +------------------------------------------------+
                                                              |                                                |
+--------+     +---------------------+           HA(a-p)    +-----------------+           +-----------------+  |
| Client | --> | WS2970G(Intra-VLAN) | ------+------------> | Fortigate-60C-1 | ------+-> | Cisco892-J(DMZ) |  |
+--------+     +---------------------+       |              +-----------------+       |   +-----------------+  |
                                             |                                        |                        |
                                             |                                        |                        |
                                             |                                        |                        |
                                             |   HA(a-p)    +-----------------+       |                        |
                                             +------------> | Fortigate-60C-2 | ------+                        |
                                                            +-----------------+                                |
                                                              |                                                |
                                                              |                                                |
                                                              |                                                |
                                                              |                                                |
                                                  +-----------+------------------------------------------------+
                                                  |
                                                  |         +-----------------+
                                                  +-------> |   Router(WAN)   |
                                                            +-----------------+

■Fortigate-60Cはメモリが少ないこともあり、
 HAによる冗長化構成よりは以下の構成の方が良いかも知れない。

$ echo "[Client] -- Transparent mode --> { start: front,0; } [Fortigate-60C-2] -- NAT mode --> [Fortigate-60C-1] \
                               --> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy

+--------+  Transparent mode   +-----------------+  NAT mode   +-----------------+     +-----------------+
| Client | ------------------> | Fortigate-60C-2 | ----------> | Fortigate-60C-1 | --> | Cisco892-J(DMZ) |
+--------+                     +-----------------+             +-----------------+     +-----------------+
                                                                 |
                                                    +------------+
                                                    |
                                                    |          +-----------------+
                                                    +--------> |   Router(WAN)   |
                                                               +-----------------+

■バックアップの取得。
 

■2号機のシリアルナンバーを控えてシャットダウン。

$ ssh admin@172.31.31.252
home-utm1 # execute ha manage ?
<id>    please input peer box index.
<0>	Subsidary unit FGT60CXXXXXXXXXX
# execute ha manage 0
$ get system status | grep ^Serial
Serial-Number: FGT60CXXXXXXXXXX
$ execute shutdown 
This operation will shutdown the system !
Do you want to continue? (y/n)y

■1号機をStandaloneに変更。

# show system ha | grep -v password
config system ha
    set group-name "home-utm"
    set mode a-p
    set hbdev "dmz" 50 
    set override disable
    set monitor "dmz" "wan1" 
end
# config system ha
    set mode standalone
  end

■2号機のLANケーブルをすべて外してから電源ON。
 初期化前に念のためstandaloneに変更してから、初期化コマンドを投入する。

... login: admin
Password:
# config system ha
    set mode standalone
  end
# execute factoryreset 
This operation will reset the system to factory default!
Do you want to continue? (y/n)y


System is resetting to factory default...


■2号機の初期設定

... login: admin
Password:
# config system global
    set hostname home-utm2
    set timezone 60
    set language japanese
  end

■Transparentモードへの変更前に見直すべき箇所は、以下のfirewallポリシー、dhcp server、virtual-switchの設定。
 今回はdhcp serverに設定が無く、virtual-switchが設定されているモデルでもない。

# show firewall policy | grep -f nat
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable <---
    next
end

# show | grep -f dhcp
config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp <---
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set mode dhcp <---
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 3
    next
end
config system dhcp server <---
end

# show | grep virtual-switch

■firewallポリシーとdhcpクライアント設定の削除

# config firewall policy
    delete 1
  end
  config system interface
    edit wan1
    set mode static
    next
    edit wan2
    set mode static
    next
  end

■Transparentモードに変更。

# show full-configuration system settings | grep nat
    set opmode nat
    set sip-nat-trace enable

#  config system settings
    set admin-https-redirect disable
    set opmode transparent
    set manageip 172.31.31.249 255.255.255.0
    set gateway 172.31.31.252
  end
This operation might change settings of vap interfaces, virtual switches,
 software switch interfaces, managed switches, ppp vdom-link, loopback interfaces,
 interface auto-ipsec allowaccess and wccp-cache-engine.
Do you want to continue? (y/n)y

Changing to TP mode

■設定の確認

# show system settings 
config system settings
    set opmode transparent
    set manageip 172.31.31.249/255.255.255.0 
end

# get system status | grep ^Op
Operation Mode: Transparent

# show router static 
config router static
    edit 1
        set gateway 172.31.31.252
    next
end

■LANケーブルを差し替える。
 DMZポートは今回の変更に関係が無いので省略。

$ echo "[Client] -- eth2/internal --> { start: front,0; } [Fortigate-60C-2] \
                                -- wan1/internal --> [Fortigate-60C-1] \
                                -- wan1/LAN4 --> [Router]" | graph-easy

+--------+  eth2/internal   +-----------------+  wan1/internal   +-----------------+  wan1/LAN4   +--------+
| Client | ---------------> | Fortigate-60C-2 | ---------------> | Fortigate-60C-1 | -----------> | Router |
+--------+                  +-----------------+                  +-----------------+              +--------+

■トランスペアレントモードのFortigateからNATモードのFortigateへの疎通確認

# execute ping 172.31.31.252
PING 172.31.31.252 (172.31.31.252): 56 data bytes
64 bytes from 172.31.31.252: icmp_seq=0 ttl=255 time=4.3 ms
64 bytes from 172.31.31.252: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 172.31.31.252: icmp_seq=4 ttl=255 time=0.4 ms

--- 172.31.31.252 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/1.1/4.3 ms

■NATモードのFortigateからトランスペアレントモードのFortigateへの疎通確認

$ ssh admin@172.31.31.252
home-utm1 # execute ping 172.31.31.249
PING 172.31.31.249 (172.31.31.249): 56 data bytes
64 bytes from 172.31.31.249: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 172.31.31.249: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 172.31.31.249: icmp_seq=4 ttl=255 time=0.4 ms

--- 172.31.31.249 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.8 ms

■クライアント側でのルーティングの追加。

$ sudo route add -host 172.31.31.249 dev eth2
$ sudo route -n | awk '/172.31.31/{print}'
172.31.31.0     172.31.31.252   255.255.255.0   UG    0      0        0 eth2
172.31.31.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.31.31.249   0.0.0.0         255.255.255.255 UH    0      0        0 eth2

■ssh接続確認

$ ssh admin@172.31.31.249
# show system settings | grep op
    set opmode transparent
home-utm2 # exit

$ ssh admin@172.31.31.252
# show full-configuration system settings | grep op
    set opmode nat
# exit

■ところで、はてなブログ上ではASCIIアートの崩れ方が半端無いので、PNGにしておく。
 w3m等のテキストブラウザで見る分には問題無い。
 リッチなブラウザで見る人向けに、以下の順で画像を並べておく。

 変更前のHA構成図
 モード視点での変更後構成図
 Interface視点での変更後構成図

$ echo "[Client] -- wrh2/internal --> { start: front,0; } [Fortigate-60C-2] \
                                -- wan1/internal --> [Fortigate-60C-1] \
                                -- wan1/LAN4 --> [Router]" | graph-easy -o 1.dot
$ echo "[Client] -- Transparent mode --> { start: front,0; } [Fortigate-60C-2] -- NAT mode --> [Fortigate-60C-1] \
                                --> { end: back,0; } [Router(WAN)],[Cisco892-J(DMZ)]" | graph-easy -o 2.dot

$ echo "[Client] -- eth2/internal --> { start: front,0; } [Fortigate-60C-2] \
                                 -- wan1/internal --> [Fortigate-60C-1] \
                                 -- wan1/LAN4 --> [Router]" | graph-easy -o 3.dot

$ seq 1 3 | awk '{print "dot -T png "$1".dot -o "$1".png"}' | sh

f:id:labunix:20150901012253p:plain
f:id:labunix:20150901011954p:plain
f:id:labunix:20150901012000p:plain