Information
Ensure that FortiGate devices are configured for High Availability (HA).
Configuring High Availability (HA) increases system availability and reduces the impact of routine maintenance (firmware updates, cable moves, etc.) and of device failure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
In GUI:
1. Navigate to "System" and then "HA"
2. Ensure "Mode" is set to the proper setting, "Active-Active" or "Active-Passive"
3. Review Configuration settings:
- "Cluster Name" must match on devices
- "Password" must match on devices
- "Heartbeat Interfaces" need to be defined on devices
4. Click "OK" to save changes and exit
In CLI:
FGT1 # config system ha
FGT1 (ha) # set mode a-p ###(Active-Passive)
FGT1 (ha) # set group-name "FGT-HA" ###(Set cluster name)
FGT1 (ha) # set password ******* ###(Set password)
FGT1 (ha) # set hbdev port10 50 ###(Set Heartbeat Interface and priority)
FGT1 (ha) # end
To review configuration in CLI:
FGT1 # config system ha
FGT1 (ha) # show
config system ha
set group-name "FGT-HA"
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpOV5V+e388EcwsOOMsXBZOw==
set hbdev "port10" 50
set override disable
end
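
The review step above can be automated across cluster members. The Python below is an added example, not part of the benchmark or of any Fortinet or Nessus tooling: it parses saved `show` output and reports a mode other than a-a/a-p, a missing group-name, password or hbdev, and a group-name mismatch between members. The hostnames and sample output are constructed, and the password is checked for presence only (assumption: the ENC strings cannot be meaningfully compared between devices).

```python
import shlex

ALLOWED_MODES = ("a-a", "a-p")                  # Active-Active / Active-Passive
REQUIRED = ("group-name", "password", "hbdev")  # settings the benchmark reviews

def parse_ha(show_output):
    """Map each 'set' key in the 'config system ha' block to its value list."""
    settings, in_block = {}, False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config system ha":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("set "):
            tokens = shlex.split(line)          # handles quoted values like "FGT-HA"
            settings[tokens[1]] = tokens[2:]
    return settings

def audit_member(settings):
    """Return a list of findings for one device's HA settings."""
    findings = []
    mode = (settings.get("mode") or ["<not set>"])[0]
    if mode not in ALLOWED_MODES:
        findings.append(f"mode is {mode}, expected a-a or a-p")
    # Presence only: ENC password strings are not compared across devices.
    findings += [f"{key} is not set" for key in REQUIRED if not settings.get(key)]
    return findings

def audit_cluster(members):
    """members: {hostname: show output}. Returns {hostname or 'cluster': findings}."""
    parsed = {host: parse_ha(text) for host, text in members.items()}
    report = {host: audit_member(s) for host, s in parsed.items()}
    names = {host: " ".join(s.get("group-name", [])) for host, s in parsed.items()}
    if len(set(names.values())) > 1:
        report["cluster"] = [f"group-name differs across members: {names}"]
    return report

# Constructed sample output for two hypothetical members (not from the page).
FGT1 = '''config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password ENC CONSTRUCTED-PLACEHOLDER
    set hbdev "port10" 50
end'''
FGT2 = FGT1.replace('"FGT-HA"', '"FGT-HA2"').replace('    set hbdev "port10" 50\n', "")

if __name__ == "__main__":
    for who, findings in audit_cluster({"FGT1": FGT1, "FGT2": FGT2}).items():
        print(who, findings or "OK")
```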
Impact:
Not having High Availability (HA) configured correctly and synced properly impacts the availability of the FortiGate devices as well as any systems whose traffic must traverse the FortiGates. With properly configured HA in place, outages can be minimized during firmware updates as well as during power outages or device failures.