2.5.1 Ensure High Availability Configuration

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Ensure that FortiGate devices are configured for High Availability (HA).

Rationale:

Configuring High Availability (HA) increases system availability and decreases the impact of routine maintenance (firmware updates, cable moves, etc.) and of device failure.

Impact:

Not having High Availability (HA) configured correctly and synced properly impacts the availability of the FortiGate devices as well as any systems whose traffic must traverse the FortiGates. With properly configured HA in place, outages can be minimized during firmware updates as well as during power outages or device failures.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

In GUI:

1. Navigate to 'System' and then 'HA'.
2. Ensure 'Mode' is set to the proper setting, 'Active-Active' or 'Active-Passive'.
3. Review the configuration settings:
   - 'Cluster Name' must match on devices
   - 'Password' must match on devices
   - 'Heartbeat Interfaces' need to be defined on devices
4. Click 'OK' to save changes and exit.

In CLI:

FGT1 # config system ha
FGT1 (ha) # set mode a-p ###(Active-Passive)
FGT1 (ha) # set group-name 'FGT-HA' ###(Set cluster name)
FGT1 (ha) # set password ******* ###(Set password)
FGT1 (ha) # set hbdev port10 50 ###(Set Heartbeat Interface and priority)
FGT1 (ha) # end

To review the configuration in CLI:

FGT1 # config system ha
FGT1 (ha) # show
config system ha
set group-name 'FGT-HA'
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpOV5V+e388EcwsOOMsXBZOw==
set hbdev 'port10' 50
set override disable
end
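The review above can be scripted across cluster members. The following Python is an added example, not part of the benchmark or the Nessus audit: it parses saved 'show' output from each unit and reports the settings the Solution lists. The function names, the FGT2 host and the sample outputs are constructed for illustration; it only checks that a password is set and does not compare the ENC strings.

```python
import shlex

HA_MODES = {"a-a", "a-p"}  # Active-Active / Active-Passive

def parse_ha(show_output):
    """Return the top-level 'set' entries of the 'config system ha' block."""
    settings, depth = {}, None          # depth None = block not entered yet
    for raw in show_output.splitlines():
        tok = shlex.split(raw)          # strips quotes around values
        if depth is None:
            if tok[:3] == ["config", "system", "ha"]:
                depth = 0
        elif tok[:1] == ["config"]:
            depth += 1                  # nested sub-table, skipped
        elif tok[:1] == ["end"]:
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and tok[:1] == ["set"] and len(tok) >= 3:
            settings[tok[1]] = tok[2:]
    return settings

def check_unit(settings):
    """Findings for one unit against the settings the Solution lists."""
    # Assumption: a missing 'set mode' line means the default, standalone.
    mode = settings.get("mode", ["standalone"])[0]
    findings = [] if mode in HA_MODES else [f"mode is {mode}, expected a-a or a-p"]
    for key, label in (("group-name", "cluster name"), ("password", "password"),
                       ("hbdev", "heartbeat interface")):
        if key not in settings:
            findings.append(f"{label} ({key}) not set")
    return findings

def check_cluster(units):
    """units maps hostname -> 'show' text; adds a cross-unit name check."""
    parsed = {host: parse_ha(text) for host, text in units.items()}
    report = {host: check_unit(s) for host, s in parsed.items()}
    names = {tuple(s.get("group-name", ())) for s in parsed.values()}
    report["cluster"] = ["group-name differs between units"] if len(names) > 1 else []
    return report

# Constructed sample output; the ENC value is a placeholder, not a real hash.
FGT1 = ('config system ha\n    set group-name "FGT-HA"\n    set mode a-p\n'
        '    set password ENC PLACEHOLDER\n    set hbdev "port10" 50\nend')
FGT2 = ('config system ha\n    set group-name "FGT-HA-LAB"\n    set mode a-p\n'
        '    set password ENC PLACEHOLDER\nend')

if __name__ == "__main__":
    for host, findings in check_cluster({"FGT1": FGT1, "FGT2": FGT2}).items():
        print(host, findings or "OK")
```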

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4077