FortiGate Remote Link Monitoring for HA
Josh Varghese
Industrial (OT) Networking SME | Owner at Traceroute | Advisory Board Member
The link here describes combining Remote Link Monitoring with HA and it works.
In our case below we set a ping server of 10.10.1.13 and can get the Fortinet FortiGate HA to failover in a situation where ports 4 and 5 on switch 9 are down which would otherwise lead to no routing availability for the rest of the LAN (downstream of switch 12).
The only point of confusion and concern is the “pingserver-flip-timeout” described at the link which defaults to 60 minutes and on our 60F seems to have a minimum configurable value of 6 minutes. This means that after a failover from FG-A to FG-B, the HA can’t possibly fail back to FG-A (even if there is a ping server failure for B and the A situation is repaired) sooner than 6 minutes!
While I realize you don’t want a lot of FLIP FLOP, this minimum is a bit surprising to me coming from a world of typically doing process VLAN routing at an OT L3 switch pair running VRRP or a proprietary variant of VRRP, allowing this floor to be on the order of 4 seconds or even 400 milliseconds respectively.
A few months earlier I posed a question about the pros/cons of using NGFWs vs L3 switches for process VLAN routing and I think I may have just found a strong con.
Does this 6 minute “floor” surprise anyone? Is the floor similar on Palo Alto Networks? Do you have alternative suggestions on how we should consider facilitating the desired redundancy?
Worth noting we originally tried to facilitate through extra cross connections and Redundant Interface on the FGs but couldn’t quite figure out the right configuration.
We went multiple rounds with Forti support and an SE we know without any resolution.
Thanks in advance for the feedback
#industrialnetworking #otnetworking #redundancy
System Engineer at Integra Group
9 months
HA “override” parameter is enabled and the cluster “preferred” master is set with a higher “priority” value than the slave. “pingserver-slave-force-reset” variable is set to “disable”. Remote link failure on the new master side can trigger a fail over immediately.
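The three settings named in this comment, put together with the ping server from the original post, as an added FortiOS CLI example (not the commenter's, Fortinet's or the poster's own configuration). It assumes FortiOS 6.4/7.0 key names, a LAN-side interface called "internal1", and the threshold and probe-count values shown; the flip timeout is the 6-minute floor reported in the post.

```fortios
# Added example; interface name, thresholds and probe counts are assumptions.
# Key names follow FortiOS 6.4/7.0; on newer releases pingserver-slave-force-reset
# is spelled pingserver-secondary-force-reset.

# Remote link monitor: probe the ping server from the post (10.10.1.13)
# out of the LAN-side interface and report failures to HA.
config system link-monitor
    edit "lan-gw-monitor"
        set srcintf "internal1"
        set server "10.10.1.13"
        set protocol ping
        set failtime 5            # consecutive lost probes before the monitor is down (assumed)
        set recoverytime 5        # consecutive good probes before it is up again (assumed)
        set ha-priority 1         # weight this monitor contributes to the HA failover threshold
    next
end

# HA settings on FG-A, the preferred primary. FG-B carries the same block
# with a lower priority (for example 100) so that FG-A wins when both are healthy.
config system ha
    set group-name "OT-HA"
    set mode a-p
    set override enable                        # a higher-priority unit takes over when eligible
    set priority 200
    set pingserver-monitor-interface "internal1"
    set pingserver-failover-threshold 1        # one failed monitor (ha-priority 1) is enough
    set pingserver-flip-timeout 6              # minutes; the 6-minute floor seen on the 60F
    set pingserver-slave-force-reset disable   # per the comment above
end
```

Verify the monitor state with `diagnose sys link-monitor status` and the cluster state with `get system ha status` before and after pulling the link, so the observed failover and failback timing can be compared against the flip timeout.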
I secure networks. | Solutions Consultant @ Palo Alto Networks 2xNSE7 CASP
9 months
PAN-OS to the rescue here. You can set it to 1ms if you would like but we recommend 500ms if you need it to be aggressive. We can also set 'Monitor Fail Hold Up Time' to stay on the active in the event of a flapping neighbor and set the 'Maximum No. of Flaps' threshold if the path fails to stay up for 10 min after becoming functional. Ref. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers
Field Service Alum | LV / MV Gear Fluent | Training the next SME
9 months
If only this customer service was available to all field personnel. This world would be far more efficient.
Network Security Engineer | @gregabyte.io | USAF Veteran
9 months
I think this may still work in the way you want but I will have to test it out in my lab tomorrow. I think the flip timer is there for a natural fail back if everything remains fine on the secondary but in the instance where you then have an issue on the secondary it would/should start the negotiation of who is best to be primary. This is late speculation based on reading too many docs for the first time but it makes sense in my head. I'll try to lab it out to verify tomorrow.
Ben Scott, M.S. do you have any thoughts?