Redundant with FGT in IP Pass-through mode

This feature applies to FEX-201E, FEX-202E, FEX-211E, and FEX-212E only.

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution to ensure network connectivity in the event that the default router for the network fails. With VRRP, if a router or FortiGate on your network fails, all traffic transparently fails over to another router or FortiGate. When the failed router or FortiGate is restored, it once again takes over processing traffic for the network. For more information about VRRP, see RFC 3768.

The most common application of VRRP is to provide redundant default routers between an internal network and the internet. The default routers can be FortiGates and/or any routers that support VRRP, such as FortiExtenders.

General configuration procedures
  1. Add a virtual VRRP router to the internal interface of each of the FortiGates and FortiExtender. This adds the FortiGate and FortiExtender to the same VRRP domain.
  2. Set the VRRP IP address of the domain to the internal network default gateway IP address.
  3. Give one of the VRRP domain members the highest priority so it becomes the primary (or master) router, and give the others (such as the FortiExtender) lower priorities so they become backup routers.

In normal operations, all traffic from the internal network to the internet passes through the primary VRRP router, i.e., FortiGate. The primary router also sends VRRP advertisement messages to the backup router, i.e., FortiExtender. The backup FortiExtender will not attempt to become a primary router while receiving these messages. If the primary router fails, the backup FortiExtender with the highest priority becomes the new primary router after a brief delay, during which the new primary router sends gratuitous ARP packets to the network to map the default route IP address of the network to the MAC address of the new primary router. All packets sent to the default route are now being sent to the new primary router, i.e., FortiExtender. If the new primary router is a FortiGate, the network will continue to benefit from FortiOS security features. If it is a regular router, traffic will continue to flow, but the FortiOS security features will not be available until the FortiGate is back online.

During a VRRP failover with a FortiGate as the backup router, the FortiGate will not have session information for the failed-over in-progress sessions, so it would normally be unable to forward in-progress session traffic. To solve this issue, the FortiGate acting as the new primary router operates with asymmetric routing enabled immediately after a failover and for a short time (called the start time). This enables the FortiGate to re-create all of the in-progress sessions and add them to its session table.

While operating with asymmetric routing enabled, the FortiGate cannot apply security functions. When the start time ends, the FortiGate disables asymmetric routing and returns to normal operation (including applying security functions).

To enable VRRP on the interface attached to the LAN port on FortiGate:

config system interface
    edit <port num>
        set vdom "root"
        set ip <ip> <subnet mask>
        set allowaccess ping
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit <vrrp id>
                set vrip <vrrp IP>
                set priority <priority>
            next
        end
end

To enable VRRP on FortiExtender:
config system management
    set discovery-type fortigate
    config fortigate-backup
        set vrrp-interface <vrrp interface, e.g., port1>
        set status enable
    end
end

config system interface wan vrrp
    set status enable
    set version 2                   <only version 2 is currently supported>
    set ip <IP of virtual router>
    set id <vrrp id>
    set priority <priority>
    set adv-interval <advertisement interval in seconds>
    set start-time <initialization timer for the backup router, typically 1>
    set preempt <enable | disable>  <preempting the master is typically disabled>
end

The VRRP interfaces on the FortiGate and FortiExtender must be individual ports, and must not be part of a LAN switch with a static IP address configuration. Devices that reach the Internet through the FortiGate or FortiExtender must also have a static IP address configured.

To display the status of the virtual router on FortiExtender:
get router info vrrp
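As an added illustration (not Fortinet's code and not from this page), the following Python builds and validates a VRRPv2 advertisement in the RFC 3768 format that the primary FortiGate sends and the backup FortiExtender listens for, computes the backup's master-down timer from its priority and the advertisement interval, and shows what the preempt setting decides. The VRID, priorities and virtual IP are constructed sample values.

```python
import struct

VRRP_VERSION = 2           # the FortiExtender config above accepts only version 2
VRRP_ADVERTISEMENT = 1     # the only VRRPv2 message type

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the VRRP checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(vrid: int, priority: int, adv_interval: int, vrips: list) -> bytes:
    """Build a VRRPv2 advertisement (RFC 3768 section 5.3) with no authentication."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(vrips), 0, adv_interval, 0)
    body = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vrips)
    pkt = head + body + b"\x00" * 8          # 8 bytes of (unused) authentication data
    return pkt[:6] + struct.pack("!H", checksum(pkt)) + pkt[8:]

def parse_advertisement(pkt: bytes) -> dict:
    """Validate and decode an advertisement; a backup should drop anything that fails here."""
    if len(pkt) < 16 or checksum(pkt) != 0:
        raise ValueError("bad length or checksum")
    vt, vrid, prio, count, _auth, adv, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("unsupported version/type")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("address count does not match packet length")
    vrips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adv_interval": adv, "vrips": vrips}

def master_down_interval(backup_priority: int, adv_interval: int) -> float:
    """Seconds a backup waits without advertisements before taking over (RFC 3768 6.1)."""
    skew = (256 - backup_priority) / 256
    return 3 * adv_interval + skew

def should_preempt(local_priority: int, master_priority: int, preempt: bool) -> bool:
    """With preempt disabled (the typical FortiExtender setting), a backup that hears a
    live master with a lower priority stays a backup instead of taking over."""
    return preempt and local_priority > master_priority

# Constructed sample: the FortiGate (priority 200) advertising VRID 10 every second.
SAMPLE = build_advertisement(10, 200, 1, ["192.0.2.1"])
```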