Configuring HA settings on the FortiProxy-VMs
After the FortiProxy VMs are successfully deployed, configure active-active (config-sync) HA settings on the two VMs using CLI commands via SSH.
To configure FortiProxy-A using the CLI:
config router static
    edit 1
        set gateway 10.0.1.1
        set device "port1"
    next
end
config system interface
    edit "port1"
        set description public
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set description hasync
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set description mgmt
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end
config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 111
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.2.1
    config unicast-peers
        edit 2
            set peer-ip 10.0.12.11
        next
    end
end
To configure FortiProxy-B using the CLI:
config router static
    edit 1
        set gateway 10.0.11.1
        set device "port1"
    next
end
FPXVULTM23000083 # sh sys int
config system interface
    edit "port1"
        set description public
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh probe-response
        set type physical
        set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set description hasync
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set description mgmt
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp fgfm radius-acct
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end
FPXVULTM23000083 # sh sys ha
config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 12
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.12.1
    config unicast-peers
        edit 1
            set peer-ip 10.0.2.11
        next
    end
end
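The FortiProxy-A listing above leaves `http` and `telnet` in `allowaccess` on several ports, while the FortiProxy-B listing does not. The following is an added example, not Fortinet code: a small audit that reads a `config system interface` listing and reports interfaces that still allow those cleartext management protocols. The function names are hypothetical, and `SAMPLE_A` is an excerpt constructed from the FortiProxy-A values on this page.

```python
import shlex

CLEARTEXT = {"http", "telnet"}  # management protocols sent unencrypted
KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

def allowaccess_by_interface(cfg):
    """Map interface name -> allowaccess list; parses multi-line or flattened text."""
    tokens = shlex.split(cfg)
    result, depth, iface, i = {}, 0, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if depth == 0:
            if tokens[i:i + 3] == ["config", "system", "interface"]:
                depth, i = 1, i + 2
        elif tok == "config":
            depth += 1            # nested table inside an interface entry
        elif tok == "end":
            depth -= 1
        elif depth == 1 and tok == "edit" and i + 1 < len(tokens):
            iface = tokens[i + 1]
            result[iface] = []
            i += 1
        elif depth == 1 and iface and tokens[i:i + 2] == ["set", "allowaccess"]:
            j = i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1            # values run until the next CLI keyword
            result[iface] = tokens[i + 2:j]
            i = j - 1
        i += 1
    return result

def cleartext_findings(cfg):
    """Return {interface: [cleartext protocols]} for interfaces that allow any."""
    return {name: sorted(CLEARTEXT & set(protos))
            for name, protos in allowaccess_by_interface(cfg).items()
            if CLEARTEXT & set(protos)}

# Constructed excerpt using the FortiProxy-A allowaccess values from this page.
SAMPLE_A = """
config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm
    next
    edit "port2"
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
    next
end
"""

if __name__ == "__main__":
    print(cleartext_findings(SAMPLE_A))
```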
To check the HA status and function:
- In the login page, enter the default username and password: admin/instance ID.
- In the primary FortiProxy, go to System > HA. Check that the HA status is synchronized.
- Configure FortiProxy-A as follows:
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port1"
        set ftp-over-http enable
        set socks enable
        set http-incoming-port 8080
    next
end
FPX-AA-A # sh fire pol 1
config firewall policy
    edit 1
        set type explicit-web
        set uuid 3bd1a338-d81c-51ee-cb7c-ba6426788468
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set logtraffic all
        set log-http-transaction all
        set extended-log enable
        set av-profile "default"
        set groups "<You_Group_Name>"
    next
end
- Log into FortiProxy-B and verify that the above configurations in FortiProxy-A are synchronized to FortiProxy-B.
- Verify the HA cluster's explicit-web proxy by sending proxy requests via the elastic IP of the load balancer.