Fortinet black logo

FortiWeb-VM on VMware ESXi

Home FortiWeb Private Cloud FortiWeb-VM on VMware ESXi

Configuring vSwitches and vLANs to support an HA group on ESXi

Configuring vSwitches and vLANs to support an HA group on ESXi

To include FortiWeb-VM deployed on an ESXi hypervisor in a high availability (HA) group, ensure that the vSwitch and vLAN Promiscuous Mode, MAC Address Changes and Forged Transmits security policies are configured as shown in the following tables. The configurations allow the VM to become part of a group and process traffic correctly if there is a failover.

The following configurations apply to all ports except the ones for HA heartbeat and reserved management, because they use the MAC addresses and don't need to follow the Accept and Reject rules listed below.

Table 1: vSwitch and vLAN security policies when FortiWeb is deployed in Reverse Proxy operation mode

active-passive HA / active-active standard HA

active-active high volume HA
vSwitch vLAN vSwitch vLAN
Promiscuous mode Reject Reject Accept Accept
MAC Address Changes Accept Accept Accept Reject
Forged Transmits Accept Accept Accept Accept

Table 2: vSwitch and vLAN security policies when FortiWeb is deployed in True Transparent Proxy operation mode

active-passive HA / active-active standard HA
vSwitch vLAN
Promiscuous mode Reject Accept
MAC Address Changes Accept Accept
Forged Transmits Accept Accept

It's suggested to exactly follow the configurations listed in the tables above, especially for the Accept settings, because changing the settings from Accept to Reject will lead to traffic disruption.

However, it's allowed to change the settings from Reject to Accept because the traffic will not be affected in this way. Just keep in mind that it may compromise the security of the network.

  1. Log in to the vSphere Client and select the host from the inventory panel.
  2. Click the Configuration tab and click Networking.
  3. On the right side of the page, click Properties for the vSwitch to edit.
  4. Click the Ports tab.
  5. Select the vSwitch item in the Configuration list, and click Edit.
  6. Click the Security tab.
  7. For Promiscuous Mode, MAC Address Changes and Forged Transmits, configure them as shown in the tables above.
  8. Select the vLAN item and configure Promiscuous Mode, MAC Address Changes and Forged Transmits as specified.
  9. Click OK.
Previous
Next

Configuring vSwitches and vLANs to support an HA group on ESXi

To include FortiWeb-VM deployed on an ESXi hypervisor in a high availability (HA) group, ensure that the vSwitch and vLAN Promiscuous Mode, MAC Address Changes and Forged Transmits security policies are configured as shown in the following tables. The configurations allow the VM to become part of a group and process traffic correctly if there is a failover.

The following configurations apply to all ports except the ones for HA heartbeat and reserved management, because they use the MAC addresses and don't need to follow the Accept and Reject rules listed below.

Table 1: vSwitch and vLAN security policies when FortiWeb is deployed in Reverse Proxy operation mode

active-passive HA / active-active standard HA

active-active high volume HA
vSwitch vLAN vSwitch vLAN
Promiscuous mode Reject Reject Accept Accept
MAC Address Changes Accept Accept Accept Reject
Forged Transmits Accept Accept Accept Accept

Table 2: vSwitch and vLAN security policies when FortiWeb is deployed in True Transparent Proxy operation mode

active-passive HA / active-active standard HA
vSwitch vLAN
Promiscuous mode Reject Accept
MAC Address Changes Accept Accept
Forged Transmits Accept Accept

It's suggested to exactly follow the configurations listed in the tables above, especially for the Accept settings, because changing the settings from Accept to Reject will lead to traffic disruption.

However, it's allowed to change the settings from Reject to Accept because the traffic will not be affected in this way. Just keep in mind that it may compromise the security of the network.

  1. Log in to the vSphere Client and select the host from the inventory panel.
  2. Click the Configuration tab and click Networking.
  3. On the right side of the page, click Properties for the vSwitch to edit.
  4. Click the Ports tab.
  5. Select the vSwitch item in the Configuration list, and click Edit.
  6. Click the Security tab.
  7. For Promiscuous Mode, MAC Address Changes and Forged Transmits, configure them as shown in the tables above.
  8. Select the vLAN item and configure Promiscuous Mode, MAC Address Changes and Forged Transmits as specified.
  9. Click OK.
Previous
Next