Fortinet Version 3.0 manual Example FortiGate HA cluster FortiBridge application


FortiBridge operating principles

Example FortiGate HA cluster FortiBridge application

A FortiBridge unit can provide fail open protection for a FortiGate HA cluster operating in transparent mode in much the same way as for a standalone FortiGate unit. To provide fail open protection for an HA cluster, connect the FortiBridge unit to the switches that connect the internal and external interfaces of the cluster. Use the following steps to connect a FortiBridge unit to the HA cluster, as shown in Figure 7:

Figure 7: FortiBridge unit providing fail open protection for a FortiGate HA cluster

[Figure not reproduced. Labels: FortiBridge unit (Normal mode) with interfaces INT 1, EXT 1, INT 2 and EXT 2; Internal network; Router; Internet; HA cluster (Transparent mode) with Internal and External interfaces; Probe packets.]

The network configuration and FortiBridge configuration are the same for a cluster and for a standalone FortiGate unit. In normal mode, packets pass through the FortiBridge unit and through the FortiGate HA cluster and back through the FortiBridge unit. For the cluster to process this traffic, you must add Internal -> External firewall policies to the cluster configuration. If a failure occurs and the cluster no longer processes traffic, the FortiBridge unit switches to bypass mode, bypassing the cluster.

The connection procedure is different depending on whether the FortiBridge unit uses copper gigabit ethernet network connections or fiber gigabit ethernet network connections. This section includes the following connection procedures:

Connecting the FortiBridge-1000 (copper gigabit ethernet)

Connecting the FortiBridge-1000F (fiber gigabit ethernet)

Connecting the FortiBridge-1000 (copper gigabit ethernet)

The FortiBridge-1000 unit contains 4 auto-sensing 10/100/1000 Ethernet interfaces that connect to the internal and external networks and to the cluster interfaces that were connected to these networks. Use the following steps to connect a FortiBridge-1000 unit to the network as shown in Figure 7.

Note: Normally, you would use straight-through ethernet cables to connect the FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some connections you may need a crossover ethernet cable (for example, for compatibility with network devices that do not support Auto MDI/MDIX).

FortiBridge Version 3.0 Administration Guide

09-30000-0163-20061109
