System config

HA configuration

 

 

You can enable heartbeat communications for physical interfaces, but not for VLAN subinterfaces.

Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails, the HA heartbeat can be diverted to another interface.

HA heartbeat traffic can use a considerable amount of network bandwidth. If possible, enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on interfaces connected to less busy networks.

Table 5: Default heartbeat device configuration

FortiGate model

Default heartbeat device

Default priority

FortiGate-100A

External

50

 

 

 

 

DMZ 2

100

 

 

 

Change the heartbeat device priorities as required to control the interface that is used for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface with the highest heartbeat priority fails or is disconnected.

Setting the heartbeat priority for more interfaces increases the reliability of the cluster. To optimize bandwidth use, you can route most heartbeat traffic to interfaces that handle less network traffic. You can also create a failover path by setting heartbeat priorities so that you can control the order in which interfaces are used for heartbeat traffic.

The heartbeat priority must be set for at least one cluster interface. If heartbeat communication is interrupted the cluster stops processing traffic.

Heartbeat device IP addresses

You do not need to assign IP addresses to the heartbeat device interfaces for them to be able to process heartbeat packets. In HA mode the cluster assigns virtual IP addresses to the heartbeat device interfaces. The primary cluster unit heartbeat device interface is assigned the IP address 10.0.0.1 and the subordinate unit is assigned the IP address 10.0.0.2. A third cluster unit would be assigned the IP address 10.0.0.3 and so on.

For best results, isolate each heartbeat device on its own network. Heartbeat packets contain sensitive information about the cluster configuration. Also, heartbeat packets may use a considerable amount of network bandwidth and it is preferable to isolate this traffic from your user networks. The extra bandwidth used by heartbeat packets could also reduce the capacity of the interface to process network traffic.

For most FortiGate models if you do not change the heartbeat device configuration, you would isolate the HA interfaces of all of the cluster units by connecting them all to the same switch. If the cluster consists of two FortiGate units you can connect the heartbeat device interfaces directly using a crossover cable.

HA heartbeat and data traffic are supported on the same FortiGate interface. In NAT/Route mode, if you decide to use the heartbeat device interfaces for processing network traffic or for a management connection, you can assign the interface any IP address. This IP address does not affect the heartbeat traffic. In Transparent mode, you can connect the interface to your network.

FortiGate-100A Administration Guide

01-28007-0068-20041203

89

Page 89
Image 89
Fortinet 100A manual Heartbeat device IP addresses

100A specifications

Fortinet 100A is a versatile network security device designed to provide comprehensive protection against various cyber threats while ensuring optimal network performance. As part of the FortiGate series, the 100A combines advanced security features with powerful hardware capabilities, making it suitable for small to medium-sized businesses.

One of the key features of the Fortinet 100A is its deep packet inspection technology. This capability allows the firewall to analyze both the header and payload of packets traversing the network, enabling it to detect and block malicious content effectively. The 100A can identify and mitigate a wide range of threats, including malware, intrusions, and application-layer attacks.

The FortiOS operating system powers the Fortinet 100A, offering a robust and user-friendly interface for configuration and management. With its unified security management console, administrators can efficiently monitor network traffic and enforce security policies across the organization. The system provides centralized logging and reporting features, enabling users to gain valuable insights into their security posture and respond swiftly to incidents.

The 100A supports multiple deployment modes, including transparent, NAT, and route modes. This flexibility allows organizations to integrate the device into their existing network architecture with ease. The firewall's high throughput capabilities ensure that network performance remains unaffected, even under heavy load from multiple users and devices.

Another notable aspect of the Fortinet 100A is its support for various VPN technologies, including IPsec and SSL VPN. This feature facilitates secure remote access for employees, enabling them to connect to the corporate network safely, regardless of their location. As remote work continues to be a norm in many sectors, this capability is critical for maintaining productivity and security.

In addition to these features, the Fortinet 100A provides comprehensive web filtering capabilities, protecting users from harmful websites and inappropriate content. This protection is essential for organizations looking to maintain a secure and productive environment.

With its combination of powerful security features, flexible deployment options, and robust performance, the Fortinet 100A stands out as an ideal solution for organizations seeking to bolster their cybersecurity measures while ensuring seamless connectivity for users. As cyber threats continue to evolve, investing in a capable device like the FortiGate 100A is crucial for maintaining a secure network infrastructure.