NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 16

January 25, 2023

59. Lecture-59: High Availability (HA) Theory.

Another topic is redundancy. What is redundancy? Redundancy we call failover; we call it HA, high availability, clustering and fault tolerance. All these things are the name of one thing, one way or another. I know there is some difference, but altogether these words can be used for one specific thing, which we call redundancy, or high availability. Why do we need redundancy? We need a backup solution. It can be hardware, it can be software, it can be a combination of software. It can be workable, it can be anything. Even in our real life.

We need redundancy. Normally we say: we will do this course, and if something goes wrong, I will do this other course. I will apply here as well; if this job is not successful, I will apply there. I will apply to this university for this position or for this degree, and also I will apply to another university. Maybe if I didn’t get admission here, then I will go to the other one. The same thing we do in the network as well: redundancy. If hardware is failed, software is failed, a link is failed, a device is failed, a virtual environment is failed, we have some backup solution and then a makeup solution.

We call them redundancy, high availability, HA, clustering, fault tolerance and redundancy. It can be a link, it can be a device, it can be a firewall, it can be a router, it can be switches, it can be anything, and everywhere you will see redundancy. Even, as I told you, in real life we do the same thing. So you can go through all these. What is all this mentioned? I will go straight away to show you. Even in every device, whenever you buy today, from a Cisco device to any server, you will see two power supplies. We call them redundant power supplies. You plug in one power supply and the other power supply. So it means here is redundancy, high availability, fault tolerance. If one is failing, the other will work. So nowadays in every network device that is coming up, whether it is a Cisco switch or router, a firewall, anything, you will see two power supplies.

So it proves that everywhere there is redundancy. Take links: every organization, from small organization to big organization, has two links. One is the primary link and another is the backup link. The primary link is normally huge, like maybe 200, 500, whatever they are using, and the backup link is normally like 20 MB or maybe 30 MB or 50, depending on the organization. And they are using different ISPs, so if one ISP for some reason is down, they have an alternative. So again we are using HA in the link as well. If you pick any server, like HP and Dell, you will see RAID. RAID is nothing but Redundant Array of Independent Disks, and normally they configure RAID 5 or RAID 50, which is mirroring. So if one device is failed, one hard drive is failed, just plug in a new one and straight away it will work, because they have a mirroring concept there and they will pull up from here.

So again, nowadays in every server we are using this concept. In Cisco switches we have VSS, we are using EtherChannel, we have bundling, we have so many other ways. So if one interface is failed, the other works between the switches. We are using GLBP, we are using VRRP, we are using HSRP: if one switch is down, one router, one gateway is down, the other will work. So again we are using high availability. So what is high availability, why do we need it, and why is it in demand nowadays everywhere? Nobody wants a single second of downtime. We have critical servers which are available 24 hours, and we are providing a service which has to be on all the time; otherwise you have to pay your customer if your service is not available. So that’s why in every scenario we need high availability, and high availability is nothing but availability: your service has to be available all the time, whenever it’s required. We don’t need a single point of failure. If you have a single point of failure, if this thing is down, everything is down.

So for that purpose we need redundancy, so that the business continues and the data is maintained and synchronized. So how will the HA work? Basically, if one device is not working, the other will watch the device. When one is not available, the other will take over; it will work. This automatic scenario we call high availability. So two devices are working in synchronization, like if, suppose, I’m not available tomorrow in the office, I have to tell my colleagues so that they can continue the work, or if I’m going on vacation, I need someone to be available to provide the same service which I do. So this is called high availability. The same thing we do in FortiGate as well, the FortiGate firewall. We deploy two firewalls to work together, and this work-together concept is called high availability. So how they will work, and how this will be synchronized, and how.

So there are two concepts to use in the FortiGate firewall as HA. One is active-passive, the other is active-active. Active-passive, as the name suggests, is active and passive. Active is the device which is receiving the data and forwarding. Passive is just listening to the active one. So when for some reason the active device is not available, the passive will take over automatically. And how? They are using the concept of the HA link, with which they are connected to each other, with the interface, and they are listening to each other. So if the listening stops, it means they say the device is down. And it can monitor the path as well; it can monitor the system, it can monitor the link as well. Maybe the link is down; automatically it will take over. So in this one we have one device as master and the other one as slave. The master we call active, and the slave one we call passive. How we choose, we will see that in the lab. You can give more priority to the master one, so it will become active, and you can give less priority to your slave; it will become passive.

But in this scenario, active-passive, one device will work at a time, not both the devices. It’s easy to configure, easy to deploy and easy to design, and most of the time you will see this type of scenario. We call it active-passive. Another alternative solution is active-active, where both the devices will work together, but it will load balance the traffic. So that is active-active. But it is only for TCP sessions, not for UDP. And active-active we will never see in the real world, because it’s difficult to deploy, difficult to maintain and difficult to troubleshoot.

And most of the time you will face issues. That’s why all the time the students ask me why everywhere we can see active-passive, but we never see an active-active scenario in most of the departments, most of the companies, even in enterprise networks, because with active-active you can utilize both the devices; you can use both the devices all the time. Maybe in active-passive, one device has not been down for years and years. So it means one device you are using is good for nothing, but it’s okay. But in active-active, you can utilize both the devices at the same time.

You can distribute the traffic, you can maintain it, but it is difficult to deploy, difficult to troubleshoot and difficult to maintain. And also in FortiGate only TCP sessions will be load balanced. So what about UDP and ICMP and multicast and broadcast? No? So then why do this one for TCP only? I need to take a big risk to troubleshoot and deploy and divide the traffic to go here and divide the traffic to go to another device; what the hell is this? So that’s why you will never see such type of thing. Most of the time in the real world you will see active-passive. But anyway, it’s this concept: if your organization wants such type of deployment, you can use both the devices to work at the same time, which we call active-active. But to deploy HA on the FortiGate firewall there are some prerequisites: both the devices have to be the same model, both the devices have to have the same interfaces, both the devices have the same hardware model, same operating system, same FortiOS version, whatever, same signatures, same updates, everything the same, same model, same firmware installed. It means it has to be the same in everything, same license file. The only things which cannot be the same are the host name and priority. These two are the only things which cannot be the same, and these are the only two things to identify it: the host name and definitely the priority, because we have to make one active, so definitely we will give it more priority.

Rest of everything has to be similar to deploy two firewalls as an HA. Okay, it’s clear; it can be active-active and it can be active-passive, in any combination. These things have to be followed, otherwise you will face issues. Now, can I monitor the link as well? Maybe the device is up, but the link is down, the LAN interface or the WAN interface. We can do that one as well. Now the next thing: how will these firewalls know about each other if this device does not exist or is down, or the link is down, or the device is down? So they are using the high availability link, which is between the two firewalls. You have to configure them, which we call the HA link as well. So basically on this HA link they are sending hello and heartbeat, and heartbeat is just like a heartbeat, our own one. If somebody is alive, their heart will beat. So the same thing on this HA link which is between the two firewalls. If I have somewhere like this one, this is just used between these two firewalls; we call it the HA link. They are sending hello and heartbeat on these interfaces with each other, and they have some timer. And this heartbeat has been sent, which I will show you in Wireshark; they are using a TCP packet with this EtherType. I will show you from Wireshark when we do the lab. And the heartbeat is sent every 200 milliseconds, sorry, and they are using a local IP, which we call APIPA as well, this IP. Whenever in the Windows operating system the system did not find any DHCP, or you did not assign any IP, it will get this IP. We call it APIPA, Automatic Private IP Addressing. So these HA links are using this IP to send and receive heartbeat hello packets. And between these two firewalls we will use a cross cable. We have two types of cable: straight cable and cross cable.

And the heartbeat priority range can be set again; I will show you in real when we do the lab. So, when they are not receiving eight heartbeats, they will consider the other firewall down, and it will consider itself active. And this is the way it works. Now, what about the session? The session will be transferred; you will not be disconnected. Maybe you are already connected, Telnet, SSH, HTTP, and suddenly the device is down, the active one. Don’t worry, the session is already there in the passive as well. Now, before doing HA, we need to know some terminologies. Failover: what is failover? Failover means when one device is not working for some reason and it’s not forwarding the traffic for some reason, maybe it’s down, maybe some other issue, and the other device takes over. So this method we call failover. The failed device has been taken over; so this takeover method we call failover. So in this case, suppose this device was active, the master, but for some reason it’s down and this device takes over, because it was slave before, but now it’s active. So this method we call failover.

Another is heartbeat messages. What is a heartbeat message? A heartbeat message is nothing but to just verify whether the other device is active or not, whether the other device is available, alive or not. To check the heart, whether it is beating or not; if it is not, the person is dying. The same thing they are sending and receiving, which I will show you in the TCP packet, 100, 200 milliseconds with each other. If they are not receiving, they will consider the other device down. Link monitoring: not only the device; maybe the device is up, but the LAN interface or the WAN interface is down, so we can monitor them as well. So if the WAN interface is down, the other firewall will take over, because the other firewall has another interface to the WAN. So you can do this one as well, maybe the device is alive. This type of thing we call interface monitoring or port monitoring. Another terminology is priority. What is priority? In two devices you have to decide, because both devices have the same hardware, same interfaces, same operating system, same everything. So how will you make one device active? You have to use priority.

Priority is nothing, just a value. The more value you give, it will become active and it will take the master role, and the other will automatically become slave. So this type of thing, when we need it, we configure priority, which we call priority. And priority is nothing, just a value, a numerical value. Now, how it will work: it is a numerical value. And if one device is down, if it is rebooted, what will happen? So suppose you have a master firewall and for some reason it’s down. So the lower number, the priority which I gave you, the numerical value, it will automatically become master. But if you want, if the master is back, you can make it automatically become master again. So it’s also possible; in Palo Alto we call it preemption, and also in Cisco we call it preemption. Another thing in terminology is session pickup. What is session pickup? As I told you, maybe you are already connected through SSH, Telnet, HTTP, for which the three-way handshake has been done and everything, and you are connected. Suddenly the device is down. It’s okay.

The secondary device will keep the session. So whenever the primary device is down, the secondary has already synchronized the session, and this we call session pickup, and it will already be connected automatically. In simple words, you can configure unicast HA heartbeat. If you want, you can configure both the devices not to use broadcast, for some reason, if broadcast is not supported in your environment or some other thing, normally in a virtual environment. So you can configure heartbeat on unicast as well. It’s also possible. That’s it, and this methodology we will use next time: primary and secondary. We will create two firewalls and we will make them as an HA. We will generate some traffic and bring down one firewall to see whether we have session pickup or not. And then we will make some interface down to see whether the other takes over or not. These are the things which we will see in the lab. And these are some terminology before going to HA.
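A FortiOS 6.4 CLI configuration for the active-passive pair described in the lecture, added here as an example and not the lecture's own lab configuration; the hostnames, group name, password, heartbeat address and interface names (port3 as the dedicated HA link, port1/port2 as the monitored WAN and LAN ports) are assumed placeholders.

```fortios
# Unit A, intended master. Hostname is one of the two values that must differ.
config system global
    set hostname FGT-A
end
config system ha
    # group name, group id and password must match on both units
    set group-name "NSE4-HA"
    set group-id 10
    set password ha-secret-PLACEHOLDER
    # a-p = active-passive (a-a would be active-active, TCP load balancing only)
    set mode a-p
    # dedicated heartbeat interface (cross cable) with its heartbeat priority
    set hbdev "port3" 50
    # 2 x 100 ms = 200 ms between heartbeats; peer declared down after 6 misses
    set hb-interval 2
    set hb-lost-threshold 6
    # higher priority wins the master role; override = preemption when it returns
    set priority 200
    set override enable
    # interface (port) monitoring: fail over when the WAN or LAN link drops
    set monitor "port1" "port2"
    # synchronise TCP sessions so the new master keeps existing SSH/HTTP sessions
    set session-pickup enable
end

# Unit B, intended slave: identical except for the hostname and a lower priority.
config system global
    set hostname FGT-B
end
config system ha
    set group-name "NSE4-HA"
    set group-id 10
    set password ha-secret-PLACEHOLDER
    set mode a-p
    set hbdev "port3" 50
    set hb-interval 2
    set hb-lost-threshold 6
    set priority 100
    set override enable
    set monitor "port1" "port2"
    set session-pickup enable
end

# Optional, on both units, in a virtual environment where broadcast heartbeat
# is not supported: unicast heartbeat to the peer's heartbeat-interface IP
# (169.254.0.2 is an assumed placeholder; the peer would point at 169.254.0.1).
config system ha
    set unicast-hb enable
    set unicast-hb-peerip 169.254.0.2
end
```

After both units are cabled on port3, `get system ha status` on either unit shows which one holds the master role and whether the configurations are in sync.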
