Fortigate High Availability – Active/Active – Part 2 – Implementation

In Part 1 we got the prerequisites sorted out for the HA (removed all PPPoE or DHCP address assignment from the FG boxes and VLANed a switch to split the inputs between both boxes). Part 2 is considerably easier: the cabling had been done for the VLANs, so now we had to designate 2x ports as our cluster comms ports. I chose port1 and port2 on each box, each given a weight of 50:...

February 16, 2014 Myles Gray

Fortigate High Availability – Active/Active – Part 1 – Preparation

Introduction: I recently set up 2x Fortigate 200B units to run in HA Active/Active mode; this posed a number of challenges:
HA doesn’t work if any interfaces use PPPoE or have an address assigned via DHCP.
How do I effectively split our network communications between both units?
The PPPoE Problem: The main problem was that both internet connections used PPPoE for address assignment and auth. I had taken care of one of these previously, as it was a simple ADSL link our Fortigate units didn’t allow for, so we had a Cisco 837 box to terminate the PPPoE on a virtual interface and unnumber the static external IP to an internal interface....

February 11, 2014 Myles Gray

Changing Fortigate from Switch mode to Interface mode

Fortigate units (the big ones at least) come configured in what is called “switch mode”, meaning a number of interfaces are grouped together and act as a switch, with DHCP served over these interfaces, etc. Most companies don’t like to use this; instead, if we want to up our throughput for a given zone we’d create an 802.3ad aggregate link out of 2 or more of the interfaces....

February 11, 2014 Myles Gray

Enabling disk logging on a FortiGate

Fortigate’s logging typically isn’t the best, but it’s worse when you have no logs at all, which seems to be the default. To enable logging on Fortigate models with an internal SSD/HDD, use the following commands:
    config log disk setting
        set status enable
You can now collect and view your logs in the Log & Report section. N.B. As of FortiOS 5.2 this has been disabled on all SMB class (100D and below) units....

December 2, 2013 Myles Gray

Installing MegaRAID Storage Manager on openSUSE

Introduction: Centrally managing your storage is nice, especially when you’ve just built your own SANs (or such). I created a synchronous replicating SAN cluster using LSI MegaRAID 9270-8i cards in 2x Dell R720XD chassis built on openSUSE 12.3 (more on that in another article soon). We are migrating from 2x Dell MD3000i to these beasts built on a pure-CLI OS. Some people like GUIs and that’s okay, so for day-to-day admin, email reporting on problems and basic configuration and tasks LSI offer (free) MegaRAID Storage Manager....

October 2, 2013 Myles Gray

Upgrading vCenter Server Appliance to vCSA 5.5

So you’ve downloaded all the new VMWare 5.5 goodies and you want to upgrade your vCSA install to v5.5. This is a little more involved than you may think, however it is very much worth the effort: in vSphere 5.5, the vCenter Server Appliance limits have been raised considerably when using the embedded database. Prior to vSphere 5.5, the limits were: 5 vSphere Hosts, 50 Virtual Machines. With vSphere 5....

September 23, 2013 Myles Gray

Syslogd on FortiOS 5.0.4

Again, Fortigate’s documentation falls down at the simplest of things, this time syslogging. To get your Fortigate to log to a syslog server (like Kiwi/Splunk) you’ll need to go in via the CLI, as they have removed this option from the GUI as of FortiOS v5.0. Log in via shell and enter the following:
    config log syslogd setting
        set status enable
        set server [ip.or.dns-name.here]
    end
I have seen where people say you need to explicitly:...

September 18, 2013 Myles Gray

Veeam Hot-Add Mode Fails – Mismatching VMFS block size

Recently had a problem where Veeam was giving bother on one VM that had a dedicated datastore, not allowing hot-add virtual appliance mode to work. I originally thought it was a problem with CBT (changed block tracking), so I disabled that, with no luck. As it transpires there were a few (all datastore formatting related) problems: the Veeam proxy’s datastore was formatted in VMFS-3 with a 2MB block size and upgraded to VMFS-5 (retaining its 2MB block size of course, otherwise a reformat would be needed)....

September 17, 2013 Myles Gray

Change MTU to support Jumbo Frames in FortiOS

This info is quite hard to come across and Fortigate don’t have it in their GUI from FortiOS v5.0+. SSH into your Fortigate’s CLI and enter the following (it can be done on both software aggregated and standard interfaces):
    config system interface
        edit [interfacename]
            set mtu-override enable
            set mtu 9208
        end
    end
Confirm your MTU size change has worked on the given interface by plugging directly into it (test MTU in accordance with my guide here)....

September 9, 2013 Myles Gray

How to test if 9000 MTU/Jumbo Frames are working

Introduction: Fairly straightforward this time. You’ve configured your MTU/jumbo frames to be 9000 on your client and destination devices (say a laptop/desktop/server/SAN/NAS) and on ALL your switching devices in between; you’ve done that, right? ;) Testing: So the next step is, we want to test if our new 9000 byte MTU is actually working and we can reap the benefits of a larger packet size (whether it’s on iSCSI, LAN, whatever), being of course a higher latency but also higher throughput....

September 9, 2013 Myles Gray