High Availability (5.6.1)
New High Availability features added to FortiOS 5.6.1.
HA cluster Uptime on HA Status dashboard widget (412089)
The HA Cluster dashboard widget now displays how long the cluster has been operating (Uptime) and the time since the last failover occurred (State Changed). You can hover over the State Changed time to see the event that caused the state change.
You can also click on the HA Status dashboard widget to configure HA settings or to get a listing of the most recent HA events recorded by the cluster.
FGSP with static (non-dialup) IPsec VPN tunnels and controlling IKE routing advertisement (402295)
Until FortiOS 5.6.1, the FortiGate Session Life Support Protocol (FGSP) only supported IPsec tunnel synchronization for dialup (or dynamic) IPsec VPN tunnels. FortiOS 5.6.1 now also supports IPsec tunnel synchronization for static IPsec VPN tunnels. No special FGSP or IPsec VPN configuration is required. You can configure static IPsec VPN tunnels normally and create a normal FGSP configuration.
An additional feature has been added to support some FGSP configurations that include IPsec VPNs. A new CLI option allows you to control whether IKE routes are added to the FGSP backup unit.
config system cluster-sync
    edit 0
        set slave-add-ike-routes {enable | disable}
end
Enable this option to add IKE routes to the backup unit. Disable it if the IKE routes should not be added to the backup unit.
High Availability (5.6)
VRRP support for synchronizing firewall VIPs and IP Pools (0397824)
FortiOS VRRP HA now supports failover of firewall VIPs and IP Pools when the status of a virtual router (VR) changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each VR's Virtual MAC (VMAC). After failover, the IP ranges added to the new primary VR will be routed to the new primary VR's VMAC.
Use the following command to add a proxy ARP address range and a single IP address to a VR added to a FortiGate's port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP Pools added to the port5 interface:
config system interface
    edit port5
        config vrrp
            edit 1
                config proxy-arp
                    edit 1
                        set ip 192.168.62.100-192.168.62.200
                    next
                    edit 2
                        set ip 192.168.62.225
                end
        end
end
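The matching requirement above can be checked offline before a failover test. The following is an added example, not Fortinet code: it reads the proxy-arp entries out of configuration text and reports which parts of a VIP or IP Pool range no entry covers. The function names and the VIP and IP Pool ranges in the demo are assumptions made for illustration.

```python
import ipaddress

# proxy-arp block from the page, used as sample input
SAMPLE_CONFIG = (
    "config system interface\nedit port5\nconfig vrrp\nedit 1\n"
    "config proxy-arp\nedit 1\nset ip 192.168.62.100-192.168.62.200\n"
    "next\nedit 2\nset ip 192.168.62.225\nend\nend\nend\n"
)

def parse_range(text):
    """'a.b.c.d' or 'a.b.c.d-e.f.g.h' -> (first, last) as integers."""
    first, _, last = text.strip().partition("-")
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last or first))
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi

def fmt(lo, hi):
    a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    return str(a) if lo == hi else f"{a}-{b}"

def proxy_arp_ranges(config_text):
    """Collect 'set ip' values that sit directly inside a 'config proxy-arp' table."""
    stack, found = [], []
    for tok in (line.split() for line in config_text.splitlines()):
        if tok[:1] == ["config"]:
            stack.append(" ".join(tok[1:]))
        elif tok[:1] == ["end"] and stack:
            stack.pop()
        elif tok[:2] == ["set", "ip"] and len(tok) == 3 and stack[-1:] == ["proxy-arp"]:
            found.append(parse_range(tok[2]))
    return found

def gaps(target, ranges):
    """Parts of a VIP or IP Pool range that no proxy-arp entry covers."""
    lo, hi = parse_range(target)
    missing = []
    for r_lo, r_hi in sorted(ranges):
        if lo <= r_hi and r_lo <= hi:  # entry overlaps what is still unchecked
            if r_lo > lo:
                missing.append(fmt(lo, r_lo - 1))
            lo = r_hi + 1
    if lo <= hi:
        missing.append(fmt(lo, hi))
    return missing

if __name__ == "__main__":
    for target in ("192.168.62.150", "192.168.62.190-192.168.62.230"):  # constructed ranges
        print(target, "->", gaps(target, proxy_arp_ranges(SAMPLE_CONFIG)) or "covered")
```

Any range the check reports as missing would not be mapped to the VR's VMAC, so it would not follow the VR after a failover.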