
In this exercise, you will configure a spare interface of the cluster to be a non-synchronizing management interface. This will allow both FortiGates to be reachable for SNMP and management purposes only.

If a management interface is not configured, you will have access to the GUI for only the primary FortiGate in the cluster. However, you can connect to the secondary FortiGate through the primary FortiGate's CLI.

Accessing the Secondary FortiGate through the Primary FortiGate CLI

You will be connecting to the secondary FortiGate through the primary FortiGate's CLI.

To access the secondary FortiGate through the primary FortiGate CLI

1. From the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).

2. Log in as admin.

3. Type the following command to access the secondary FortiGate CLI through the primary’s HA link (use ? to list the id values):

    execute ha manage <id>

4. Log in as admin.

5. Run the following command to get the status of the secondary FortiGate:

    get system status

View the Current HA mode line. You will notice that the Remote-FortiGate device is a-a backup.

6. To return to the CLI of Local-FortiGate (the primary), run the command below:

    exit

Setting up a Management Interface

LAB 4 –High Availability

interface. This allows you to configure a different IP address for this interface for each FortiGate in the HA cluster.

To set up a management interface

1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI (normally the primary) at 10.0.1.254.

2. Go to System > HA.

3. Edit the Local-FortiGate.

4. Select Reserve Management Port for Cluster Member and choose port7.

5. Click Apply.

Note: Port7 connects to the same LAN segment as port3.

Configuring and Accessing Using the Management Interface for the Primary FortiGate

You will be configuring and verifying access to the primary FortiGate using the management interface.

To configure and verify access using the management interface for the primary FortiGate

1. Go to the Local-FortiGate console.

2. Log in as admin.

3. Configure port7 as follows:

    config system interface
    edit port7
    set ip 10.0.1.253/24
    set allowaccess http snmp ping ssh
    end

Note: Even though this address overlaps with port3, and would not normally be allowed (FortiGate does not allow overlapping subnets), it is allowed here because the interface now has a special purpose, and is excluded from the routing table.

4. From the Local-Windows, open a web browser and log in as admin to the Local-FortiGate GUI at 10.0.1.253.

This will verify connectivity to port7.

Configuring and Accessing Using the Management Interface for the Secondary FortiGate

You will be configuring and verifying access to the secondary FortiGate using the management interface.

To configure and verify access using the management interface for the secondary FortiGate

1. Go to the Remote-FortiGate console.

2. Log in as admin.

3. Verify that the non-synchronizing interface settings have been synced to the secondary:

    show system ha

Look for ha-mgmt-status and ha-mgmt-interface. These should be set.

4. In the Remote-FortiGate console, verify that port7 has no configuration by running the following command:

    show system interface

5. Configure port7 through the CLI:

    config system interface
    edit port7
    set ip 10.0.1.252/24
    set allowaccess http ping ssh snmp
    end

6. From the Local-Windows, open a web browser and log in as admin to the Remote-FortiGate GUI at 10.0.1.252.

This will verify connectivity to port7.

Each device in the cluster now has its own management IP address for monitoring purposes.
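
Added example, not part of the original lab guide: a Python check that parses `config system interface` output and reports cleartext management protocols in `allowaccess` as well as overlapping subnets, such as the port7/port3 overlap noted above. The sample configuration, the port3 settings, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of `show system interface` output after the lab steps.
SAMPLE_CONFIG = """\
config system interface
    edit "port3"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port7"
        set ip 10.0.1.253 255.255.255.0
        set allowaccess ping ssh snmp http
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # allowaccess values that carry admin logins unencrypted

def parse_interfaces(text):
    """Return {name: {"ip": IPv4Interface or None, "allowaccess": set}} per edit block."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = interfaces.setdefault(m.group(1), {"ip": None, "allowaccess": set()})
        elif line in ("next", "end"):
            current = None
        elif current is not None and line.startswith("set ip "):
            # Accepts both "10.0.1.253/24" (as typed) and "10.0.1.253 255.255.255.0" (as shown).
            current["ip"] = ipaddress.ip_interface("/".join(line.split()[2:4]))
        elif current is not None and line.startswith("set allowaccess "):
            current["allowaccess"] = set(line.split()[2:])
    return interfaces

def audit(text, reserved_mgmt=("port7",)):
    """List cleartext-protocol and subnet-overlap findings; reserved_mgmt is an assumption."""
    ifaces, findings = parse_interfaces(text), []
    for name, cfg in sorted(ifaces.items()):
        for proto in sorted(cfg["allowaccess"] & CLEARTEXT):
            findings.append(f"{name}: cleartext management protocol '{proto}' enabled")
    named = sorted(n for n, c in ifaces.items() if c["ip"] is not None)
    for i, a in enumerate(named):
        for b in named[i + 1:]:
            if ifaces[a]["ip"].network.overlaps(ifaces[b]["ip"].network):
                kind = "reserved HA mgmt" if {a, b} & set(reserved_mgmt) else "unexpected"
                findings.append(f"{a}/{b}: overlapping subnet ({kind})")
    return findings
```

Outside a lab, the `http` finding on the management port is normally resolved by allowing `https` instead.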

Disconnecting FortiGate from the Cluster

You will be disconnecting the Remote-FortiGate from the cluster. FortiGate will prompt you to configure an IP address on any port on FortiGate so that you can access it after disconnecting.

To disconnect FortiGate from the cluster

1. From the Local-Windows, open a browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.

2. Go to System > HA.

3. For the Remote-FortiGate, click the Disconnect from cluster icon. This will remove the FortiGate from the HA cluster.

4. When prompted, configure port3 with the IP address of 10.0.1.251/24.

Restoring the Remote-FortiGate Configuration

Now you will restore the Remote-FortiGate configuration so that you can use the Remote-FortiGate in the next labs.

Note: Failure to do these steps will prevent you from doing the next exercise.

To restore the Remote-FortiGate configuration

1. In the Local-Windows, open a browser and log in as admin to the Remote-FortiGate GUI at 10.0.1.251.

2. Go to Dashboard, and from the System Information widget click Restore.

© FORTINET

3. From your local PC (Local-Windows), click Upload and browse to Desktop > Resources > FortiGate-I > Introduction and select remote-initial.conf.

4. Click OK.

5. Click OK.

LAB 5–Advanced IPsec VPN

In this lab, you will configure redundant VPN tunnels with failover capability between two FortiGates. You will also create a dial-up VPN between a FortiGate and FortiClient.

Objectives

• Deploy a dialup VPN between two FortiGates.

• Deploy a dialup VPN for FortiClient.

• Configure redundant VPNs between two FortiGates.

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must restore configuration files to the Local-FortiGate and Remote-FortiGate.

To restore the Remote-FortiGate configuration file

1. From the Local-Windows VM, open a browser and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.

2. Go to Dashboard, and from the System Information widget click Restore.

3. Select to restore from Local PC and click Upload.

4. Browse to Desktop > Resources > FortiGate-II > Advanced-IPsec and select remote-advanced-ipsec.conf.

5. Click OK.

6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.

2. Go to Dashboard, and from the System Information widget click Restore.

3. Select to restore from Local PC and click Upload.

4. Browse to Desktop > Resources > FortiGate-II > Advanced-IPsec and select local-advanced-ipsec.conf.

5. Click OK.

1 Configure an IPsec VPN Between Two