
Configuring HA settings on the FortiProxy-VMs

Configuring HA settings on the FortiProxy-VMs

After the FortiProxy VMs are successfully deployed, configure HA in `config-sync-only` mode on the two VMs using CLI commands over SSH. In this mode both VMs stay active and serve traffic independently; only the configuration is synchronized between them, and traffic distribution across the pair is handled by the load balancer placed in front of them (see the verification steps below).

To configure FortiProxy-A using the CLI (note that the `allowaccess` lists shown below for FortiProxy-A enable http, telnet, fgfm and several other administrative protocols on the public (port1), HA-sync (port2) and management (port3) interfaces; in production, restrict each interface to the protocols it actually needs — the FortiProxy-B example further down shows a tighter set — and prefer https/ssh over http/telnet):
config router static
    edit 1
        set gateway 10.0.1.1
        set device "port1"
    next
end

config system interface
    edit "port1"
	 set description public
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
	 set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set description hasync
	 set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 2
    next
    edit "port3"
	 set description mgmt
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end

config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 111
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.2.1
    config unicast-peers
        edit 2
            set peer-ip 10.0.12.11
        next
    end
end
To configure FortiProxy-B using the CLI (the `FPXVULTM23000083 #` lines below are the device prompt followed by a `show` command whose output follows, not commands to enter; the HA settings must match FortiProxy-A's group-id, group-name and mode, differing only in the interface addresses, gateways, peer IP and priority):
config router static
    edit 1
        set gateway 10.0.11.1
        set device "port1"
    next
end

FPXVULTM23000083 # sh sys int
config system interface
    edit "port1"
	 set description public
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh probe-response
        set type physical
	 set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
	 set description hasync
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 2
    next
    edit "port3"
	 set description mgmt
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp fgfm radius-acct
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end

FPXVULTM23000083 # sh sys ha
config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 12
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.12.1
    config unicast-peers
        edit 1
            set peer-ip 10.0.2.11
        next
    end
end
To check the HA status and function:
  1. In the login page, enter the default credentials: username admin and, as the password, the VM's instance ID. Change this password on first login — the instance ID is not a secret.
  2. In the primary FortiProxy, go to System > HA. Check that the HA status is synchronized.
  3. Configure FortiProxy-A as follows:

    config web-proxy explicit-proxy
        edit "web-proxy"
            set status enable
            set interface "port1"
            set ftp-over-http enable
            set socks enable
            set http-incoming-port 8080
        next
    end
     
    FPX-AA-A # sh fire pol 1
    config firewall policy
        edit 1
            set type explicit-web
            set uuid 3bd1a338-d81c-51ee-cb7c-ba6426788468
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set log-http-transaction all
            set extended-log enable
            set av-profile "default"
            set groups "<Your_Group_Name>"
        next
    end
  4. Log in to FortiProxy-B and verify that the explicit proxy and firewall policy configured on FortiProxy-A above have been synchronized to it (for example with `show web-proxy explicit-proxy` and `show firewall policy 1`).
  5. Verify the HA cluster's explicit-web proxy by sending proxy requests through the load balancer's elastic IP to the configured incoming port (8080). Because the policy above matches `srcaddr "all"` on the public interface and relies on membership in the configured user group for authorization, make sure the cloud security group and the load balancer listener restrict which sources can reach the proxy port; otherwise the pair is exposed as an Internet-facing proxy endpoint.

Configuring HA settings on the FortiProxy-VMs

After the FortiProxy VMs are successfully deployed, configure HA in `config-sync-only` mode on the two VMs using CLI commands over SSH. In this mode both VMs stay active and serve traffic independently; only the configuration is synchronized between them, and traffic distribution across the pair is handled by the load balancer placed in front of them (see the verification steps below).

To configure FortiProxy-A using the CLI (note that the `allowaccess` lists shown below for FortiProxy-A enable http, telnet, fgfm and several other administrative protocols on the public (port1), HA-sync (port2) and management (port3) interfaces; in production, restrict each interface to the protocols it actually needs — the FortiProxy-B example further down shows a tighter set — and prefer https/ssh over http/telnet):
config router static
    edit 1
        set gateway 10.0.1.1
        set device "port1"
    next
end

config system interface
    edit "port1"
	 set description public
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
	 set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set description hasync
	 set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 2
    next
    edit "port3"
	 set description mgmt
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end

config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 111
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.2.1
    config unicast-peers
        edit 2
            set peer-ip 10.0.12.11
        next
    end
end
To configure FortiProxy-B using the CLI (the `FPXVULTM23000083 #` lines below are the device prompt followed by a `show` command whose output follows, not commands to enter; the HA settings must match FortiProxy-A's group-id, group-name and mode, differing only in the interface addresses, gateways, peer IP and priority):
config router static
    edit 1
        set gateway 10.0.11.1
        set device "port1"
    next
end

FPXVULTM23000083 # sh sys int
config system interface
    edit "port1"
	 set description public
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh probe-response
        set type physical
	 set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
	 set description hasync
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 2
    next
    edit "port3"
	 set description mgmt
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp fgfm radius-acct
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 4
    next
end

FPXVULTM23000083 # sh sys ha
config system ha
    set group-id 11
    set group-name "FPX-config-sync"
    set mode config-sync-only
    set hbdev "port2" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 12
    set ha-direct enable
    set unicast-status enable
    set unicast-gateway 10.0.12.1
    config unicast-peers
        edit 1
            set peer-ip 10.0.2.11
        next
    end
end
To check the HA status and function:
  1. In the login page, enter the default credentials: username admin and, as the password, the VM's instance ID. Change this password on first login — the instance ID is not a secret.
  2. In the primary FortiProxy, go to System > HA. Check that the HA status is synchronized.
  3. Configure FortiProxy-A as follows:

    config web-proxy explicit-proxy
        edit "web-proxy"
            set status enable
            set interface "port1"
            set ftp-over-http enable
            set socks enable
            set http-incoming-port 8080
        next
    end
     
    FPX-AA-A # sh fire pol 1
    config firewall policy
        edit 1
            set type explicit-web
            set uuid 3bd1a338-d81c-51ee-cb7c-ba6426788468
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set log-http-transaction all
            set extended-log enable
            set av-profile "default"
            set groups "<Your_Group_Name>"
        next
    end
  4. Log in to FortiProxy-B and verify that the explicit proxy and firewall policy configured on FortiProxy-A above have been synchronized to it (for example with `show web-proxy explicit-proxy` and `show firewall policy 1`).
  5. Verify the HA cluster's explicit-web proxy by sending proxy requests through the load balancer's elastic IP to the configured incoming port (8080). Because the policy above matches `srcaddr "all"` on the public interface and relies on membership in the configured user group for authorization, make sure the cloud security group and the load balancer listener restrict which sources can reach the proxy port; otherwise the pair is exposed as an Internet-facing proxy endpoint.