27 May 2019

Two FortiGates in a VRRP domain



I still remember when I wrote the HSRP, VRRP and GLBP post. I was studying for the CCNP Route exam. In fact, that post is the most viewed on my blog. I learnt how these First Hop Redundancy Protocols (FHRP) work. I learnt that VRRP uses the multicast IP address 224.0.0.18 and IP protocol number 112. It was great to know there were protocols for high-availability routing. With them, we can configure two routers with the same IP address, which is the default gateway for users, and if one of them fails, the other one takes over.

Last week, I was configuring two FortiGates in a VRRP domain because I needed high availability between different models of firewalls. I know the best architecture is a cluster with the same model of firewalls, but when the project requires high availability with different models, we have to look for a solution. The configuration is easy. We have to enable vrrp-virtual-mac on the port and set the Virtual IP address. In addition, we should set a higher priority number for the primary FortiGate and a lower priority number for the backup FortiGate.

Configuring two FortiGates in a VRRP domain
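As an added example (not from the original post and not Fortinet code), this Python block applies the receive-side checks a monitoring host could run on VRRP advertisements sent to 224.0.0.18 over IP protocol 112: TTL, version and type, checksum, and whether the sender is one of the two expected firewalls. It assumes VRRPv2 with the RFC 3768 layout; the packet bytes, the addresses and the `EXPECTED` table are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample: VRRPv2 advertisement, VRID 1, priority 200, VRIP 10.0.0.254
SAMPLE = bytes.fromhex("2101c80100010bfe0a0000fe" + "00" * 8)
# Constructed allow-list: VRID -> source addresses of the two firewalls
EXPECTED = {1: {"10.0.0.1", "10.0.0.2"}}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(payload: bytes, ip_ttl: int) -> dict:
    """Apply the RFC 3768 receive checks and return the advertised fields."""
    if ip_ttl != 255:
        raise ValueError("IP TTL is not 255 (packet was routed)")
    if len(payload) < 8:
        raise ValueError("truncated header")
    vt, vrid, prio, count, _auth, adver, _csum = struct.unpack("!BBBBBBH", payload[:8])
    if vt != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) < 16 + 4 * count:  # header + addresses + 8 auth bytes
        raise ValueError("truncated body")
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        raise ValueError("bad checksum")
    vrips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
             for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vrips": vrips, "adver_int": adver,
            "vmac": f"00:00:5e:00:01:{vrid:02x}"}  # virtual MAC derives from VRID

def check(src_ip: str, ip_ttl: int, payload: bytes) -> str:
    """Classify one captured advertisement as ok, alert or drop."""
    try:
        adv = parse_advert(payload, ip_ttl)
    except ValueError as exc:
        return f"drop: {exc}"
    if src_ip not in EXPECTED.get(adv["vrid"], set()):
        return f"alert: unexpected VRRP speaker {src_ip} for VRID {adv['vrid']}"
    return f"ok: {src_ip} is advertising VRID {adv['vrid']} with priority {adv['priority']}"

if __name__ == "__main__":
    print(check("10.0.0.1", 255, SAMPLE))
    print(check("10.0.0.66", 255, SAMPLE))
```

The `vmac` field is the address hosts resolve for the default gateway once vrrp-virtual-mac is enabled, so it is the value to compare against ARP tables during a failover test.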

If we use FortiGate firewalls to secure services such as HTTP and HTTPS, we’ll also want high availability for these services. Therefore, Virtual IPs will have to be configured on both firewalls. At first sight, if we configure the same Virtual IP on both firewalls, there will be a duplicate IP address and it won’t work properly. However, FortiOS 6.0 already supports failover of IPv4 firewall VIPs and IP Pools. Thanks to a new proxy ARP setting, we’ll be able to map VIPs to each router’s Virtual MAC (VMAC).

Failover of IPv4 firewall VIPs
 
Another interesting setting is VRRP load balancing, which is useful when we want both firewalls to process traffic. Accordingly, one firewall is the primary router of one subnet and the other one is the primary router of the other subnet. However, if one firewall fails, all traffic fails over to the one that is still operating. From my point of view, an Active/Active configuration is not the best design, but it could be useful in some architectures.

VRRP load balancing

All of these settings are configured using the CLI. There is no way to configure VRRP using the GUI in FortiGate. Consequently, the routing table also has to be obtained using the CLI. The command “get router info vrrp” shows the status of VRRP. For instance, we can see which firewall is the master router and which is the backup router. We can also see the Virtual Router IP (vrip), the Virtual Router Group (vrgrp), etc.

VRRP Routing Table

VRRP is a standard protocol, so we can also configure a VRRP domain between a firewall and a router. For example, we could configure a VRRP domain between a FortiGate firewall and a Cisco router. This is a great advantage of using standard protocols instead of proprietary protocols such as HSRP or GLBP.

Your comments are welcome!!

20 May 2019

F5 BIG-IP APM – SSO for Terminal Services



F5 BIG-IP APM is a good alternative to the deprecated Juniper SSL VPN, which has been sold to Pulse Secure, because APM unifies SSL VPN services and the management of authentication and user access, integrating SSO authentication and identity federation services into the same solution. Therefore, F5 BIG-IP APM can be used for telecommuting as well as for Virtual Desktop Infrastructures (VDI), because APM supports native VDIs such as Microsoft, VMware and Citrix and also supports most authentication mechanisms (NTLM, Kerberos, SAML, digital certificates, tokens, OTPs, etc.).

I made a video last week about Portal Access & Webtops and I would like to share a new video this week about Single Sign-On for Terminal Services. As you will see, it’s easy to configure SSO for Terminal Services, and it’s a useful feature in most organizations for employees and partners who work from home, the airport or wherever.


I think it’s important to highlight that some extensions are needed when creating the SSL Certificate for the SSL Profile (Client) because the VDI Profile generates a cryptographic signature based on the attached client SSL Profile. If the SSL Certificate doesn’t have these extensions, there will be an error message when we connect to the Remote Desktop.

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started".

 APM - User Defined RDP in version 13 - digital signature issue

I hope this video is useful for you. Regards my friends! Keep learning!

13 May 2019

F5 BIG-IP APM - Portal Access & Webtops



The last two weeks have been a little bit stressful but at the same time very rewarding. Firstly, I’ve had to prepare lots of F5 labs and slides because I’ve been the teacher of an F5 training. Secondly, it’s very rewarding because I’ve also learnt a lot thanks to the students’ questions. Actually, the first course week has been about F5 BIG-IP LTM Fundamentals while the second week has been about three days of F5 BIG-IP LTM Advanced and two days of F5 BIG-IP APM.

We’ve talked about new technologies such as HTTP/2 and HSTS, which could be interesting for new application deployments. We’ve also been speaking about advanced TCP options such as Multipath TCP, SACK, Long Fat Networks and Nagle’s algorithm. All of these concepts were new for the students. They didn’t know anything about them. However, F5 BIG-IP is able to deliver applications with these TCP options. What’s more, F5 BIG-IP APM is able to deliver Access Portals with Single Sign-On (SSO), which is very useful for organizations that want a unique web portal to access all internal applications with the same credentials. An access portal with SSO for applications is like what Google does with all its applications.

Google Single Sign-On for Gmail Applications

I wrote about throwing away your firewalls two summers ago, when I read that Google has an Access Portal with SSO for employees where they can work from the Internet as if they were inside the Google building. In the next video we can watch how to configure an Access Portal, which can be configured along with SSO Authentication, where there are Webtops to access internal applications. F5 BIG-IP APM allows organizations to have a unique Access Portal with SSO Authentication to access all internal and external applications.


I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!

6 May 2019

F5 BIG-IP APM – SSO Authentication



It’s really beautiful and rewarding to learn how to configure new services and technologies, but it’s also really hard to test the configuration again and again till it works because it takes a lot of time. This weekend, I spent more than 6 hours learning how to configure the Single Sign-On functionality with an application server that uses forms-based authentication. Finally, I’m happy because I’ve learnt how to configure SSO in BIG-IP APM.


The most difficult configuration is the SSO Method Configuration because we have to know exactly how the application works to validate the username and password. I mean, we have to know what the login page and the credential parameters are. On the other hand, the Visual Policy Editor is really powerful: there we can configure the logon page, the authentication database, SSO mapping, etc. We can configure almost everything.

Visual Policy Editor
 
I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!