飞塔防火墙双机-HA与会话同步

Click to edit Master title style,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,*,HA,与会话同步,course 301,概念,FortiGate,高可用性集群功能通过消除了单点故障来提高了整个系统的可用性。,负载均衡通过在集群成员之间分配网络流量和安全服务以提高整体的性能。,需求,硬件保持一致,软件版本保持一致,FG50A,不可以做,HA,FG,300A,以上可以实现全拓扑,运行模式,Active-Active,负载均衡,提高可靠性和性能,同步配置,会话表,转发表,Active-Passive,热备份,提高可靠性,同步配置,会话表,转发表,虚拟集群,虚拟域的负载均衡,Master,选举,Master,基于以下因素进行选举,:,监控端口,系统运行时间,设备优先级,序列号,具有最少监控端口失败的设备将成为,master,具有比现主设备优先级高的设备在加入集群中时，将成为从设备,.,CLI,选项将跳过这个选项,意味着具有高优先级的设备将成为主设备。,同步,配置,(,sync-config),会话表,(session-pickup),转发信息库,(FIB),内核使用,FIB,(diag ip route list)(NAT/Route mode),在设备之间,FIB,是同步的,get router info routing table,在从设备上路由表是空的,心跳,物理的以太网接口,(hbdev),TCP,端口,702,心跳线 接口用于,HA,通信,Hello,间隔,200 ms,HA,地址,10.0.0.x,TCP,端口,23,用于 统计,配置和管理,占用相当大的带宽,交叉线连接,HA,配置,集群的属性,group-id,group-name,mode,password,心跳线接口,hbdev,心跳线的间隔和阈值,hb-interval,hb-lost-threshold,Hello/,工作状态,h,elo,-,holddown,FGCP,信息的传递和可信度,Encryption,Authentication,Routing,表同步,route-ttl,route-wait,route-hold,HA Configuration,Gratuitous ARPs,arps,Bounce Links,L,ink,失败信号,变化后重新协商,override,Unit,优先级,priority,监控接口,monitor,虚拟集群,vcluster2,虚拟域成员,vdom,非中断的升级,HA,集群可以进行平滑的升级而服务不中断,上传,Firmware,关掉负载均衡,从设备升级,新的主设备选举,前主设备升级,可能进行的新主设备选举,开启负载均衡,Master,选举,Master,基于以下因素进行选举,:,监控端口,系统运行时间,设备优先级,序列号,具有最少监控端口失败的设备将成为,master,具有比现主设备优先级高的设备在加入集群中时，将成为从设备,.,CLI,选项将跳过这个选项,意味着具有高优先级的设备将成为主设备。,负载均衡,(A-A),Active-Active(Mode),缺省状态下只有病毒扫描的会话将重新定向实现负载均衡。,病毒扫描会话将不进行切换,会话 拾起将应用于非病毒扫描的会话的同步,load-balance-all,将重新非配所有的,TCP,会话,A-A Schedulers,0.None,Hub,Least-connection,Round-robin(default),Weighted round-robin,Random,IP,IP+port,CLI:set schedule,负载均衡模式下,AV,会话过程,Syn,Master Internal,VMAC:09-01-01,PMAC:0b-a1-c0,Master External,VMAC:09-01-03,PMAC:0b-a1-c2,Slave Internal,PMAC:0b-a4-8c,Slave External,PMAC:0b-a4-8e,1.dstMAC 09-01-01,srcMAC X,TCP SYN dport 80,2.dstMAC 0b-a4-8c,srcMAC 0b-a1-c0,TCP SYN dport 80,3a.dstMAC Y,srcMAC 0b-a4-8e,TCP SYN dport 80,3b.dstMAC X,srcMAC 0b-a4-8c,TCP SYN ACK sport 80(from HTTP proxy),1,3a,2,3b,X,Y,负载均衡模式下,AV,会话,SYN,ACK ACK,Master Internal,VMAC:09-01-01,PMAC:0b-a1-c0,Master External,VMAC:09-01-03,PMAC:0b-a1-c2,Slave Internal,PMAC:0b-a4-8c,Slave External,PMAC:0b-a4-8e,4.dstMAC 09-01-01,srcMAC X,TCP ACK dport 80,5.dstMAC 0b-a4-8c,srcMAC 0b-a1-c0,TCP ACK dport 80,6.dstMAC 09-01-03,srcMAC Y,TCP SYN ACK sport 80,7.dstMAC 0b-a4-8e,srcMAC 0b-a1-c2,TCP SYN ACK sport 80,8.dstMAC Y,srcMAC 0b-a4-8e,TCP ACK dport 80,4,6,5,X,Y,7,8,负载均衡模式下主设备的会话表,session info:proto=6 proto_state=11 expire=3599 timeout=3600 flags=00000000 av_idx=4 use=5,bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session,ha_id=0 hakey=49729,tunnel=/,state=redir,log local may_dirty,statistic(bytes/packets/err):org=1253/21/0 reply=1503/19/0 tuples=3,orgin-sink:org pre-post,reply pre-post oif=3/5 gwy=192.168.11.254/10.0.1.1,hook=post dir=org act=snat 10.0.1.1:2287-193.1.193.64,:21,(192.168.11.101:2287),hook=pre dir=reply act=dnat 193.1.193.64:21-192.168.11.101:2287(10.0.1.1:2287),hook=post dir=reply act=noop 193.1.193.64:21-10.0.1.1:2287(0.0.0.0:0),pos/(before,after)-233083355/(0,8),0/(0,0),misc=20004 domain_info=0 auth_info=0 ftgd_info=0 ids=0 x0 vd=0,serial=00005ae5,tos=ff/ff,session info:proto=6 proto_state=11 expire=3595 timeout=3600 flags=00000000 av_idx=4 use=6,bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session,ha_id=1 hakey=49729,tunnel=/,state=redir,log may_dirty,statistic(bytes/packets/err):org=999/21/0 reply=1921/19/0 tuples=3,orgin-sink:org pre-post,reply pre-post oif=3/5 gwy=192.168.11.254/10.0.1.1,hook=post dir=org act=snat 10.0.1.1:2291-193.1.193.64,:21,(192.168.11.101:2291),hook=pre dir=reply act=dnat 193.1.193.64:21-192.168.11.101:2291(10.0.1.1:2291),hook=post dir=reply act=noop 193.1.193.64:21-10.0.1.1:2291(0.0.0.0:0),pos/(before,after)1555340173/(8,16),0/(0,0),misc=20004 domain_info=0 auth_info=0 ftgd_info=0 ids=0 x0 vd=0,serial=00005b07,tos=ff/ff,Cluster ID of device handing session,AV scan enabled for FTP,负载均衡模式主设备的会话表,(load-balance-all),session info:,proto=6,proto_state=01 expire=3564 timeout=3600 flags=00000000 av_idx=0 use=3,bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session,ha_id=1 hakey=3328,tunnel=/,state=dirty may_dirty,statistic(bytes/packets/err):org=48/1/0 reply=0/0/0 tuples=2,orgin-sink:org pre-post,reply pre-post oif=0/3 gwy=0.0.0.0/0.0.0.0,hook=pre dir=org act=dnat 192.168.11.254:39044-192.168.11.102,:3389,(10.0.1.2:3389),hook=post dir=reply act=snat 10.0.1.2:3389-192.168.11.254:39044(192.168.11.102:3389),pos/(before,after)0/(0,0),0/(0,0),misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0 x0 vd=0,serial=00000240,tos=ff/ff,session info,:proto=6,proto_state=01 expire=3361 timeout=3600 flags=00000000 av_idx=9 use=3,bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session,ha_id=0 hakey=3327,tunnel=/,state=log dirty may_dirty,statistic(bytes/packets/err):org=85725/1434/0 reply=362915/1489/0 tuples=2,orgin-sink:org pre-post,reply pre-post oif=0/3 gwy=0.0.0.0/0.0.0.0,hook=pr