
Firewall in Cluster HA #21

Open
zzbbaqe opened this issue May 10, 2022 · 17 comments

Comments

@zzbbaqe

zzbbaqe commented May 10, 2022

Hi,
firstly I would like to thank you for this tool.
This tool works fine with a single Firewall. How can I make it work with the Firewall in the Cluster(HA)?

Thank you in advance,

@tmorris-ftnt
Owner

I'll need to add support for that. When I first created this, FortiManager didn't support it well, but it does now, so it should be doable. I'll look into it soon.

@zzbbaqe
Author

zzbbaqe commented May 11, 2022

Hi,
To add this feature I think you have to change the code; will it take much time to have the new version?
Thank you in advance.

@tmorris-ftnt
Owner

I'm not sure how much time it will take.

There is also now a feature in FMG 7.2 which will make this tool redundant.

https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/673597/device-blueprints

Unfortunately this doesn't support HA model or some existing features of ZTP tool such as populating dynamic address object mappings.

When would you need an update for your project?

@zzbbaqe
Author

zzbbaqe commented May 13, 2022

Hi,
My project starts next week and I would really appreciate it if you could give me an update.

@tmorris-ftnt
Owner

tmorris-ftnt commented May 13, 2022

I've done the initial implementation but with very limited testing at this point. You can get the build here https://tmorris-ftnt.github.io/ztptool-v1.0.15ha-preview-win.zip

Are you able to run from the source code? This will just make it easier/quicker to fix anything if something doesn't quite work right.

There is an example xlsx included in the build for an HA device.

There are a few new columns you can add for an HA device now.

  • "HA_SN" - this will be the serial number of the secondary unit in the HA cluster - if this is present it will try to build the HA device (this is a bit of a mistake as you won't be able to mix HA and non-HA devices in the same xlsx currently; I'll fix it in the next release so that it needs to have a SN in there for it to trigger).
  • "HA_Password" - password for the ha cluster
  • "HA_ClusterName" - name of the HA cluster
  • "HA_GroupID" - id of the HA cluster

Notes: This should be the same as creating an HA model cluster as per https://docs.fortinet.com/document/fortimanager/7.0.3/administration-guide/334482/adding-a-model-fortigate-ha-cluster

Currently the Priority is hard coded to 255 for the primary and 128 for the secondary... I'll make options for this in a future build.

I've only tested it in FMG 7.0.3 and only to the point of creating the model device with the HA members as per the link above.

Let me know if you have any issues with it. I'll try to do some more testing on this over the weekend.

@kevingufler

Hello,
I just wanted to test the new functionality, but I somehow can't seem to find the source code.
Would it be possible to release the source code too, please?

Thank you very much for this nice tool ❤️

@tmorris-ftnt
Owner

tmorris-ftnt commented May 15, 2022

Sure, I've made a branch for it here (https://github.com/tmorris-ftnt/ztptool/tree/hamodel)

@kevingufler

kevingufler commented May 18, 2022

So I might have found some bugs:
On line 622: %s does not get resolved and I think you might want to put the device name there; it's strange that the API call still returns with 200 OK ... i.e.: "url": "/pm/config/device/"+devicename+"/global/system/ha",
On line 1673: "HA_SN" is always in the dict since it is in the xlsx; there should be a check that its length is greater than 0, i.e.: 'and len(devicedata["HA_SN"]) > 0', otherwise it will always try to run add_ha_model_device. At the moment this leads to non-HA devices not being set up correctly.
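The two points above (the HA columns the preview build reads, and the check that "HA_SN" is actually filled in rather than merely present as a key) as an added Python example. This is not the ztptool project's code: the row-dict shape, the "SN" and "Name" column names for the primary unit, and the sample serials are assumptions made up for the example, while the 255/128 priorities are the values stated earlier in the thread.

```python
# Added example, not ztptool's code: decide from one spreadsheet row whether a
# device is an HA model device, using the non-empty HA_SN check from the thread.
from dataclasses import dataclass
from typing import Optional

# HA columns named in the thread.
HA_COLUMNS = ("HA_SN", "HA_Password", "HA_ClusterName", "HA_GroupID")

# Priorities as stated in the thread (hard coded in the preview build).
PRIMARY_PRIORITY = 255
SECONDARY_PRIORITY = 128


@dataclass
class HAParams:
    primary_sn: str
    secondary_sn: str
    password: str
    cluster_name: str
    group_id: int
    primary_priority: int = PRIMARY_PRIORITY
    secondary_priority: int = SECONDARY_PRIORITY


def _cell(row: dict, key: str) -> str:
    """Normalise a spreadsheet cell: a missing key, None or whitespace is blank."""
    value = row.get(key)
    return "" if value is None else str(value).strip()


def is_ha_device(row: dict) -> bool:
    """True only when HA_SN holds a value.

    '"HA_SN" in row' is not sufficient: once the column exists in the xlsx,
    every row carries the key, usually with an empty value.
    """
    return len(_cell(row, "HA_SN")) > 0


def ha_params(row: dict) -> Optional[HAParams]:
    """Return HA parameters for the row, or None for a standalone device.

    Raises ValueError when HA_SN is set but the cluster definition is
    incomplete or inconsistent, so a half-filled row fails before anything
    is sent to FortiManager.
    """
    if not is_ha_device(row):
        return None
    primary_sn = _cell(row, "SN")  # "SN" column name is an assumption
    secondary_sn = _cell(row, "HA_SN")
    if not primary_sn:
        raise ValueError("HA_SN is set but the primary SN is blank")
    if primary_sn == secondary_sn:
        raise ValueError("HA_SN must differ from the primary SN")
    missing = [c for c in HA_COLUMNS[1:] if not _cell(row, c)]
    if missing:
        raise ValueError("HA row missing: " + ", ".join(missing))
    group_id_text = _cell(row, "HA_GroupID")
    if not group_id_text.isdigit():
        raise ValueError("HA_GroupID must be a non-negative integer")
    return HAParams(primary_sn, secondary_sn, _cell(row, "HA_Password"),
                    _cell(row, "HA_ClusterName"), int(group_id_text))


# Constructed sample rows (serials, names and password are made up), shaped
# like dict rows read from a sheet that already has the HA columns.
SAMPLE_ROWS = [
    {"Name": "branch-fw-01", "SN": "FGT60FTK00000001", "HA_SN": "",
     "HA_Password": "", "HA_ClusterName": "", "HA_GroupID": ""},
    {"Name": "hq-fw", "SN": "FGT100FTK0000010", "HA_SN": "FGT100FTK0000011",
     "HA_Password": "constructed-secret", "HA_ClusterName": "hq-cluster",
     "HA_GroupID": "10"},
    {"Name": "broken-fw", "SN": "FGT60FTK00000002", "HA_SN": "FGT60FTK00000003",
     "HA_Password": "", "HA_ClusterName": "", "HA_GroupID": ""},
]


def classify_rows(rows):
    """Return (name, kind) pairs where kind is 'standalone', 'ha' or 'error: ...'."""
    out = []
    for row in rows:
        try:
            params = ha_params(row)
        except ValueError as exc:
            out.append((row["Name"], f"error: {exc}"))
            continue
        out.append((row["Name"], "ha" if params else "standalone"))
    return out


if __name__ == "__main__":
    for name, kind in classify_rows(SAMPLE_ROWS):
        print(f"{name}: {kind}")
```

The first row is the case the bug report describes: the key exists but the cell is empty, so the device must be treated as standalone. The third row shows why the check should go further than length alone, since a secondary serial without the cluster password, name and group ID should stop the run rather than produce a partially defined model device.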

@tmorris-ftnt
Owner

Thanks for the feedback. The %s is a bit weird; it's not supposed to be a replacement. When you do the action in the GUI, the API call has that %s. I had just copied what it did and it worked, so I didn't look at it any more.

You're right about HA_SN needing a check that it's actually filled in; I mentioned above that I need to fix this.

In some more testing and research, the 7.0 HA model device is a little troublesome; in FMG 7.2 this process has been completely changed. I think I will have to target 7.2 for this feature.

Also planning to support template groups as well.

@kevingufler

In my experience the API itself often gives a 200 OK response even if nothing really is OK ... so you think the %s should stay?

@tmorris-ftnt
Owner

Yes, I believe it's correct. I've checked another example and it has the same %s used in the URL.

@kevingufler

kevingufler commented May 19, 2022

Okay, it does seem a little strange ...
In the meantime I found something else: on line 604, you try to change the name of the primary, but somehow the name for the primary does not get set, while it works for the secondary. I.e.: the "-0" postfix is not getting set.

@tmorris-ftnt
Owner

Hi, it does the same thing if you do it via the GUI. I think it's just how FortiManager works. I'll hopefully get some time to test this more soon.

@kevingufler

kevingufler commented Jun 1, 2022

Hello,
Were you able to do some testing?
We are observing some strange behaviour when deploying the machines.
The HA machines are registering themselves but are not able to retrieve the configuration and instead show Config-State: Conflict inside the FortiManager.
Upon reboot of the firewall, when observing the config of said HA machine inside the FortiManager, the HA configuration gets doubled and shows the primary and secondary twice.

@tmorris-ftnt
Owner

Hi Kevin,

Are you able to successfully deploy the HA cluster when configuring it from the FortiManager GUI?

I now have two of the same FortiGate units here so I can test them. I was trying with VMs before, but that introduced some extra complications.

@zzbbaqe
Author

zzbbaqe commented Jun 1, 2022

Hi,
Kevin and I have tried to deploy two FortiGate VMs.
We have the following issue:
The firewalls register to the FortiManager but cannot download the config.
When I reboot the firewall in the cluster member, we see a duplicated entry. For example, we see the primary firewall and the secondary twice with the same serial, priority and rule.
I have the demo, and if you would like, we can have a quick remote session to share our ideas?

@zzbbaqe
Author

zzbbaqe commented Jun 1, 2022

Here is the example:
https://prnt.sc/pHKxPK9WPk1r
