Support Forum
ninjalee
New Contributor

DR: How do you replicate FortiGate's configuration from site A to B?

Hello, I have a general question about replicating FortiGate's configuration. In our environment, we are in the beginning stage of building a DR site. We plan to place a FortiGate 140D at sites A and B. Is there any way to automatically replicate FortiGate's configuration from site A to B? What are the best approach and best practices?

1 REPLY
emnoc
Esteemed Contributor III

Two options that I've used in the past:

1> scripts uploaded via FortiManager or even Ansible could do it

2> API push for address/policy/addrgrp creations

So in an env I worked at we took policy from WEST and pushed the same objects to the EAST, and the only difference was the octet was modified for the other side. So if you do things symmetrically this is easily done.

e.g.

ntp-server01-west 10.10.1.123
ntp-server01-east 10.10.2.123

DNS01-west 10.10.11.53
DNS01-east 10.10.12.53

See the pattern? The odd is west and even is east for the 2nd DC. We did everything like that and had the VIP pre-builts. So we really were creating new addresses and adding them to address-groups that were already seeded in the policies. So we had a sync script that would ensure both WEST & EAST had the same host objects for that policy. This kept our WEST and EAST firewalls synchronized.

Even if the said host was not published at the other DC in VMware, the policy was built for it regardless.

Also in the above, if the policyid at WEST was policyid 8888, it was the exact same policyid at EAST, policyid 8888. This helped so we knew exactly what the match was without thinking too much about it (yes, we had junior and associate level folks dealing with policy ;) ).

We also generated policyids at 1024+ (policyid numbers below 1024 were specific policies for that firewall).

At another org we were even more lazy: we put our WEST/EAST objects in an address-group and pushed the address-group to both WEST/EAST even though the other subnet did not exist. You can go that route also if you like.

For a few examples on the API call reference for add/delete, take a look at my post:

http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

YMMV, but if you have strong script writing or a strong dev-ops team that can build front ends or scripts, this is the way that I would go.

Ken Felix

PCNSE
NSE
StrongSwan
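An added example (not Ken's code and not Fortinet's) of the odd/even mirroring and the sync step described in the reply, in Python: it derives the EAST twins of the WEST host objects, works out which ones the EAST box still lacks, and builds the address-object bodies to push. The `push_address` helper assumes the FortiOS REST `cmdb/firewall/address` endpoint with bearer-token auth; the sample WEST/EAST data is constructed from the values in the post.

```python
import json
import urllib.request

def east_name(west_name: str) -> str:
    """ntp-server01-west -> ntp-server01-east (naming convention from the post)."""
    if not west_name.endswith("-west"):
        raise ValueError(f"not a WEST-named object: {west_name}")
    return west_name[: -len("-west")] + "-east"

def east_ip(west_ip: str) -> str:
    """Odd third octet = WEST, even = EAST: 10.10.1.123 -> 10.10.2.123."""
    octets = west_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {west_ip}")
    third = int(octets[2])
    if third % 2 == 0:
        raise ValueError(f"WEST third octet must be odd: {west_ip}")
    octets[2] = str(third + 1)
    return ".".join(octets)

def derive_east(west_objects: dict) -> dict:
    """Mirror every WEST host object onto its EAST twin."""
    return {east_name(n): east_ip(ip) for n, ip in west_objects.items()}

def sync_plan(desired: dict, existing: dict) -> list:
    """FortiOS address bodies missing from (or wrong on) the EAST box."""
    return [
        {"name": name, "type": "ipmask", "subnet": f"{ip} 255.255.255.255"}
        for name, ip in desired.items()
        if existing.get(name) != ip
    ]

def push_address(host: str, token: str, body: dict) -> int:
    """POST one address object via the FortiOS REST API.
    Endpoint and bearer-token auth are assumed; not exercised offline."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/firewall/address",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample: WEST objects from the post; EAST already has only the NTP twin.
WEST = {"ntp-server01-west": "10.10.1.123", "DNS01-west": "10.10.11.53"}
EAST_EXISTING = {"ntp-server01-east": "10.10.2.123"}
```

Feed `sync_plan(derive_east(WEST), EAST_EXISTING)` to `push_address` for each body to seed the missing EAST objects; the plan is empty once both sides match.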