DR: How do you replicate FortiGate's configuration from site A to B?

Author: ninjalee (New Member, joined 2018/08/20)
2021/03/16 09:58:56 (permalink)

Hello,

I have a general question about replicating FortiGate's configuration.

In our environment, we are in the beginning stage of building a DR site. We plan to place a FortiGate 140D at sites A and B. Is there any way to automatically replicate FortiGate's configuration from site A to B? What are the best approach and best practices?
#1

1 Reply

emnoc (Expert Member, Austin TX area)
Re: DR: How do you replicate FortiGate's configuration from site A to B? 2021/03/16 12:59:18 (permalink)
Two options that I've used in the past:

1> scripts uploaded via FortiManager or even Ansible could do it

2> API push for address/policy/addrgrp creations

So in an env I worked at we took policy from WEST and pushed the same objects to the EAST, and the only difference was the octet was modified for the other side. So if you do things symmetrically this is easily done.

e.g.
ntp-server01-west
10.10.1.123
ntp-server01-east
10.10.2.123

DNS01-west
10.10.11.53
DNS01-east
10.10.12.53

See the pattern? The odd is west and even is east for the 2nd DC. We did everything like that and had the VIP pre-builts. So we really were creating new addresses and adding them to address-groups that were already seeded in the policies. So we had a sync script that would ensure both WEST & EAST had the same host objects for that policy. This kept our WEST and EAST firewalls synchronized.

Even if the said host was not published at the other DC in VMware, the policy was built for it regardless.

Also in the above, if the policyid at WEST was policyid 8888, it was the exact same policyid at EAST, policyid 8888. This helped so we knew exactly what the match was without thinking too much about it (yes, we had junior and associate level folks dealing with policy ;) )

We also generated policyids at 1024+ (policyid numbers below 1024 were specific policies for that firewall).

At another org we were even more lazy: we put our WEST/EAST objects in an address-group and pushed the address-group to both WEST/EAST even though the other subnet did not exist. You can go that route also if you like.

For a few examples on the API call reference for add/delete, take a look at my post:

    http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

YMMV, but if you have a strong script-writing or a strong dev-ops team that can build front ends or scripts, this is the way that I would go.

Ken Felix


PCNSE
NSE
StrongSwan
#2
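The odd/even WEST-to-EAST sync script Ken describes, as an added example (not code from the post or from Fortinet): it derives the EAST address objects from the WEST ones and builds the FortiOS CMDB REST calls a sync script would send. It assumes the `firewall/address` endpoint and bearer-token auth; the WEST objects are constructed sample data, and the HTTP send itself is left to the caller.

```python
"""Derive EAST address objects from WEST ones and build the FortiOS API calls
a sync script would send. Added example, not code from the post or from Fortinet;
the WEST objects below are constructed sample data."""
import ipaddress
import json
import re

# Constructed sample, shaped like the 'name'/'subnet' fields that
# GET /api/v2/cmdb/firewall/address returns on the WEST FortiGate.
WEST_OBJECTS = [
    {"name": "ntp-server01-west", "subnet": "10.10.1.123 255.255.255.255"},
    {"name": "DNS01-west", "subnet": "10.10.11.53 255.255.255.255"},
    {"name": "app01-west", "subnet": "10.10.5.0 255.255.255.0"},
]


def west_to_east(obj: dict) -> dict:
    """Rename *-west to *-east and bump the odd (WEST) third octet to the even (EAST) one."""
    ip, mask = obj["subnet"].split()
    octets = ip.split(".")
    third = int(octets[2])
    if third % 2 == 0:  # refuse to 'sync' something that does not follow the convention
        raise ValueError(f"{obj['name']}: third octet {third} is even, not a WEST address")
    octets[2] = str(third + 1)
    east_ip = ".".join(octets)
    ipaddress.IPv4Address(east_ip)  # raises on anything that is not a valid address
    name, n = re.subn(r"-west$", "-east", obj["name"], flags=re.IGNORECASE)
    if n == 0:
        raise ValueError(f"{obj['name']}: name does not end in -west")
    return {"name": name, "type": "ipmask", "subnet": f"{east_ip} {mask}"}


def build_sync_calls(west_objects: list, east_existing: set) -> list:
    """Return (method, path, body) per object: PUT to correct drift on objects EAST
    already has, POST to create the rest. Paths are the FortiOS CMDB endpoints;
    sending them (with an Authorization: Bearer token) is left to the caller."""
    calls = []
    for obj in west_objects:
        east = west_to_east(obj)
        if east["name"] in east_existing:
            calls.append(("PUT", f"/api/v2/cmdb/firewall/address/{east['name']}", east))
        else:
            calls.append(("POST", "/api/v2/cmdb/firewall/address", east))
    return calls


if __name__ == "__main__":
    # Pretend EAST already has the NTP object, so it gets updated rather than created.
    for method, path, body in build_sync_calls(WEST_OBJECTS, {"ntp-server01-east"}):
        print(method, path, json.dumps(body))
```

Run the generated calls against a lab FortiGate first and diff the resulting EAST address table against WEST before pointing the script at production.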