Save the configuration at any time
```bash
config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set gui-auto-upgrade-setup-warning disable
    set hostname "FG-Slave"
    set revision-backup-on-logout enable
    set revision-image-auto-backup enable
    set timezone "Asia/Shanghai"
end
```
Because the address ranges differ between AZs, the following objects must be excluded from HA synchronization:
```bash
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
    edit 3
        set object firewall.vip
    next
    edit 4
        set object firewall.ippool
    next
end
```
FortiGate port1 is the WAN interface and carries inbound (outside-to-inside) traffic;
FortiGate port2 carries outbound (inside-to-outside) traffic, and its security group must allow everything;
FortiGate port3 is the HA interface and carries the data exchanged between the HA peers; security group;
FortiGate port4 is the MGMT interface used for management; allow HTTPS, SSH and ICMP.
```bash
config system ha
    set group-id 10
    set group-name "fgha"
    set mode a-p
    set password fortinet
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.197.3.1
        next
    end
    set override disable
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 10.197.12.11
end

config system ha
    set group-id 10
    set group-name "fgha"
    set mode a-p
    set password fortinet
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.197.13.1
        next
    end
    set override disable
    set priority 100
    set unicast-hb enable
    set unicast-hb-peerip 10.197.2.11
end
```
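As an added example (not code from the original post), the Python script below parses a FortiOS CLI fragment such as the `vdom-exception` and `system ha` blocks above into nested dicts and then audits the points a reviewer checks before a cross-AZ deployment: active-passive mode, a heartbeat interface, a peer IP when unicast heartbeat is on, a gateway on the HA management interface, an HA password that is not a tutorial placeholder, and all four sync-excluded objects being present. The sample configuration is constructed from the values on the page; the placeholder-password list and the finding texts are my own assumptions.

```python
"""Parse a FortiOS CLI configuration fragment and audit its HA settings."""
import shlex

# Constructed sample, modelled on the multi-AZ HA configuration above.
SAMPLE_CONFIG = """
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
    edit 3
        set object firewall.vip
    next
    edit 4
        set object firewall.ippool
    next
end
config system ha
    set group-id 10
    set group-name "fgha"
    set mode a-p
    set password fortinet
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.197.13.1
        next
    end
    set override disable
    set priority 100
    set unicast-hb enable
    set unicast-hb-peerip 10.197.2.11
end
"""

# Objects that must not be synchronized when the two units sit in
# different AZs with different address ranges (list taken from the page).
REQUIRED_EXCEPTIONS = {"system.interface", "router.static",
                       "firewall.vip", "firewall.ippool"}

# Placeholder passwords that appear in tutorials and must not reach
# production (assumption: extend this deny-list to suit your environment).
PLACEHOLDER_PASSWORDS = {"fortinet", "password", "admin"}


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts.

    `config system ha` becomes cfg["system ha"]; each `edit N` becomes a
    child dict keyed by N; `set k v...` stores a string (one value) or a list.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{keyword}'")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_ha(cfg):
    """Return a list of findings for the HA and sync-exception settings."""
    findings = []
    ha = cfg.get("system ha", {})
    if ha.get("mode") != "a-p":
        findings.append("HA mode is not active-passive (a-p)")
    if "hbdev" not in ha:
        findings.append("no heartbeat interface (hbdev) configured")
    if ha.get("password") in PLACEHOLDER_PASSWORDS:
        findings.append("HA password is a placeholder; set a unique secret")
    if ha.get("unicast-hb") == "enable" and "unicast-hb-peerip" not in ha:
        findings.append("unicast heartbeat enabled but no peer IP set")
    mgmt = ha.get("ha-mgmt-interfaces", {})
    if ha.get("ha-mgmt-status") == "enable":
        if not mgmt:
            findings.append("ha-mgmt-status enabled but no management interface")
        for idx, entry in mgmt.items():
            if "gateway" not in entry:
                findings.append(f"ha-mgmt-interfaces {idx} has no gateway")
    exceptions = cfg.get("system vdom-exception", {})
    excluded = {entry.get("object") for entry in exceptions.values()}
    for obj in sorted(REQUIRED_EXCEPTIONS - excluded):
        findings.append(f"{obj} is not excluded from HA sync (vdom-exception)")
    return findings


if __name__ == "__main__":
    for finding in audit_ha(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the placeholder HA password; dropping one of the four `vdom-exception` entries or the `unicast-hb-peerip` line produces an additional finding, which makes the script usable as a pre-deployment gate on an exported `show` output.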