925-201b Principles of Network Security and FortiGate Configurations Exam Actual Test

Demo Question 16.

Answer: C

Explanation: Heartbeat devices A heartbeat device is an Ethernet network interface in a cluster that is used by the FGCP for HA heartbeat communications between cluster units. You can configure multiple network interfaces to be heartbeat devices. An interface becomes a heartbeat device when it is assigned a heartbeat device priority. The HA configuration in Figure 2 shows port3 and port4/ha configured as heartbeat devices. Figure 2: Example FortiGate-3000 heartbeat device configuration The heartbeat device with the highest priority is the active heartbeat device. In Figure 2, port4/ha is the active heartbeat device. The active heartbeat device sends and receives all heartbeat communications. If the active heartbeat device fails or is disconnected on one or more of the cluster units, the heartbeat device with the next highest priority becomes the active heartbeat device. This is called heartbeat device failover. Heartbeat device failover occurs transparently, without interrupting the communication sessions being processed by the cluster and without affecting cluster synchronization. By default, for all FortiGate units, two interfaces are configured to be heartbeat devices. The active heartbeat device has a priority of 100. A second, or backup heartbeat device has a priority of 50. The fortiGate-300,400,500,800,1000,3000,and 3600 HA interfaces has the highest heartbeat device priority. The fortiGate-60,100,200,and the Fortiwifi60 DMZ interface has the highest interfaces has the highest heartbeat device priority. The FortiGate-100A and 200A DMZ2 interface has the highest heartbeat device priority. The FortiGate-300A and 400A, and500A port4 interface has the highest heartbeat device priority. The FortiGate-4000 out of band management interface has the highest heartbeat device priority. The FortiGate-5000 has two dedicated HA heartbeat device (Port 9 and Port 10). Port 10 has the highest heartbeat device priority. You can change the heartbeat device configuration as required. All interfaces can be assigned different heartbeat priorities. You can also configure only one interface to be a heartbeat device. You can set the heartbeat device priority for each interface to any number between 1 and 512. In all cases, the heartbeat device with the highest priority is used for all HA heartbeat communication. If this interface fails or becomes disconnected, the interface with the next highest priority handles all of the heartbeat traffic. For the HA cluster to function correctly, at least one interface must be a heartbeat device. Also the heartbeat devices of all cluster units must be connected together. If heartbeat communication is interrupted and cannot fail over to a second heartbeat device, the cluster stops processing traffic. Heartbeat device IP addresses You do not need to assign IP addresses to the heartbeat device interfaces for them to be able to process heartbeat packets. The FGCP assigns virtual IP addresses to the heartbeat device interfaces. The primary unit heartbeat device IP address is 10.0.0.1. Subordinate units are assigned heartbeat device IP addresses 10.0.0.2, 10.0.0.3, and so on. For best results, isolate the heartbeat devices from your user networks by connecting the heartbeat devices to a separate switch that is not connected to any network. If the cluster consists of two FortiGate units you can connect the heartbeat device interfaces directly using a crossover cable. Heartbeat packets contain sensitive information about the cluster configuration. Heartbeat packets may also use a considerable amount of network bandwidth. For these reasons, it is preferable to isolate heartbeat packets from your user networks. Both HA heartbeat and data traffic are supported on the same FortiGate interface. In NAT/Route mode, if you decide to use the heartbeat device interfaces for processing network traffic or for a management connection, you can assign the interface any IP address. In Transparent mode, you can connect the interface to your network and configure management access to it. These configurations do not affect heartbeat traffic or the heartbeat device IP addresses.