Author Archives: mtu9001

About mtu9001

I'm a Husband and father who happens to be a network/security engineer, python automator, photographer, and amateur chef.

Fortinet three member cluster

Tonight I will be adding a third node to an existing Fortigate 3700D two node cluster.

Their information says it’s an easy job:

Usually all things Fortinet are as easy as they present, I’m cautiously hopeful this cutover will be also.

Well. Turns out they don’t react like a cluster because they aren’t clustered. All nodes as standalone.
Brilliant. Let’s verify:

node_1 (global) # get system ha status
Model: FortiGate-3700D
Mode: standalone
Group: 0
Debug: 0
ses_pickup: disable
number of vcluster: 0

Hmm… that mode doesn’t look right, on to number two

node_2 (global) # get system ha status
Model: FortiGate-3700D
Mode: standalone
Group: 0
Debug: 0
ses_pickup: disable
number of vcluster: 0

Yup. Not in a cluster. Back to the drawing board, as soon as I’m done drafting my findings and sending it in.
/me sighs

That feeling when your VM bites the dust…

and you don’t have a current backup.

Thankfully it was only a vSRX image as a test unit and not some super high impact virtual machine processing credit cards or anything. Let this be a warning to everyone who runs VMWare Fusion/Workstation/VirtualBox/etc., shut the machines down properly; as appliances they should gracefully recover, but there are NO GUARANTEES with VMs.

Now back to your regularly scheduled network outage.

Juniper Networks oddities

When putting a VC together with four or five EX4300 switches, I have found that there are times when the configuration has all interfaces it can currently support, not just the interfaces that exist. This can be troublesome, especially for RSTP.

I’ve gotten into the habit of deleting all interfaces first, and only creating the interfaces needed:

root@lab.local# delete interfaces
root@lab.local# delete protocols rstp
root@lab.local# wildcard range set interfaces xe-[0-1]/0/[0-47]
root@lab.local# wildcard range set interfaces et-0/0/[48-49]
root@lab.local# set protocols rstp interface all

I don’t know if anyone else has reproduced this, I’m waiting on DACs for my lab in order to reproduce and submit a patch.

Changes are coming . . .

I know there are no readers here, hopefully that will be what is changing. I’m going to start dropping tidbits of knowledge, funnies, and tips more frequently.

With a little luck, some skill, and help from this amazing community, this is about to take off.

Now, time to secure this thing, find a most excellent theme, and start tweaking.