FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192517

Description This article describes how to configure HA heartbeat encryption and authentication.
Scope All FortiGate higher-end models.
Solution

HA heartbeat encryption and HA heartbeat authentication are two independent settings that can each be enabled or disabled. When enabled, the HA heartbeat packets exchanged between cluster members are encrypted and authenticated, so that a third party on the heartbeat link can neither read the packets nor inject forged ones.

HA heartbeat packets should be encrypted and authenticated if the cluster interfaces that send them are also connected to a network (for example, a shared switch or a link that also carries data traffic) rather than being dedicated, directly connected links between the cluster members. On a shared network, any device on the same layer 2 segment can capture or inject heartbeat frames.

If HA heartbeat packets are not encrypted, an attacker who can sniff the heartbeat link can read cluster information from them, including the cluster password.

If HA heartbeat packets are not authenticated, an attacker who can reach the heartbeat link may be able to inject forged HA heartbeat messages, which could affect the stability of the cluster.

Enabling HA heartbeat encryption and authentication adds processing to every heartbeat packet and could reduce cluster performance. Configure the same values on every cluster member, since a member that cannot decrypt or authenticate the heartbeats it receives cannot stay in the cluster.

Command syntax:

# config system ha
    set authentication {disable | enable}
    set encryption {disable | enable}
end
authentication {disable | enable}

Enable or disable HA heartbeat message authentication. With authentication enabled, cluster members reject heartbeat messages that fail authentication, which prevents an attacker from injecting forged HA heartbeat messages. Forged HA heartbeat messages could affect the stability of the cluster. Authentication is disabled by default.

encryption {disable | enable}

Enable or disable HA heartbeat message encryption. With encryption enabled, an attacker who sniffs HA heartbeat packets cannot read cluster information (including the cluster password) from them. Encryption is disabled by default.

Because both settings default to disabled, show system ha does not print either line until it has been changed from the default; use show full-configuration system ha to see the current value explicitly, and check it on every cluster member after making the change.
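The following Python script is an added example, not Fortinet code and not part of this article. It audits a FortiGate configuration dump for the two settings described above: it reads the text that show system ha and show system interface print, reports whether heartbeat authentication and encryption are enabled (treating an absent set line as the default, disabled, because show omits settings still at their default), and flags a heartbeat interface (hbdev) that also has an IP address as a link that is not dedicated to the heartbeat. The two configuration dumps are constructed samples (a cluster at the defaults and the same cluster after set authentication enable and set encryption enable), and the IP-address heuristic for "heartbeat link also connected to a network" is this script's own assumption, not a FortiOS check.

```python
"""Audit a FortiGate configuration dump for HA heartbeat protection.

Added example, not Fortinet code. It parses the output of the FortiOS
CLI commands `show system ha` and `show system interface` and reports
whether the HA heartbeat is authenticated and encrypted. A missing
`set authentication` / `set encryption` line is treated as the FortiOS
default (disabled), since `show` omits settings at their default value.
Treating an hbdev interface that carries an IP address as "also connected
to a network" is this script's assumption, not a FortiOS check.
"""
import re

# Constructed sample: `show system ha` / `show system interface` output of
# a cluster still at the defaults. Neither `set authentication` nor
# `set encryption` appears, and heartbeat interface port3 also has an IP.
WEAK_CONFIG = """\
config system ha
    set group-name "cluster1"
    set mode a-p
    set password ENC xxxxxxxx
    set hbdev "port3" 50 "port4" 50
    set override disable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
        set ip 198.51.100.1 255.255.255.0
    next
    edit "port4"
    next
end
"""

# Constructed sample: the same cluster after `set authentication enable` and
# `set encryption enable` were applied and the IP was removed from port3.
HARDENED_CONFIG = """\
config system ha
    set group-name "cluster1"
    set mode a-p
    set password ENC xxxxxxxx
    set hbdev "port3" 50 "port4" 50
    set override disable
    set authentication enable
    set encryption enable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
    next
    edit "port4"
    next
end
"""


def _block(text, header):
    """Return the body of a top-level `config <header>` ... `end` block."""
    m = re.search(rf"^config {re.escape(header)}$(.*?)^end$", text, re.S | re.M)
    return m.group(1) if m else ""


def ha_settings(text):
    """Map each `set <key> <value>` line under `config system ha` to its value."""
    settings = {}
    for line in _block(text, "system ha").splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2]
    return settings


def heartbeat_interfaces(settings):
    """Interface names from a line such as `set hbdev "port3" 50 "port4" 50`."""
    return re.findall(r'"([^"]+)"\s+\d+', settings.get("hbdev", ""))


def interfaces_with_ip(text):
    """Names of interfaces under `config system interface` that have `set ip`."""
    current, with_ip = None, set()
    for line in _block(text, "system interface").splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
        elif line.startswith("set ip ") and current:
            with_ip.add(current)
        elif line == "next":
            current = None
    return with_ip


def audit(text):
    """Return a list of findings; an empty list means the heartbeat is protected."""
    settings = ha_settings(text)
    # Both protections default to disabled, so an absent line means "disable".
    missing = [k for k in ("authentication", "encryption")
               if settings.get(k, "disable") != "enable"]
    findings = [f"HA heartbeat {k} is disabled: run 'set {k} enable'" for k in missing]
    hbdevs = heartbeat_interfaces(settings)
    if not hbdevs:
        findings.append("no heartbeat interface (hbdev) is configured")
    shared = sorted(set(hbdevs) & interfaces_with_ip(text))
    if shared and missing:  # unprotected heartbeat on a link that is not dedicated
        findings.append(f"heartbeat interface(s) {', '.join(shared)} also carry an IP "
                        "address, so the heartbeat must be authenticated and encrypted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        issues = audit(cfg)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the saved output of show system ha and show system interface from each cluster member, since the HA settings must match on every member; on the constructed weak sample it reports both settings disabled and port3 as a heartbeat interface that is also in use on a network, and on the hardened sample it reports nothing.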