FortiOS 6.0 Getting Started: High availability with two FortiGates

Before you begin, make sure that the FortiGates are running the same FortiOS firmware version and interfaces are not configured to get their addresses from DHCP or PPPoE.

This recipe uses the FortiGate Clustering Protocol (FGCP) for HA. After you complete this recipe, the original FortiGate continues to operate as the primary FortiGate and the new FortiGate operates as the backup FortiGate.

For a more advanced HA recipe that includes CLI steps and involves using advanced options such as override to maintain the same primary FortiGate, see High Availability with FGCP (Expert).

1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before you add it to the HA cluster.

This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they’re synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before you form the cluster. Once the cluster is running, the FGCP synchronizes third-party certificates to the backup FortiGate.

2. Configuring the primary FortiGate for HA

On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) to make sure this FortiGate will always be the primary FortiGate. Also, set a Group name and Password.

Make sure you select Heartbeat interfaces (in the example, port3 and port4). Set the Heartbeat Interface Priority for each interface to 50.

Since the backup FortiGate isn’t available, when you save the HA configuration, the primary FortiGate forms a cluster of one FortiGate but keeps operating normally.

If there are other FortiOS HA clusters on your network, you may need to change the cluster group ID, using this CLI command:

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and to the network, as shown in the network diagram at the top of this recipe.

Since these connections disrupt traffic, you should make the connections when the network isn’t processing a lot of traffic. If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

You must use switches between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device priority): set Mode to Active-Passive, and set the Device Priority to a lower value than the default to make sure this FortiGate is always the backup FortiGate. Also, set the same Group name and Password as you did for the primary FortiGate.

Make sure that you select the same two Heartbeat interfaces (port3 and port4) and set the Heartbeat Interface Priority for each to 50.

If you changed the cluster group ID of the primary FortiGate, change the cluster group ID for the backup FortiGate to match, using this CLI command:

config system ha
    set group-id 25
end

When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.
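The CLI equivalent of steps 2 and 4, as an added example that is not part of the original recipe: the host names, the group name and the password are placeholders you replace with your own values; the priorities, heartbeat interfaces and group ID are the ones used in the recipe. The default device priority on a FortiGate is 128, so the backup unit is set below that.

```text
# Primary FortiGate (host name, group name and password are placeholders)
config system global
    set hostname "FGT-Primary"
end
config system ha
    set group-id 25
    set group-name "Example-HA"
    set password "REPLACE-WITH-SHARED-HA-PASSWORD"
    set mode a-p
    # Above the default of 128 so this unit wins the primary election
    set priority 250
    # Heartbeat interfaces from the recipe, each with heartbeat priority 50
    set hbdev "port3" 50 "port4" 50
end

# Backup FortiGate: identical HA settings except host name and priority
config system global
    set hostname "FGT-Backup"
end
config system ha
    set group-id 25
    set group-name "Example-HA"
    set password "REPLACE-WITH-SHARED-HA-PASSWORD"
    set mode a-p
    # Below the default of 128 so this unit stays the backup
    set priority 50
    set hbdev "port3" 50 "port4" 50
end
```

Everything under config system ha except the priority must match on both units, otherwise the heartbeat packets are ignored and no cluster forms.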

5. Viewing the status of the HA cluster

Connect to the GUI of the primary FortiGate. The HA Status widget shows the cluster mode (Mode) and group name (Group).

It also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster.

To view the cluster status, click on the HA Status widget and select Configure settings in System > HA (or go to System > HA).

If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.
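Two CLI checks that complement the HA Status widget described above, as an added example that is not part of the original recipe; run them on the primary FortiGate. The expected results are described in the comments rather than pasted from a real session.

```text
# Lists every cluster member with its serial number and role; the unit you
# gave the higher device priority should appear as Master
get system ha status

# Compares configuration checksums across members; the "all" checksum must be
# identical for every serial number, otherwise the backup is out of sync
diagnose sys ha checksum cluster
```

If the checksums differ, wait for synchronization to finish and re-run the check before you trust a failover test.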

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate processes traffic.

A failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test HA failover, ping an IP address on the Internet (in the example, 8.8.8.8) from a PC in the internal network.

After a short time interval, power off the primary FortiGate. The ping results pause while traffic fails over to the backup FortiGate and the ping traffic resumes.

7. (Optional) Upgrading the firmware for the HA cluster

Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes before you install new firmware.

Click the System Information widget and select Update firmware in System > Firmware. Back up the configuration and update the firmware from FortiGuard or upload a firmware image file. The firmware installs onto both the primary and backup FortiGates.

After the upgrade completes, verify that the System Information widget shows the new firmware version.
