
Configuring FortiGates for FGCP HA operation

Each FortiGate in the cluster must have the same HA configuration. Once the cluster is connected, you can configure it in the same way as you would configure a standalone FortiGate. The following example sets the HA mode to active-passive and the HA password to HA_pass.

Note: Make sure your FortiGate interfaces are configured with static IP addresses. If any interface gets its address using DHCP or PPPoE, you should temporarily switch it to a static address and enable DHCP or PPPoE after the cluster has been established.

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to both FortiGates before adding them to the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). All of the FortiGates in a cluster must have the same level of licensing.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.
We recommend that you add FortiToken licenses and FortiTokens to the primary unit after the cluster has formed.

To configure a FortiGate for HA operation - GUI
  1. Power on the FortiGate to be configured.
  2. Log into the GUI.
  3. On the Dashboard System Information dashboard widget, beside Host Name select Change.
  4. Enter a new Host Name for this FortiGate.
    Changing the host name makes it easier to identify individual cluster units when the cluster is operating.
  5. Go to System > HA and change the following settings:
    Mode: Active-Passive
    Group Name: Example_cluster
    Password: HA_pass
    The password must be the same for all FortiGates in the cluster.
    You can accept the default configuration for the remaining HA options and change them later, once the cluster is operating.
  6. Select OK.
    The FortiGate negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.
  7. Power off the FortiGate.
  8. Repeat this procedure for all of the FortiGates in the cluster.
    Once all of the units are configured, continue by connecting the FortiGate HA cluster below.
To configure a FortiGate for HA operation - CLI
  1. Power on the FortiGate to be configured.
  2. Log into the CLI.
  3. Enter the following command to change the FortiGate host name.

    config system global
        set hostname Example1_host
    end

    Changing the host name makes it easier to identify individual cluster units when the cluster is operating.
  4. Enter the following command to enable HA:

    config system ha
        set mode active-passive
        set group-name Example_cluster
        set password HA_pass
    end

    You can accept the default configuration for the remaining HA options and change them later, once the cluster is operating.
    The FortiGate negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate as the HA cluster negotiates and because the FGCP changes the MAC address of the FortiGate interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.
  5. Power off the FortiGate.
  6. Repeat this procedure for all of the FortiGates in the cluster.
    Once all of the units are configured, continue with connecting the FortiGate HA cluster.
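
The requirements above (the same HA mode, group name and password on every unit, and static interface addressing until the cluster has formed) can be checked before the units are cabled together. The following Python check is an added example, not Fortinet code: the function names parse_config and preflight are hypothetical, the two unit configurations are constructed samples in the CLI syntax shown above, and an interface with no "set mode" line is assumed to be static.

```python
# Constructed sample settings for two units (unit B: static wan1, typo in group name).
UNIT_A = """
config system interface
    edit "wan1"
        set mode dhcp
    next
end
config system ha
    set mode active-passive
    set group-name Example_cluster
    set password HA_pass
end
"""
UNIT_B = UNIT_A.replace("set mode dhcp", "set mode static").replace(
    "Example_cluster", "Example_clustr")

def parse_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: value}}}."""
    tree, section, entry, depth = {}, None, "", 0
    for words in (line.split() for line in text.splitlines()):
        kw = words[0] if words else ""
        if kw == "config":
            depth += 1
            if depth == 1:  # nested config blocks are skipped, not parsed
                section, entry = " ".join(words[1:]), ""
        elif kw == "end":
            depth = max(depth - 1, 0)
        elif depth == 1 and kw == "edit" and len(words) > 1:
            entry = words[1].strip('"')
        elif depth == 1 and kw == "set" and len(words) >= 3:
            value = " ".join(words[2:]).strip('"')
            tree.setdefault(section, {}).setdefault(entry, {})[words[1]] = value
    return tree

def preflight(text_a, text_b):
    """Return findings to fix before the two units are connected as a cluster."""
    a, b = parse_config(text_a), parse_config(text_b)
    ha_a, ha_b = (u.get("system ha", {}).get("", {}) for u in (a, b))
    findings = []
    for key in ("mode", "group-name", "password"):
        if ha_a.get(key) is None or ha_a.get(key) != ha_b.get(key):
            # Values are never echoed, so the HA password stays out of the report.
            findings.append(f"ha {key}: missing or different between units")
    for name, unit in (("A", a), ("B", b)):
        for port, cfg in unit.get("system interface", {}).items():
            if cfg.get("mode", "static") in ("dhcp", "pppoe"):
                findings.append(f"unit {name} {port}: {cfg['mode']} addressing, use static")
    return findings
```

Calling preflight(UNIT_A, UNIT_B) on the constructed samples reports the mismatched group name and the DHCP-addressed wan1 interface on unit A; an empty list means the checked settings agree.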

Connecting a FortiGate HA cluster

Use the following procedure to connect a cluster. Connect the cluster units to each other and to your network. You must connect all matching interfaces in the cluster to the same switch, then connect these interfaces to their networks using the same switch.

Although you can use hubs, Fortinet recommends using switches for all cluster connections for the best performance.

Connecting an HA cluster to your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual cluster units are functioning and the cluster completes negotiation. Cluster negotiation is automatic and normally takes just a few seconds. During system startup and negotiation all network traffic is dropped.

This section describes how to connect the cluster shown below, which consists of two FortiGate-100D units to be connected between the Internet and a head office internal network. The wan1 interfaces of the FortiGate connect the cluster to the Internet and the internal interfaces connect the cluster to the internal network. The ha1 and ha2 interfaces are used for redundant HA heartbeat links.

Figure: Example cluster connections

To connect a FortiGate HA cluster
  1. Connect the WAN1 interfaces of each cluster unit to a switch connected to the Internet.
  2. Connect the Port1 interfaces of each cluster unit to a switch connected to the internal network.
  3. Connect the HA1 interfaces of the cluster units together. You can use a crossover Ethernet cable or a regular Ethernet cable. (You can also connect the interfaces using Ethernet cables and a switch.)
  4. Connect the HA2 interfaces of the cluster units together. You can use a crossover Ethernet cable or a regular Ethernet cable. (You can also connect the interfaces using Ethernet cables and a switch.)
  5. Power on both of the FortiGates.

As the cluster units start, they negotiate to choose the primary unit and the subordinate unit. This negotiation occurs with no user intervention and normally just takes a few seconds.

At least one heartbeat interface should be connected together for the cluster to operate.

Do not use a switch port for the HA heartbeat traffic. This configuration is not supported.

You could use one switch to connect all four heartbeat interfaces. However, this is not recommended because if the switch fails, both heartbeat interfaces will become disconnected.

  6. You can now configure the cluster as if it is a single FortiGate.

Verifying the cluster status from the Unit Operation dashboard widget

The Unit Operation dashboard widget includes the serial number and hostname of all of the FortiGates in the cluster as well as an indication of the sync status of each cluster member.