Converting a standalone FortiGate to a cluster

In this recipe, a backup FortiGate is installed and connected to a previously installed FortiGate, providing redundancy if the primary FortiGate fails.

1. Adding the backup FortiGate and configuring HA

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
If you have not already done so, register the primary FortiGate and apply licenses to it before setting up the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). All of the FortiGates in a cluster must have the same level of licensing. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.
We recommend that you add FortiToken licenses and FortiTokens to the primary unit after the cluster has formed.

  • Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGates. If your FortiGate does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function.

    A switch must be used between the FortiGates and the Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.

  • Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.

    Change the unit's Host Name to identify it as the primary FortiGate.

  • In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password.

    Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

  • Connect to the backup FortiGate and go to System > Dashboard > Status.

    Change the unit's Host Name to identify it as the backup FortiGate.

  • Configure HA Status and set the Mode to Active-Passive.

    Set the Device Priority to be lower than the primary FortiGate. Ensure that the Group Name and Password match those on the primary FortiGate.

    Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

  • Connect to the primary FortiGate and go to System > HA to view the cluster information.

  • Select View HA Statistics for more information on how the cluster is operating and processing traffic.

2. Results

Normally, traffic should now be flowing through the primary FortiGate. However, if the primary FortiGate is unavailable, traffic should fail over and the backup FortiGate will be used. Failover will also cause the primary and backup FortiGates to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the Ping results, until traffic diverts to the backup FortiGate, allowing the Ping traffic to continue.

If you are using port monitoring, you can also unplug the primary FortiGate's Internet-facing interface to test failover.
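
To put a number on the pause seen during the failover test, the following added example (not part of the original recipe) parses timestamped output from Linux `ping -D` and reports each run of lost replies. The sample capture, the 192.0.2.1 target and the `max_seconds` threshold are constructed assumptions.

```python
import re

# Constructed sample: Linux `ping -D` output captured during a failover test.
# 192.0.2.1 is a documentation address standing in for the pinged target.
SAMPLE = """\
[1700000000.000000] 64 bytes from 192.0.2.1: icmp_seq=1 ttl=57 time=11.9 ms
[1700000001.001000] 64 bytes from 192.0.2.1: icmp_seq=2 ttl=57 time=12.1 ms
[1700000002.002000] 64 bytes from 192.0.2.1: icmp_seq=3 ttl=57 time=12.0 ms
[1700000006.004000] 64 bytes from 192.0.2.1: icmp_seq=7 ttl=57 time=12.4 ms
[1700000007.005000] 64 bytes from 192.0.2.1: icmp_seq=8 ttl=57 time=12.2 ms
"""

# Matches one echo-reply line: "[epoch] N bytes from host: icmp_seq=N ..."
REPLY = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from \S+ icmp_seq=(\d+) ")


def parse_replies(text):
    """Return [(timestamp, icmp_seq), ...] for every echo-reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            replies.append((float(m.group(1)), int(m.group(2))))
    return replies


def find_outages(replies):
    """Return one dict per run of missing sequence numbers."""
    outages = []
    for (t_prev, s_prev), (t_next, s_next) in zip(replies, replies[1:]):
        lost = s_next - s_prev - 1
        if lost > 0:  # a gap in icmp_seq means replies were dropped
            outages.append({
                "first_lost_seq": s_prev + 1,
                "last_lost_seq": s_next - 1,
                "lost": lost,
                # time between last reply before and first reply after the gap
                "seconds": round(t_next - t_prev, 3),
            })
    return outages


def failover_ok(outages, max_seconds):
    """True if exactly one outage occurred and it lasted <= max_seconds
    (max_seconds is a hypothetical acceptance threshold, not from the recipe)."""
    return len(outages) == 1 and outages[0]["seconds"] <= max_seconds


if __name__ == "__main__":
    for outage in find_outages(parse_replies(SAMPLE)):
        print(outage)
```

More than one outage in a single test run suggests the cluster changed roles more than once, which is worth checking against the HA statistics page.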