
Configuring virtual clustering

Configuring virtual clustering is the same as configuring standard FGCP HA with the addition of VDOM partitioning. Using VDOM partitioning, you can control the distribution of VDOMs, and the traffic they process, between the FortiGates in the cluster.

VDOM partitioning can be thought of in two parts. First there is configuring the distribution of VDOMs between two virtual clusters. By default, all VDOMs are in virtual cluster 1 and virtual cluster 1 is associated with the primary FortiGate. In this configuration, the primary FortiGate processes all traffic. If you want traffic to be processed by the backup FortiGate, you need to enable virtual cluster 2, move some of the VDOMs to it, and associate virtual cluster 2 with the backup FortiGate.

Note: Since there are only two virtual clusters, even in a virtual clustering configuration of three or four FortiGates only two of the FortiGates process traffic. The third and fourth FortiGates operate in standby mode and process traffic after a failover.

By default, all VDOMs are in virtual cluster 1 and the primary FortiGate processes all traffic.

You associate a virtual cluster with a FortiGate using priorities. The FortiGate with the highest device priority is associated with virtual cluster 1. To associate a FortiGate with virtual cluster 2 you must enable virtual cluster 2 and set the virtual cluster 2 device priority. The FortiGate with the highest virtual cluster 2 device priority processes traffic for the VDOMs added to virtual cluster 2. (Reminder: device priorities are not synchronized.)

Note: If both FortiGates have the same device priority, virtual cluster 1 is associated with the primary FortiGate. If both FortiGates have the same virtual cluster 2 device priority, virtual cluster 2 is associated with the primary FortiGate.

Virtual clustering and the override setting

Enabling virtual cluster 2 also turns on the HA override setting. Enabling override is required for virtual clustering to function as configured. Enabling override causes the cluster to negotiate every time a failure occurs. If override is not enabled, the cluster does not negotiate after every failure. While more frequent negotiation may cause more minor traffic disruptions, with virtual clustering it's more important to negotiate after any failure to make sure the correct traffic flows are maintained.

Example virtual clustering configuration

For example, consider a configuration that includes four VDOMs: root, Engineering, Marketing, and Finance. You can use the following configuration to send root and Engineering traffic to the primary FortiGate and Marketing and Finance traffic to the backup FortiGate.

First, on the primary FortiGate:

  • Set the device priority to 200
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 50
  • Add the Marketing and Finance VDOMs to virtual cluster 2 (secondary-vcluster)
Note: When you enable multiple VDOMs, virtual cluster 2 is enabled by default. Even so, the command to enable virtual cluster 2 is included in this example in case it has been disabled for some reason. Enabling virtual cluster 2 also enables override.

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 200
            set vcluster2 enable
            config secondary-vcluster
                set vdom Marketing Finance
                set priority 50
            end
        end
    end

Then on the backup FortiGate:

  • Set the device priority to 50 (lower than the primary FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 200 (higher than the primary FortiGate).

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 50
            set vcluster2 enable
            config secondary-vcluster
                set priority 200
            end
        end
    end

Note: Since the primary FortiGate has the highest device priority, the primary unit processes all traffic for the VDOMs in virtual cluster 1. Since the backup FortiGate has the highest virtual cluster 2 device priority, the backup FortiGate processes all traffic for the VDOMs in virtual cluster 2. The primary FortiGate configuration adds the VDOMs to virtual cluster 2. All you have to configure on the backup FortiGate for virtual cluster 2 is the virtual cluster 2 (or secondary-vcluster) device priority.

Adding a third FortiGate to the virtual cluster

You can add a third FortiGate to the virtual cluster and configure it so that if the primary FortiGate fails, the third FortiGate becomes the new primary FortiGate, or if the backup FortiGate fails, the third FortiGate becomes the new backup FortiGate.

On the third FortiGate:

  • Set the device priority to 150 (lower than the primary FortiGate but higher than the backup FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 100 (higher than the primary FortiGate but lower than the backup FortiGate)

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 150
            set vcluster2 enable
            config secondary-vcluster
                set priority 100
            end
        end
    end

Adding a fourth FortiGate to the virtual cluster

You can add a fourth FortiGate to the virtual cluster and configure it so that:

  • If the primary FortiGate fails, the third FortiGate becomes the new primary FortiGate and the backup FortiGate continues to operate as the backup FortiGate.
  • If the backup FortiGate fails, the fourth FortiGate becomes the new backup FortiGate.
  • If both the primary and backup FortiGates fail, the third FortiGate becomes the primary FortiGate and the fourth FortiGate becomes the backup FortiGate.

On the fourth FortiGate:

  • Set the device priority to 100 (lower than the primary and third FortiGate but higher than the backup FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 150 (higher than the primary FortiGate and the third FortiGate but lower than the backup FortiGate)

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 100
            set vcluster2 enable
            config secondary-vcluster
                set priority 150
            end
        end
    end
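
The failover outcomes listed for the third and fourth FortiGates can be checked with a small model of the priority rule. The Python below is an added example, not Fortinet code; it assumes priority alone decides ownership among surviving units (a simplification of FGCP negotiation), and the names TEMPLATE, UNITS, parse_priorities and owners are hypothetical.

```python
"""Model of the priority rules on this page (simplified: priority only)."""

TEMPLATE = """config global
config system ha
set mode a-p
set priority {vc1}
set vcluster2 enable
config secondary-vcluster
set priority {vc2}
end
end
end"""

# Constructed input: priorities taken from the four per-unit sections above.
UNITS = {name: TEMPLATE.format(vc1=a, vc2=b) for name, (a, b) in {
    "primary": (200, 50), "backup": (50, 200),
    "third": (150, 100), "fourth": (100, 150)}.items()}


def parse_priorities(cli_text):
    """Return (device priority, virtual cluster 2 priority) from an HA block."""
    prio = {"system ha": None, "secondary-vcluster": None}
    stack = []  # names of the config blocks currently open
    for line in cli_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end":
            stack.pop()
        elif words[:2] == ["set", "priority"] and stack and stack[-1] in prio:
            prio[stack[-1]] = int(words[2])
    return prio["system ha"], prio["secondary-vcluster"]


def owners(units, failed=()):
    """Highest surviving priority wins each virtual cluster; ties are flagged."""
    alive = {n: parse_priorities(t) for n, t in units.items() if n not in failed}
    result = {}
    for idx, vc in enumerate(("vc1", "vc2")):
        best = max(p[idx] for p in alive.values())
        winners = sorted(n for n, p in alive.items() if p[idx] == best)
        result[vc] = winners[0] if len(winners) == 1 else "tie:" + ",".join(winners)
    return result


if __name__ == "__main__":
    for failed in [(), ("primary",), ("backup",), ("primary", "backup")]:
        print(failed or "no failure", owners(UNITS, failed))
```

A "tie:" result marks equal priorities, the case in which the page says the virtual cluster stays with the primary FortiGate.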

Virtual clustering with four FortiGates recommended configuration

As described in the previous sections, here is a recommended device priority configuration for a virtual cluster consisting of four FortiGates. Other configurations are also supported depending on how you want the virtual cluster to respond to a failure.

FortiGate   Device Priority   Virtual Cluster 2 Device Priority
Primary     200               50
Backup      50                100
Third       150               200
Fourth      100               150

Virtual clustering GUI configuration

From the GUI, you configure virtual clustering from the Global menu by going to System > HA, setting the Mode to Active-Passive, and enabling VDOM Partitioning.