Virtual clustering overview
Virtual clustering is an extension of the FGCP that provides failover protection between two instances of one or more VDOMs operating on two FortiGates in a virtual cluster.
A standard virtual cluster consists of up to four FortiGates operating in active-passive or active-active HA mode with multiple VDOMs enabled.
Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate and traffic for other VDOMs to the backup FortiGate. Traffic distribution between both FortiGates can potentially improve throughput. If a failure occurs and only one FortiGate continues to operate, all traffic fails over to that FortiGate, similar to normal HA. If the failed FortiGates restart, the configured traffic distribution is restored.
Active-active virtual clustering operates the same way as standard FGCP active-active HA, distributing traffic to all of the FortiGates in the cluster using FGCP load balancing.
In an active-passive virtual cluster of two FortiGates, the primary and backup FortiGates share traffic processing according to the VDOM partitioning configuration. If you add a third or fourth FortiGate, the primary and first backup FortiGate process all traffic and the other one or two FortiGates operate in standby mode. If the primary or first backup FortiGate fails, one of the other FortiGates becomes the new primary or backup FortiGate and begins processing traffic.
The figure below shows an example virtual cluster configuration consisting of two FortiGates. The virtual cluster has two VDOMs, root and Eng_vdm.
Example virtual cluster
The root VDOM includes the port1 and port2 interfaces. The Eng_vdm VDOM includes the port5 and port6 interfaces. The port3 and port4 interfaces (not shown in the diagram) are the HA heartbeat interfaces.
If you don't want active-passive virtual clustering to distribute traffic between FortiGates, you can configure VDOM partitioning to send traffic for all VDOMs to the primary unit. The result is the same as standard active-passive FGCP HA: all traffic is processed by the primary FortiGate.
Separation of VDOM traffic
Virtual clustering creates a cluster between instances of each VDOM on the two FortiGates in the virtual cluster. All traffic to and from a given VDOM is sent to one of the FortiGates where it stays within its VDOM and is only processed by that VDOM. One FortiGate is the primary FortiGate for each VDOM and one FortiGate is the backup FortiGate for each VDOM. The primary FortiGate processes all traffic for its VDOMs. The backup FortiGate processes all traffic for its VDOMs.
If your cluster has a VLAN that is part of a different VDOM than the physical interface that the VLAN has been added to, then you must configure VDOM partitioning to keep traffic for both of these VDOMs on the same FortiGate.
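The VLAN rule above can be checked against a planned VDOM partitioning before it is applied. The following Python sketch is an added example, not Fortinet code: it groups VDOMs that must stay on the same FortiGate and reports any group that a plan splits. The Sales_vdm VDOM, the port7 interface, the vlan100 VLAN and both plans are constructed for illustration; root, Eng_vdm and port1/2/5/6 come from the example cluster above.

```python
from collections import defaultdict

# Constructed sample inventory (Sales_vdm, port7 and vlan100 are hypothetical).
PHYS_VDOM = {"port1": "root", "port2": "root",
             "port5": "Eng_vdm", "port6": "Eng_vdm", "port7": "Sales_vdm"}
# VLAN name -> (parent physical interface, VDOM the VLAN belongs to)
VLANS = {"vlan100": ("port5", "Sales_vdm")}

def colocation_groups(phys_vdom, vlans):
    """Group VDOMs that must share a FortiGate because a VLAN in one VDOM
    sits on a physical interface that belongs to another VDOM."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path compression
            v = parent[v]
        return v

    for vdom in phys_vdom.values():
        find(vdom)
    for parent_if, vlan_vdom in vlans.values():
        a, b = find(vlan_vdom), find(phys_vdom[parent_if])
        if a != b:
            parent[a] = b  # VLAN's VDOM and its interface's VDOM are tied
    groups = defaultdict(set)
    for v in list(parent):
        groups[find(v)].add(v)
    return sorted(sorted(g) for g in groups.values())

def split_groups(groups, partition):
    """Return groups whose VDOMs the plan places on different FortiGates.
    partition maps each VDOM to the unit that is primary for it."""
    return [g for g in groups if len({partition[v] for v in g}) > 1]

# Constructed plans: the first separates Sales_vdm from Eng_vdm, the second does not.
BAD_PLAN = {"root": "primary", "Eng_vdm": "backup", "Sales_vdm": "primary"}
GOOD_PLAN = {"root": "primary", "Eng_vdm": "backup", "Sales_vdm": "backup"}

if __name__ == "__main__":
    groups = colocation_groups(PHYS_VDOM, VLANS)
    print("must stay together:", groups)
    print("split by BAD_PLAN:", split_groups(groups, BAD_PLAN))
    print("split by GOOD_PLAN:", split_groups(groups, GOOD_PLAN))
```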
Virtual clustering and heartbeat interfaces
The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.
Virtual clustering and load balancing
There are two ways to configure load balancing for virtual clustering. The first is to set the HA mode to active-active. The second is to configure VDOM partitioning. For virtual clustering, setting the HA mode to active-active has the same result as active-active HA for a cluster without virtual domains. The primary FortiGate receives all sessions and load balances them among the cluster units according to the load balancing schedule. All cluster units process traffic for all virtual domains.
In an active-passive virtual clustering configuration, you can configure a form of load balancing by using VDOM partitioning to distribute traffic between the primary and backup FortiGates. While a cluster is operating, you can change the VDOM partitioning configuration to change the distribution of traffic between the cluster units. For example, if you have two VDOMs with high traffic volume you can set up VDOM partitioning so that different FortiGates process the traffic for each high-volume VDOM. If over time traffic patterns change you can dynamically re-adjust VDOM partitioning to optimize traffic throughput. VDOM partitioning can be changed at any time with only minor traffic disruptions.