Configuring FortiLink for FortiGate HA
With FortiOS 5.4.0 and later releases, a FortiGate operating in HA mode can use FortiLink (to FortiSwitches running FortiSwitchOS 3.3.0 or later releases).
To use FortiLink mode with a pair of FortiGate units in a high-availability cluster, you must connect FortiLink from the switch to both of the FortiGate units.
Highlights of this configuration:
- No console port or direct management is required on the FortiSwitch.
- All the actions described here can be performed from FortiCloud if needed.
- All FortiSwitch internal state and counters are visible when in FortiLink managed mode.
The LAN and WAN links connect to FortiSwitch ports. The FortiSwitch connects to the active and standby FortiGate units. If the standby FortiGate (for example, FGT2) becomes active, this is transparent to the LAN and WAN ports. FortiLink is automatically established to FGT2, and the active traffic path becomes LAN <-> FGT2 <-> WAN.
Note the following points:
- FortiSwitch connects with FortiLink to both of the FortiGate units.
- LAN and WAN links can connect to separate FortiSwitches, as shown in the figure. You can also connect them to the same FortiSwitch (and use VLANs to separate the LAN and WAN traffic).
- Connect the FortiLinks from any two FortiSwitch ports to FGT1 port X and FGT2 port X, where the FortiGate port numbers must match (port1 in the above topology diagram).
- For a logical FortiLink interface with two ports, connect FortiLinks from two additional FortiSwitch ports to FGT1 port Y and FGT2 port Y, where the FortiGate port numbers must match.
Adding a Second FortiGate to Existing Single FortiGate
Connect an additional FortiLink from the FortiSwitch to the new FortiGate, and configure HA on both of the FortiGate units.
Configuration consists of the following major steps:
- Configure “auto-discovery-fortilink enable” on the FortiSwitch ports that you will connect to FGT2. This step is not required if the port is auto-FortiLink by default.
- Add cable connections from FGT2 to the directly-connected FortiSwitches (an exact duplicate of the FGT1-to-FortiSwitch cabling).
- Connect HA cables between FGT1 and FGT2.
- At FGT1: configure FortiGate High Availability using the GUI. For additional information, refer to the High Availability chapter in the FortiOS Handbook.
- At FGT2: Configure FortiGate High Availability using the CLI from the console port. The following parameters must be identical to FGT1:
- Group Name and Password
- At this point, FGT1 synchronizes its configuration to FGT2. This takes several minutes.
- Verify the configuration at FGT2 using the following commands:
get ha status
get system ha status
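The CLI side of the procedure above, as an added example (not configuration from the original page). Port numbers (port22 on the FortiSwitch, port5 as the heartbeat interface), the group name and the priority values are assumptions; the group name and password must be identical on FGT1 and FGT2, and the password is a shared secret between the cluster members, so use a long random value and a dedicated, directly cabled heartbeat link rather than a shared LAN port:

```fortios
# --- FortiSwitch (FortiSwitchOS 3.3.0 or later): enable FortiLink
# --- auto-discovery on the port that will be cabled to FGT2.
# --- port22 is an assumed port number. Skip this step for ports that
# --- are auto-FortiLink by default.
config switch interface
    edit port22
        set auto-discovery-fortilink enable
    next
end

# --- FGT2 (FortiOS 5.4.0 or later), typed on the console port.
# --- group-name and password must match FGT1 exactly.
# --- hbdev (port5) and the priority value are assumptions for this example.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "replace-with-a-long-random-secret"
    set hbdev "port5" 50
    set priority 100
    set override disable
end

# --- FGT2: verify after synchronization has completed (several minutes).
# --- Expect FGT2 to show the cluster members and a slave/standby role.
get system ha status
```

Apply the `config system ha` block on FGT2 only after HA has been configured on FGT1 through the GUI; once the two units form a cluster, FGT1's FortiLink and switch-controller configuration is carried over to FGT2 by HA synchronization, so no FortiLink commands are entered on FGT2.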
Adding the First Switch to Existing HA FortiGates (single FortiLinks)
Connect one FortiSwitch port to each of the FortiGate units. On FGT1, follow the same FortiLink configuration steps as for the non-HA configuration. FGT1 synchronizes the configuration with FGT2.
- Configure two FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for ports that are auto-FortiLink by default.
- Connect one port to FGT1 and the other port to FGT2.
- The FGT1 and FGT2 port numbers must be identical. For example:
- FortiSwitch port21 and port22 connect to FGT1 port4 and FGT2 port4.
- At FGT1, perform the steps to configure FortiLink (as described in FortiLink Configuration Using FortiGate GUI):
- Configure a port to be the FortiLink port
- Authorize the FortiSwitch
- At FGT2, run the command "get switch-controller managed-switch" to verify that the FGT1 configuration was synchronized successfully
Adding the First Switch to Existing FGT HA setup (Logical FortiLink Interface)
In this configuration, connect two FortiSwitch ports to each FortiGate unit. Enter the configuration commands on FGT1 (same commands as for the non-HA configuration). The HA feature synchronizes the configuration to FGT2.
- Configure four FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for ports that are auto-FortiLink by default.
- Connect two ports to FGT1 and the other two ports to FGT2.
- The FGT1 and FGT2 port numbers must be the same. For example:
- FortiSwitch port21 and port22 connect to FGT1 port4 and port5, and FortiSwitch port23 and port24 connect to FGT2 port4 and port5.
- At FGT1, configure the FortiLink interface (as described in FortiLink Configuration Using FortiGate GUI):
- Create the FortiLink logical interface and add the physical ports as members
- Authorize the FortiSwitch
- At FGT2, run command "get switch-controller managed-switch" to verify that the FGT1 configuration was synchronized successfully
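The CLI equivalent of the two FortiLink procedures above (single FortiLink port and logical FortiLink interface), as an added example that is not part of the original page. The FortiSwitch port numbers follow the examples in the text; the logical interface name "fortilink", its aggregate type, and the switch serial number are assumptions, and only one of the two FGT1 variants is applied in a given deployment:

```fortios
# --- FortiSwitch: enable FortiLink auto-discovery on the uplink ports.
# --- Single FortiLink uses port21 and port22; the logical interface
# --- uses all four. Skip for ports that are auto-FortiLink by default.
config switch interface
    edit port21
        set auto-discovery-fortilink enable
    next
    edit port22
        set auto-discovery-fortilink enable
    next
    edit port23
        set auto-discovery-fortilink enable
    next
    edit port24
        set auto-discovery-fortilink enable
    next
end

# --- FGT1, variant A: a single FortiLink port. port4 is used on both
# --- FGT1 and FGT2, so the port number is the same on both units.
config system interface
    edit "port4"
        set fortilink enable
    next
end

# --- FGT1, variant B: a logical FortiLink interface whose members are
# --- port4 and port5 (the same ports on both FGT1 and FGT2).
# --- The name "fortilink" and the aggregate type are assumptions.
config system interface
    edit "fortilink"
        set vdom "root"
        set type aggregate
        set member "port4" "port5"
        set fortilink enable
    next
end

# --- FGT1: authorize the discovered FortiSwitch. The serial number is a
# --- placeholder; read the real one from the managed-switch list first.
get switch-controller managed-switch
config switch-controller managed-switch
    edit "FORTISWITCH-SERIAL"
        set fsw-wan1-admin enable
    next
end

# --- FGT2: confirm that HA synchronized the switch-controller
# --- configuration. The same switch entry should appear here.
get switch-controller managed-switch
```

Nothing is configured on FGT2 for FortiLink: if the switch does not appear in FGT2's managed-switch list, check HA synchronization (`get system ha status`) before touching the FortiLink configuration, since a mismatched FGT1/FGT2 port number is the usual cause of a switch that is managed by one unit but not the other.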
(Optional) Test the HA Capability
Warning: the following is a destructive test that simulates a FortiGate failure. You should conduct this test only in a lab or test network, not in a production network:
- Disconnect power from FGT1 to simulate a failure.
- From the FGT2 GUI:
Check WiFi & Switch Controller > Managed FortiSwitch.
- The FortiSwitch is now visible from the management interface on FGT2.