Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - web‑based manager
These procedures assume you are starting with three FortiGate-5005FA2 units with factory default settings but not installed in chassis slots and a FortiSwitch-5003A board installed in chassis slot 1. The chassis is powered on. This configuration works for a FortiGate-5050 chassis or for a FortiGate-5140 chassis. No configuration changes to the FortiSwitch-5003A board are required.
To configure the FortiGate-5005FA2 units
1. Power on the first FortiGate unit by inserting it into chassis slot 5.
2. Connect port1 to the network and log into the web‑based manager.
3. On the System Information dashboard widget, beside Host Name select Change.
4. Enter a new Host Name for this FortiGate unit.
5. Select OK.
6. Go to System > Network > Interfaces and select Show backplane interfaces.
7. Make sure the administrative status and link status is for base1 and fabric1.
You can edit the interface to set the administrative status to up. The link status will be up if the administrative status is up and the FortiGate-5005FA2 board can connect to the FortiSwitch-5003A board.
8. Go to System > Config > HA and change the following settings:
Mode | Active-Active | |
Group Name | example3.com | |
Password | HA_pass_3 | |
Heartbeat Interface | |
| Enable | Priority |
base1 | Select | 50 |
fabric1 | Clear check box | 0 |
fabric2 | Clear check box | 0 |
port4 | Select | 50 |
9. Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces (see
“Cluster virtual MAC addresses”). The MAC addresses of the FortiGate‑5005FA2 interfaces change to the following virtual MAC addresses:
• base1 interface virtual MAC: 00-09-0f-09-00-00
• base2 interface virtual MAC: 00-09-0f-09-00-01
• fabric1 interface virtual MAC: 00-09-0f-09-00-02
• fabric2 interface virtual MAC: 00-09-0f-09-00-03
• port1 interface virtual MAC: 00-09-0f-09-00-04
• port2 interface virtual MAC: 00-09-0f-09-00-05
• port3 interface virtual MAC: 00-09-0f-09-00-06
• port4 interface virtual MAC: 00-09-0f-09-00-07
• port5 interface virtual MAC: 00-09-0f-09-00-08
• port6 interface virtual MAC: 00-09-0f-09-00-09
• port7 interface virtual MAC: 00-09-0f-09-00-0a
• port8 interface virtual MAC: 00-09-0f-09-00-0b
To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries). You may be able to delete the arp table of your management PC from a command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
Current_HWaddr 00:09:0f:09:00:04
Permanent_HWaddr 00:09:0f:71:0a:dc
.
.
.
10. Power off the first FortiGate unit.
11. Repeat these steps for the second and third FortiGate units, with the following difference.
Set the second FortiGate unit host name to:
Set the third FortiGate unit host name to:
As you insert and configure each FortiGate unit, they will negotiate and join the cluster using the base1 interface for HA heartbeat communication.
To connect the cluster to the network
1. Connect the port1 interfaces of the cluster to a switch that can connect to the router and the internal network.
2. Connect the port4 interfaces of the cluster units together using a switch.
These interfaces become the backup heartbeat interface.
3. Connect one of the FortiSwitch-5003A front panel fabric interfaces (for example, F3) to the engineering network.
To switch the cluster to operate in Transparent mode
Switching from NAT/Route to Transparent mode also involves adding the Transparent mode management IP address and default route.
1. Log into the web‑based manager.
2. Under System Information, beside Operation Mode select Change.
3. Set Operation Mode to Transparent.
4. Configure basic Transparent mode settings.
Operation Mode | Transparent |
Management IP/Mask | 10.22.101.20/24 |
Default Gateway | 10.22.101.1 |
5. Select Apply.
The cluster switches to operating in Transparent mode. The virtual MAC addresses assigned to the cluster interfaces do not change. You must login again using the new TP address.
To view cluster status
Use the following steps to view the cluster dashboard and cluster members list to confirm that the cluster units are operating as a cluster.
1. View the system dashboard.
The System Information dashboard widget shows the Cluster Name (example3.com) and the host names and serial numbers of the Cluster Members. The Unit Operation widget shows multiple cluster units.
2. Go to System > Config > HA to view the cluster members list.
The list shows three cluster units, their host names, their roles in the cluster, and their priorities. You can use this list to confirm that the cluster is operating normally.
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for both cluster units, the FortiGate units are not functioning as a cluster. See
“Troubleshooting HA clusters” to troubleshoot the cluster.
To add basic configuration settings to the cluster
Use the following steps to configure the cluster. The following are example configuration steps only and do not represent all of the steps required to configure the cluster for a given network.
1. Log into the cluster web‑based manager.
2. Go to System > Admin > Administrators.
3. For admin, select the Change Password icon
4. Enter and confirm a new password.
5. Select OK.
The default route was changed when you switched to Transparent mode.