Chapter 9 High Availability for FortiOS 5.0 : Configuring and connecting HA clusters : Example: advanced Transparent mode active-active HA configuration : Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - CLI
  
Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - CLI
Use the following procedures to configure the three FortiGate-5005FA2 units for Transparent mode HA operation using the FortiGate CLI.
To configure the FortiGate-5005FA2 units
1. Power on the first FortiGate unit by inserting it into chassis slot 5.
2. Connect port1 to the network and log into the CLI.
You can also use a console connection.
3. Change the host name for this FortiGate unit. For example:
config system global
set hostname 5005_ha_1
end
4. Enable showing backplane interfaces.
config system global
set show-backplane-intf enable
end
5. Make sure the administrative status and link status are up for base1 and fabric1.
Enter get system interface to view the status of these interfaces.
You can use the following commands to set the administrative status to up for these interfaces:
config system interface
edit base1
set status up
next
edit fabric1
set status up
end
6. Configure HA settings.
config system ha
set mode a-a
set group-name example3.com
set password HA_pass_3
set hbdev base1 50 port4 50
end
 
This is the minimum recommended configuration for an active-active HA cluster. You can also configure other HA options, but if you wait until after the cluster is operating, you only have to configure these options once for the cluster instead of separately for each cluster unit.
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC addresses”). The MAC addresses of the cluster unit interfaces change to the following virtual MAC addresses:
base1 interface virtual MAC: 00-09-0f-09-00-00
base2 interface virtual MAC: 00-09-0f-09-00-01
fabric1 interface virtual MAC: 00-09-0f-09-00-02
fabric2 interface virtual MAC: 00-09-0f-09-00-03
port1 interface virtual MAC: 00-09-0f-09-00-04
port2 interface virtual MAC: 00-09-0f-09-00-05
port3 interface virtual MAC: 00-09-0f-09-00-06
port4 interface virtual MAC: 00-09-0f-09-00-07
port5 interface virtual MAC: 00-09-0f-09-00-08
port6 interface virtual MAC: 00-09-0f-09-00-09
port7 interface virtual MAC: 00-09-0f-09-00-0a
port8 interface virtual MAC: 00-09-0f-09-00-0b
To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic port1
.
.
.
Current_HWaddr 00:09:0f:09:00:04
Permanent_HWaddr 00:09:0f:71:0a:dc
.
.
.
7. Display the HA configuration (optional).
get system ha
group-id : 0
group-name : example3.com
mode : a-a
password : *
hbdev : "base1" 50 "port4" 50
session-sync-dev :
route-ttl : 10
route-wait : 0
route-hold : 10
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-lost-threshold : 20
helo-holddown : 20
arps : 5
arps-interval : 8
session-pickup : disable
link-failed-signal : disable
uninterruptible-upgrade: enable
ha-mgmt-status : disable
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
subsecond : disable
vcluster2 : disable
vcluster-id : 1
override : disable
priority : 128
schedule : round-robin
monitor :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-flip-timeout: 60
vdom : "root"
load-balance-all : disable
8. Repeat these steps for the second and third FortiGate units.
Set the second FortiGate unit host name to:
config system global
set hostname 5005_ha_2
end
Set the third FortiGate unit host name to:
config system global
set hostname 5005_ha_3
end
As you insert and configure each FortiGate unit, the units negotiate and join the cluster using the base1 interface for HA heartbeat communication.
To connect the cluster to the network
1. Connect the port1 interfaces of the cluster to a switch that can connect to the router and the internal network.
2. Connect the port4 interfaces of the cluster units together using a switch.
These interfaces become the backup heartbeat interfaces.
3. Connect one of the FortiSwitch-5003A front panel fabric interfaces (for example, F3) to the engineering network.
To switch the cluster to Transparent mode
1. Log into the cluster CLI.
2. Change to Transparent mode.
config system settings
set opmode transparent
set manageip 10.22.101.20/24
set gateway 10.22.101.1
end
The cluster switches to Transparent mode.
You can now connect to the cluster CLI using SSH to connect to the cluster internal interface using the management IP address (10.22.101.20).
To view cluster status
Use the following steps to view cluster status from the CLI.
1. Log into the CLI.
2. To verify the HA status of the cluster unit that you logged into, enter the CLI command get system status. Look for the following information in the command output.
Current HA mode: a-a, master
The cluster units are operating as a cluster and you have connected to the primary unit.
Current HA mode: a-a, backup
The cluster units are operating as a cluster and you have connected to a subordinate unit.
Current HA mode: standalone
The cluster unit is not operating in HA mode.
3. Enter the following command to confirm the HA configuration of the cluster:
get system ha status
Model: 5005
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master:128 5005_ha_1 FG5A253E07600124 0
Slave :128 5005_ha_2 FG5A253E06500088 1
Slave :128 5005_ha_3 FG5A253E06500099 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG5A253E07600124
Slave :1 FG5A253E06500088
Slave :2 FG5A253E06500099
The command output shows all of the cluster units, their host names, their roles in the cluster, and their priorities. You can use this command to confirm that the cluster is operating normally. For example, if the command shows fewer cluster units than you added, a unit has left the cluster for some reason.
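As an added example that is not part of the FortiOS documentation, the following Python parses the get system ha status output shown above and reports a missing unit or a cluster without exactly one master; the sample output is constructed from this procedure, and the expected host names are passed in by the caller.

```python
# Added example (not FortiOS documentation code): parse the FortiOS 5.0
# 'get system ha status' output shown above and flag an unhealthy cluster.
# Constructed sample: the output of the three-unit cluster in this procedure.
import re

SAMPLE_HA_STATUS = """\
Model: 5005
Mode: a-a
ses_pickup: disable
schedule: round robin
Master:128 5005_ha_1 FG5A253E07600124 0
Slave :128 5005_ha_2 FG5A253E06500088 1
Slave :128 5005_ha_3 FG5A253E06500099 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG5A253E07600124
Slave :1 FG5A253E06500088
Slave :2 FG5A253E06500099
"""

# Member lines: "<role>:<priority> <host name> <serial number> <cluster index>".
# The shorter per-vcluster lines ("Master:0 <serial>") do not match this pattern.
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:(\d+)\s+(\S+)\s+(FG\S+)\s+(\d+)\s*$")


def parse_ha_status(text):
    """Return (settings dict, list of member dicts) from the command output."""
    settings, members = {}, []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            role, prio, host, serial, idx = m.groups()
            members.append({"role": role, "priority": int(prio), "hostname": host,
                            "serial": serial, "index": int(idx)})
        elif ":" in line and not line.startswith(("Master", "Slave")):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings, members


def check_cluster(text, expected_hosts, expected_mode="a-a"):
    """Return a list of problems; an empty list means every expected unit is present."""
    settings, members = parse_ha_status(text)
    problems = []
    if settings.get("Mode") != expected_mode:
        problems.append("mode is %r, expected %r" % (settings.get("Mode"), expected_mode))
    if sum(m["role"] == "Master" for m in members) != 1:
        problems.append("expected exactly one master unit")
    missing = set(expected_hosts) - {m["hostname"] for m in members}
    for host in sorted(missing):
        problems.append("%s has left the cluster" % host)
    return problems
```

Run check_cluster against the captured output of each unit you expect in the cluster; a non-empty result is the condition the troubleshooting section below refers to.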
To troubleshoot the cluster configuration
If the cluster members list and the dashboard do not display information for all of the cluster units, the FortiGate units are not functioning as a cluster. See “Troubleshooting HA clusters” to troubleshoot the cluster.
To add a password for the admin administrative account
1. Add a password for the admin administrative account.
config system admin
edit admin
set password <psswrd>
end