Chapter 9 High Availability for FortiOS 5.0 : Configuring and connecting HA clusters : Example: converting a standalone FortiGate unit to a cluster
  
Example: converting a standalone FortiGate unit to a cluster
You can convert an already configured and installed FortiGate unit into a cluster by configuring this FortiGate unit to be a primary unit and then adding subordinate units.
General configuration steps:
1. Configure the original FortiGate unit for HA operation.
2. Set the HA Device Priority of the original FortiGate unit to 255 to make sure that this FortiGate unit becomes the primary unit after cluster negotiation and synchronization.
3. Back up the configuration of the original FortiGate unit.
4. Configure one or more new FortiGate units with the same HA configuration as the original FortiGate unit with one exception. Keep the Unit Priority at the default setting, which is 128.
5. Connect the FortiGate units to form a cluster and connect the cluster to your network.
When you power on all of the FortiGate units in the cluster, the original FortiGate unit becomes the primary unit. Its configuration is synchronized to all of the subordinate units. The entire cluster now operates with the original FortiGate unit configuration. No further configuration changes are required.
The new FortiGate units must:
Have the same hardware configuration as the original FortiGate unit, including the same hard disk configuration and the same AMC cards installed in the same slots.
Have the same firmware build as the original FortiGate unit.
Be set to the same operating mode (NAT or Transparent) as the original FortiGate unit.
Be operating in single VDOM mode.
In addition to one or more new FortiGate units, you need sufficient switches to connect all of the FortiGate interfaces in the cluster. Generally you will need one switch per interface, as it will have to connect that same interface on all cluster units. That is, all port1 interfaces use the port1 switch, port2 interfaces use the port2 switch, and so on. Intelligent switches that can be partitioned can reduce your switch requirements.
Converting a FortiGate unit to a primary unit and adding the subordinate unit or units results in a brief service interruption as you disconnect and reconnect FortiGate interfaces and as the cluster negotiates. Therefore, conversion should only be done during off-peak hours.
 
Make sure your FortiGate interfaces are configured with static IP addresses. If any interface gets its address using DHCP you will not be able to configure HA.
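The prerequisites above can be checked against configuration backups of the original and new units before any cabling changes. The following Python check is an added example, not Fortinet code; it assumes the text layout of FortiOS backup files (a #config-version= header carrying model, build, opmode and vdom fields, with vdom=0 meaning single VDOM mode, followed by config ... end blocks), and both backups shown are constructed and abbreviated.

```python
import re

# Constructed, abbreviated backups (not from real units; build numbers are placeholders).
HEAD = "#config-version=FG620B-5.00-FW-build{}:opmode=0:vdom=0:user=admin\n"
ORIGINAL = HEAD.format("0001") + """config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
config system ha
    set group-name "example4.com"
    set mode a-a
    set priority 255
end
"""
# New unit as first found: other build, DHCP on port1, priority left at default.
NEW = (ORIGINAL.replace("build0001", "build0002")
       .replace("set ip 192.0.2.1 255.255.255.0", "set mode dhcp")
       .replace("    set priority 255\n", ""))

def parse(backup):
    """Pull out the header fields and the HA/interface settings the checklist needs."""
    # Assumed header layout: model-version-build, then opmode and vdom flags.
    head = re.match(r"#config-version=([^:]+):opmode=(\d):vdom=(\d)", backup)
    def section(name):  # body of a top-level "config <name> ... end" block
        m = re.search(rf"^config {name}\n(.*?)^end$", backup, re.S | re.M)
        return m.group(1) if m else ""
    ha = dict(re.findall(r'set (\S+) "?([^"\n]+)"?', section("system ha")))
    dhcp = [m.group(1) for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next',
                                            section("system interface"), re.S)
            if "set mode dhcp" in m.group(2)]
    return dict(build=head[1], opmode=head[2], vdom=head[3], ha=ha, dhcp=dhcp)

def preflight(original, new):
    """Return the problems that would block the conversion; an empty list means go."""
    o, n = parse(original), parse(new)
    problems = []
    if o["build"] != n["build"]:
        problems.append("model or firmware build differs")
    if o["opmode"] != n["opmode"]:
        problems.append("operating mode (NAT/Transparent) differs")
    if n["vdom"] != "0":
        problems.append("new unit is not in single VDOM mode")
    problems += [f"HA {k} differs" for k in ("mode", "group-name")
                 if o["ha"].get(k) != n["ha"].get(k)]
    # A priority missing from the backup is treated as the default, 128.
    if int(o["ha"].get("priority", 128)) <= int(n["ha"].get("priority", 128)):
        problems.append("original unit's device priority is not higher")
    for unit, cfg in (("original", o), ("new", n)):
        problems += [f"{unit} unit: {i} uses DHCP" for i in cfg["dhcp"]]
    return problems
```

The HA password is not compared, since the constructed backups omit it; hardware details such as disks and AMC cards still need a physical check.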
To configure the original FortiGate unit for HA operation
1. Connect to the FortiGate unit web‑based manager.
2. Go to System > Config > HA.
3. Configure the FortiGate unit for HA operation.
    Mode              Active-Active
    Device Priority   255
    Group Name        example4.com
    Password          HA_pass_4
You can make other HA configuration changes after the cluster is operating.
4. Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and because the FGCP changes the MAC address of the FortiGate unit interfaces (see “Cluster virtual MAC addresses”).
To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.
5. Configure the new FortiGate units with the same HA configuration as the original FortiGate unit. The one exception is to keep the device priorities of the new FortiGate units at 128 to ensure the original FortiGate unit will become the primary unit in the new cluster.
    Mode              Active-Active
    Device Priority   128
    Group Name        example4.com
    Password          HA_pass_4
6. Configure the other FortiGate units to the same operation mode as the original FortiGate unit.
There is no need to make any other configuration changes (including network configuration changes) to the other FortiGate units.
7. Optionally power off all of the cluster units.
If you don’t power off all of the units they may not negotiate to form a cluster when they are connected together.
8. Connect the cluster to your network.
For example, for a configuration similar to the FortiGate-620B cluster configuration described in this chapter, see “To connect the cluster to the network”.
9. Power on all of the cluster units.
As the units start they change their MAC addresses and then negotiate to choose the primary unit and the subordinate units. This negotiation occurs with no user intervention and normally takes less than a minute.
The original FortiGate unit becomes the primary unit because the device priority of the original FortiGate unit is higher than the device priority of the other FortiGate units. The configuration of the original FortiGate unit is synchronized to all the cluster units. As a result, the cluster is quickly up and running and configured for your network. No further configuration changes are required.