Configuring the FortiGate-5000 active-active cluster - web‑based manager
These procedures assume you are starting with three FortiGate-5001C boards and two FortiSwitch-5003B boards installed in a compatible FortiGate-5000 series chassis. The FortiSwitch-5003B boards are in chassis slots 1 and 2 and the FortiGate-5001C boards are in chassis slots 3, 4, and 5 and the chassis is powered on. All devices are in their factory default configuration. No configuration changes to the FortiSwitch-5003B boards are required.
To configure the FortiGate-5001C units
1. From the internal network, log into the web‑based manager of the FortiGate-5001C unit in chassis slot 3 by connecting to the mgmt1 interface.
| By default the mgmt1 interface of each FortiGate-5001C unit has the same IP address. To log into each FortiGate-5001C unit separately you could either disconnect the mgmt1 interfaces of the units that you don’t want to log into or change the mgmt1 interface IP addresses for each unit by connecting to each unit’s CLI from their console port. |
2. On the System Information dashboard widget, beside Host Name select Change.
3. Enter a new Host Name for this FortiGate unit, for example:
4. Connect to the CLI and enter the following command to display backplane interfaces on the web‑based manager:
config system global
set show-backplane-intf enable
end
5. Set the Administrative Status of the base1 and base 2 interfaces to Up.
You can do this from the web‑based manager by going to System > Network > Interface, editing each interface and setting Administrative Status to Up.
You can also do this from the CLI using the following command:
config system interface
edit base1
set status up
next
edit base2
set status up
end
6. Go to System > Network > Interface and configure the IP address of the mgmt1 interface.
Because mgmt1 will become the reserved management interface for the cluster unit each FortiGate-5001C should have a different mgmt1 interface IP address. Give the mgmt1 interface an address that is valid for the internal network. Once HA with the reserved Management interface is enabled the IP address of the mgmt1 interface can be on the same subnet as the port2 interface (which will also be connected to the Internal network).
After the FortiGate unit is operating in HA mode the mgmt1 interface will retain its original MAC address instead of being assigned a virtual MAC address.
7. Go to System > Config > HA and change the following settings:
Set the Mode to Active-Active.
Select Reserve Management Port for Cluster Member and select mgmt1.
Set the group name and password:
Group Name | example3.com | | |
Password | HA_pass_3 | | |
Set the Heartbeat interface configuration to use base1, base2 and mgmt2 for heartbeat communication. Set the priority of each heartbeat interface to 50:
| Heartbeat Interface | |
| Enable | Priority | |
base1 | Select | 50 | |
base2 | Select | 50 | |
mgmt2 | Select | 50 | |
8. Select OK.
The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces (see
“Cluster virtual MAC addresses”). The MAC addresses of the FortiGate‑5001C interfaces change to the following virtual MAC addresses:
• base1 interface virtual MAC: 00-09-0f-09-00-00
• base2 interface virtual MAC: 00-09-0f-09-00-01
• fabric1 interface virtual MAC: 00-09-0f-09-00-02
• fabric2 interface virtual MAC: 00-09-0f-09-00-03
• fabric3 interface virtual MAC: 00-09-0f-09-00-04
• fabric4 interface virtual MAC: 00-09-0f-09-00-05
• fabric5 interface virtual MAC: 00-09-0f-09-00-06
• mgmt1 keeps its original MAC address
• mgmt2 interface virtual MAC: 00-09-0f-09-00-08
• port1 interface virtual MAC: 00-09-0f-09-00-09
• port2 interface virtual MAC: 00-09-0f-09-00-0a
To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all arp table entries). You may be able to delete the arp table of your management PC from a command prompt using a command similar to arp -d.
You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):
get hardware nic base1
.
.
.
Current_HWaddr 00:09:0f:09:00:00
Permanent_HWaddr 00:09:0f:71:0a:dc
.
.
.
9. Repeat these steps for the FortiGate-5001C units in chassis slots 4 and 5, with the following differences.
Set the mgmt1 interface IP address of each FortiGate-5001C unit to a different IP address.
Set the FortiGate-5001C unit in chassis slot 4 host name to:
Set the FortiGate-5001C unit in chassis slot 5 host name to:
As you configure each FortiGate unit, they will negotiate and join the cluster.
To view cluster status
As you add units to the cluster you can log into the web-based manager of one of the cluster units to view the status of the cluster. The status displays will show each unit as it is added to the cluster.
1. Log into the primary unit or any cluster unit and view the system dashboard.
The System Information dashboard widget shows the Cluster Name (example3.com) and the host names and serial numbers of the Cluster Members. The Unit Operation widget shows multiple cluster units.
2. Go to System > Config > HA to view the cluster members list.
The list shows three cluster units, their host names, their roles in the cluster, and their priorities. You can check this list at any time to confirm that the cluster is operating normally.
If the cluster members list and the dashboard do not display all of the cluster units, they are not functioning as a cluster.
To troubleshoot the cluster
To manage each cluster unit
Because you have configured a reserved management interface, you can manage each cluster unit separately by connecting to the IP address you configured for each unit’s mgmt1 interface. You can view the status of each cluster unit and make changes to each unit’s configuration. For example, as described below, each cluster unit must have its own FortiClient license. You can use the reserved management IP addresses to connect to each cluster unit to install the FortiClient license for that unit.
Usually you would make configuration changes by connecting to the primary unit and changing its configuration. The cluster then synchronizes the configuration changes to all cluster units. If you connect to individual cluster units and change their configuration, those configuration changes are also synchronized to each cluster unit. The exception to this is configuration objects that are not synchronized, such as the host name, FortiClient license and so on.
You can also manage each cluster unit by logging into the primary unit CLI and using the following command to connect to other cluster units:
execute ha manage <cluster-index>
To add basic configuration settings to the cluster
Use the following steps to configure the cluster.
1. Log into the cluster web‑based manager.
You can log into the primary unit or any one of the cluster units using the appropriate mgmt1 IP address.
2. Go to System > Admin > Administrators.
3. Edit admin and select Change Password.
4. Enter and confirm a new password.
5. Select OK.
6. Go to System > Network > Interface and edit the port1 interface. Set this interface IP address to the address required to connect to the interface to the Internet.
7. Edit the port2 interface and set its IP to an IP address for the internal network.
To add a FortiClient license to each cluster unit
Contact your reseller to purchase FortiClient licenses for your cluster units. Each cluster unit must have its own FortiClient license.
When you receive the license keys you can log into
https://support.fortinet.com and add a FortiClient license key to each licensed FortiGate unit. Then, as long as the cluster can connect to the Internet the license keys are downloaded from the FortiGuard network to all of the FortiGate units in the cluster.
You can also use the following steps to manually add the license keys to your cluster units from the web‑based manager. Your cluster must be connected to the Internet.
1. Log into the web‑based manager of each cluster unit using its reserved management interface IP address.
2. Go to the License Information dashboard widget and beside FortiClient select Enter License.
3. Enter the license key and select OK.
4. Confirm that the license has been installed and the correct number of FortiClients are licensed.
5. Repeat for all of the cluster units.
You can also use the following command to add the license key from the CLI:
execute FortiClient-NAC update-registration-license <license-number>
You can connect to the CLIs of each cluster unit using their reserved management IP address.
You can also log into the primary unit CLI and use the execute ha manage command to connect to each cluster unit CLI.