FortiGate-5000 active-active HA cluster with FortiClient licenses

Example network topology

By default, base1 and base2 are used for heartbeat communication between the FortiGate units. Because these backplane interfaces are hidden from the web-based manager by default, the example also describes how to display them before turning on HA so that base1 and base2 can be selected as HA heartbeat interfaces.

This example also includes using the mgmt2 interface for heartbeat communication for additional heartbeat redundancy.

 

To connect the cluster

1. Connect the FortiGate-5001C port1 interfaces to a switch and connect that switch to the Internet.

2. Connect the FortiGate-5001C port2 interfaces to a switch and connect that switch to the internal network.

3. Connect the FortiGate-5001C mgmt1 interfaces to a switch that connects to the engineering network.

4. Connect the FortiGate-5001C mgmt2 interfaces to a switch for heartbeat communication between them.

 

Configuring the FortiGate-5000 active-active cluster – web-based manager

These procedures assume you are starting with three FortiGate-5001C boards and two FortiSwitch-5003B boards installed in a compatible FortiGate-5000 series chassis. The FortiSwitch-5003B boards are in chassis slots 1 and 2 and the FortiGate-5001C boards are in chassis slots 3, 4, and 5 and the chassis is powered on. All devices are in their factory default configuration. No configuration changes to the FortiSwitch-5003B boards are required.

 

To configure the FortiGate-5001C units

1. From the internal network, log into the web-based manager of the FortiGate-5001C unit in chassis slot 3 by connecting to the mgmt1 interface.

By default the mgmt1 interface of each FortiGate-5001C unit has the same IP address. To log into each FortiGate-5001C unit separately you could either disconnect the mgmt1 interfaces of the units that you don’t want to log into or change the mgmt1 interface IP addresses for each unit by connecting to each unit’s CLI from their console port.

2. Register and apply licenses to the FortiGate unit. This includes FortiCloud activation, and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS). In this example you will leave FortiClient licensing until after you have formed the cluster.


3. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

4. On the System Information dashboard widget, beside Host Name select Change.

5. Enter a new Host Name for this FortiGate unit, for example:

New Name                                  5001C-Slot-3

6. Connect to the CLI and enter the following command to display backplane interfaces on the web-based manager:

config system global
    set show-backplane-intf enable
end

7. Set the Administrative Status of the base1 and base2 interfaces to Up.

You can do this from the web-based manager by going to System > Network > Interface, editing each interface and setting Administrative Status to Up.

You can also do this from the CLI using the following command:

config system interface
    edit base1
        set status up
    next
    edit base2
        set status up
    next
end

8. Go to System > Network > Interface and configure the IP address of the mgmt1 interface.

Because mgmt1 will become the reserved management interface for the cluster unit, each FortiGate-5001C should have a different mgmt1 interface IP address. Give the mgmt1 interface an address that is valid for the internal network. Once HA with the reserved management interface is enabled, the IP address of the mgmt1 interface can be on the same subnet as the port2 interface (which will also be connected to the internal network).

After the FortiGate unit is operating in HA mode the mgmt1 interface will retain its original MAC address instead of being assigned a virtual MAC address.

9. Go to System > HA and change the following settings:

Set the Mode to Active-Active.

Select Reserve Management Port for Cluster Member and select mgmt1.

Set the group name and password:

Group Name                   example3.com

Password                        HA_pass_3

Set the Heartbeat interface configuration to use base1, base2 and mgmt2 for heartbeat communication. Set the priority of each heartbeat interface to 50:

Heartbeat Interface    Enable    Priority
base1                  Select    50
base2                  Select    50
mgmt2                  Select    50


10. Select OK.

The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces. The MAC addresses of the FortiGate-5001C interfaces change to the following virtual MAC addresses:

  • base1 interface virtual MAC: 00-09-0f-09-00-00
  • base2 interface virtual MAC: 00-09-0f-09-00-01
  • fabric1 interface virtual MAC: 00-09-0f-09-00-02
  • fabric2 interface virtual MAC: 00-09-0f-09-00-03
  • fabric3 interface virtual MAC: 00-09-0f-09-00-04
  • fabric4 interface virtual MAC: 00-09-0f-09-00-05
  • fabric5 interface virtual MAC: 00-09-0f-09-00-06
  • mgmt1 keeps its original MAC address
  • mgmt2 interface virtual MAC: 00-09-0f-09-00-08
  • port1 interface virtual MAC: 00-09-0f-09-00-09
  • port2 interface virtual MAC: 00-09-0f-09-00-0a


To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or by deleting all ARP table entries). You may be able to clear the ARP table of your management PC from a command prompt using a command similar to arp -d.

You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the base1 interface virtual MAC address (Current_HWaddr) and the base1 permanent MAC address (Permanent_HWaddr):

get hardware nic base1

Current_HWaddr     00:09:0f:09:00:00
Permanent_HWaddr   00:09:0f:71:0a:dc


11. Repeat these steps for the FortiGate-5001C units in chassis slots 4 and 5, with the following differences:

Set the mgmt1 interface IP address of each FortiGate-5001C unit to a different IP address.

Set the FortiGate-5001C unit in chassis slot 4 host name to:

New Name                                  5001C-Slot-4

Set the FortiGate-5001C unit in chassis slot 5 host name to:

New Name                                  5001C-Slot-5

As you configure each FortiGate unit, they will negotiate and join the cluster.
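The same configuration entered entirely from the CLI, added here as an example and not taken from the handbook text: it covers steps 4 to 9 for the unit in slot 3, the per-unit differences for slots 4 and 5, and the checks to run once negotiation has finished (the get hardware nic check described above applied to the reserved and non-reserved interfaces). The mgmt1 addresses 10.11.101.130 to 10.11.101.132 are placeholders and do not come from the page; ha-mgmt-status and ha-mgmt-interface are the FortiOS 5.4 CLI form of the Reserve Management Port for Cluster Member setting.

```fortios
# Unit in chassis slot 3 (steps 4 to 6): host name and backplane display
config system global
    set hostname "5001C-Slot-3"
    set show-backplane-intf enable
end

# Step 7: bring the backplane heartbeat interfaces up
# Step 8: give mgmt1 a unique address on the internal network (placeholder)
config system interface
    edit "base1"
        set status up
    next
    edit "base2"
        set status up
    next
    edit "mgmt1"
        set ip 10.11.101.130 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 9: active-active HA, base1/base2/mgmt2 as heartbeat interfaces at
# priority 50, mgmt1 reserved for management so it keeps its own MAC and IP
config system ha
    set mode a-a
    set group-name "example3.com"
    set password "HA_pass_3"
    set hbdev "base1" 50 "base2" 50 "mgmt2" 50
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
end

# Units in slots 4 and 5: same procedure, different host name and mgmt1 address
# (slot 4 shown; slot 5 uses "5001C-Slot-5" and 10.11.101.132)
config system global
    set hostname "5001C-Slot-4"
end
config system interface
    edit "mgmt1"
        set ip 10.11.101.131 255.255.255.0
    next
end

# After negotiation, on any member: confirm the cluster formed and that
# only the reserved mgmt1 interface still shows Current_HWaddr equal to
# Permanent_HWaddr, while port1 carries the 00:09:0f:09:00:09 virtual MAC
get system ha status
get hardware nic mgmt1
get hardware nic port1
```

Two points worth checking with these commands. First, the FGCP virtual MAC addresses listed above are derived from the HA group ID, which is 0 here because the page leaves it at the default; the fifth octet of the virtual MAC carries that ID, so two clusters that share a broadcast domain with the same group ID would present identical virtual MACs, and in that situation each cluster needs a distinct group-id under config system ha. Second, because mgmt1 keeps its permanent MAC, a management host's ARP entry for mgmt1 stays valid across negotiation, while entries for port1 and port2 must be refreshed as described above.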

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
