FortiGate-5000 active-active HA cluster with FortiClient licenses

To view cluster status

As you add units to the cluster you can log into the CLI of one of the cluster units using its reserved management interface to view the status of the cluster. The status will show each unit as it is added to the cluster.

For example, the following command output shows the status of the cluster when all three cluster units have been added:

get system ha status
Model: FortiGate-5001C
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 slot-5 FG-5KC3E13800084 0
Slave :128 slot-4 FG-5KC3E13800051 1
Slave :128 slot-3 FG-5KC3E13800046 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG-5KC3E13800084
Slave :1 FG-5KC3E13800051
Slave :2 FG-5KC3E13800046

You can use this command to confirm that the cluster is operating normally. For example, if the command shows only two cluster units then one unit has left the cluster for some reason.
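The membership check described above can be automated. The following is an added example, not part of the handbook or of FortiOS: it parses the status output shown on this page and reports units that are missing from the cluster. The function names, the expected-serial list and the reading of the third field as the host name are assumptions.

```python
import re

# Sample input: the `get system ha status` output shown above on this page.
SAMPLE = """\
Model: FortiGate-5001C
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
Master:128 slot-5 FG-5KC3E13800084 0
Slave :128 slot-4 FG-5KC3E13800051 1
Slave :128 slot-3 FG-5KC3E13800046 2
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG-5KC3E13800084
Slave :1 FG-5KC3E13800051
Slave :2 FG-5KC3E13800046
"""
EXPECTED = {"FG-5KC3E13800084", "FG-5KC3E13800051", "FG-5KC3E13800046"}

# Member line: role, priority, host name (assumed), serial number, cluster index.
MEMBER = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_members(text):
    """Return one dict per cluster unit listed before the vcluster section."""
    members = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("number of vcluster"):
            break  # the vcluster section repeats the serials; stop here
        m = MEMBER.match(line)
        if m:
            role, prio, host, serial, index = m.groups()
            members.append(
                dict(role=role, priority=int(prio), host=host, serial=serial, index=int(index)))
    return members

def check_cluster(text, expected_serials):
    """Return a list of problems; an empty list means the cluster looks normal."""
    members = parse_members(text)
    seen = {m["serial"] for m in members}
    problems = [f"missing unit {s}" for s in sorted(set(expected_serials) - seen)]
    problems += [f"unexpected unit {s}" for s in sorted(seen - set(expected_serials))]
    masters = [m["serial"] for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        problems.append(f"expected 1 primary unit, found {len(masters)}")
    return problems
```

Run it on output collected through a reserved management interface and alert on any non-empty result.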

 

To troubleshoot the cluster

See FortiGate-5000 active-active HA cluster with FortiClient licenses on page 1385.

 

To manage each cluster unit

Because you have configured a reserved management interface, you can manage each cluster unit separately by connecting to the IP address you configured for each unit’s mgmt1 interface. You can view the status of each cluster unit and make changes to each unit’s configuration. For example, as described below, each cluster unit must have its own FortiClient license. You can use the reserved management IP addresses to connect to each cluster unit to install the FortiClient license for that unit.

Usually you would make configuration changes by connecting to the primary unit and changing its configuration. The cluster then synchronizes the configuration changes to all cluster units. If you connect to individual cluster units and change their configuration, those configuration changes are also synchronized to each cluster unit. The exception to this is configuration objects that are not synchronized, such as the host name, FortiClient license and so on.

You can also manage each cluster unit by logging into the primary unit CLI and using the following command to connect to other cluster units:

execute ha manage <cluster-index>

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
