FortiGate VM High Availability VMware configuration

Leave a reply

High Availability VMware configuration

If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

To enable promiscuous mode in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect heartbeat interfaces.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.

You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces and the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.

To make the required changes in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect FortiGate VM interfaces.
  4. Set MAC Address ChangestoAccept.
  5. Set Forged Transmits to Accept.

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:

  • Select the name of the FortiGate VM you deployed in the inventory list and select Power on the virtual machine in the Getting Started
  • In the inventory list, right-click the name of the FortiGate VM you deployed, and select Power > Power On. l Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On button on the toolbar.

Select the Console tab to view the console. To enter text, you must click in the console pane. The mouse is then captured and cannot leave the console screen. As the FortiGate console is text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.

This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.