High Availability – Cluster Setup – FortiOS 6.2

Cluster setup

HA active-passive cluster setup

An HA Active-Passive (A-P) cluster can be set up using the GUI or CLI.

This example uses the following network topology:

To set up an HA A-P cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
Mode: Active-Passive
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings at their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost while the cluster negotiates and the FGCP (FortiGate Clustering Protocol) replaces the MAC addresses of the FortiGate's interfaces with the cluster's virtual MAC addresses.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting the device priority, to join the cluster.

To set up an HA A-P cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Change the hostname of the FortiGate:

config system global
    set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.

  4. Enable HA:

config system ha
    set mode a-p
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
end

The number after each heartbeat interface is its heartbeat priority; the interface with the highest priority carries the heartbeat traffic, and the others take over if it fails.

  5. Leave the remaining settings at their default values. They can be changed after the cluster is in operation.
  6. Repeat steps 1 to 5 on the other FortiGate devices, using a different hostname for each (for example Example2_host), to join the cluster.
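The invariant behind both the GUI and CLI procedures above is that every cluster-wide HA setting must be identical on all members and only the device priority may differ. The following script, an added example that is not part of this page or of Fortinet's software, parses the `config system ha` block of each intended member (in the form `show system ha` prints it) and reports mismatches before the units are cabled together. The sample configuration text is constructed for the example; the 128 default priority is the FortiOS default.

```python
"""Compatibility check for FortiGate FGCP cluster members (added example).

Feed check_members() the `config system ha` block of each intended member
and it enforces the page's rule: cluster-wide settings must match and only
`priority` may differ.  Not Fortinet code; the config text is constructed.
"""
import re

# Cluster-wide settings from the page's procedure: identical on all members.
CLUSTER_WIDE = ("mode", "group-name", "hbdev")
DEFAULT_PRIORITY = 128          # FortiOS default device priority
VALID_MODES = {("a-p",), ("a-a",)}


def parse_system_ha(text):
    """Return {setting: [tokens]} for the `set` lines of `config system ha`.
    Quotes are stripped so `set hbdev "ha1" 10` and `set hbdev ha1 10` agree."""
    settings, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip().replace('"', "")
        if line == "config system ha":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r"set\s+(\S+)\s+(.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).split()
    return settings


def hbdev_pairs(tokens):
    """`hbdev ha1 10 ha2 20` -> [("ha1", 10), ("ha2", 20)]; the number is
    the interface's heartbeat priority."""
    if len(tokens) % 2:
        raise ValueError("hbdev needs interface/priority pairs, got %r" % (tokens,))
    return [(tokens[i], int(tokens[i + 1])) for i in range(0, len(tokens), 2)]


def check_members(*configs):
    """Return (errors, notes); empty `errors` means the units can form one cluster."""
    parsed = [parse_system_ha(c) for c in configs]
    errors, notes = [], []
    for key in CLUSTER_WIDE:
        values = {tuple(p.get(key, [])) for p in parsed}
        if len(values) != 1:
            errors.append("%s differs across members: %s" % (key, sorted(values)))
    modes = {tuple(p.get("mode", [])) for p in parsed}
    if modes - VALID_MODES:
        errors.append("mode must be a-p or a-a, got %s" % sorted(modes))
    for i, p in enumerate(parsed):
        try:
            pairs = hbdev_pairs(p.get("hbdev", []))
        except ValueError as exc:
            errors.append("unit %d: %s" % (i, exc))
            continue
        if len(pairs) < 2:
            errors.append("unit %d: only %d heartbeat interface(s); the page uses two "
                          "(ha1, ha2) so one link failure cannot isolate the units "
                          "from each other" % (i, len(pairs)))
        if len({iface for iface, _ in pairs}) != len(pairs):
            errors.append("unit %d: duplicate heartbeat interface" % i)
    priorities = [int(p.get("priority", [DEFAULT_PRIORITY])[0]) for p in parsed]
    if len(set(priorities)) != len(priorities):
        notes.append("device priorities tie (%s): FGCP breaks the tie on other "
                     "criteria, so you have not chosen the primary" % priorities)
    return errors, notes


# Constructed sample input: the two units from the page's A-P procedure plus a
# mistyped joiner.  Unit 2 leaves priority at the default, as the page says.
UNIT1 = """config system global
    set hostname Example1_host
end
config system ha
    set mode a-p
    set group-name "Example_cluster"
    set priority 200
    set hbdev "ha1" 10 "ha2" 20
end
"""
UNIT2 = UNIT1.replace("Example1_host", "Example2_host").replace("    set priority 200\n", "")
BAD_JOINER = UNIT2.replace("Example_cluster", "Example_Cluster").replace(' "ha2" 20', "")

if __name__ == "__main__":
    for label, cfg in (("good joiner", UNIT2), ("bad joiner", BAD_JOINER)):
        errors, notes = check_members(UNIT1, cfg)
        print(label, "errors:", errors, "notes:", notes)
```

The same check applies unchanged to an A-A cluster: only the `mode` token differs, and it too must match on every member.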

HA active-active cluster setup

An HA Active-Active (A-A) cluster can be set up using the GUI or CLI.

This example uses the following network topology:

To set up an HA A-A cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
Mode: Active-Active
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings at their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting the device priority, to join the cluster.

To set up an HA A-A cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Change the hostname of the FortiGate:

config system global
    set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.

  4. Enable HA:

config system ha
    set mode a-a
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
end

  5. Leave the remaining settings at their default values. They can be changed after the cluster is in operation.
  6. Repeat steps 1 to 5 on the other FortiGate devices, using a different hostname for each (for example Example2_host), to join the cluster.

HA virtual cluster setup

An HA virtual cluster can be set up using the GUI or CLI.

To set up an HA virtual cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
Mode: Active-Passive
Device priority: 128 or higher
Group name: Example_cluster
Heartbeat interfaces: ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings at their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting the device priority, to join the cluster.
  7. Go to System > Settings and enable Virtual Domains.
  8. Click Apply. You will be logged out of the FortiGate.
  9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
  10. Create two new VDOMs, such as VD1 and VD2:
    1. Click Create New. The New Virtual Domain page opens.
    2. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
    3. Repeat these steps to create the second VDOM.
  11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster2:
    1. Go to System > HA.
    2. Enable VDOM Partitioning.
    3. Click on the Virtual cluster2 field and select the new VDOMs.
    4. Click OK.

To set up an HA virtual cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Set up a regular A-P cluster. See HA active-passive cluster setup above.
  3. Enable VDOMs:

config system global
    set vdom-mode multi-vdom
end

You will be logged out of the FortiGate.

  4. Create two VDOMs:

config vdom
    edit VD1
    next
    edit VD2
    next
end

  5. Reconfigure the HA settings to be a virtual cluster (in multi-VDOM mode, HA is configured under the global VDOM):

config global
    config system ha
        set vcluster2 enable
        config secondary-vcluster
            set vdom "VD1" "VD2"
        end
    end
end
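The order of the CLI virtual-cluster steps matters: the VDOMs must exist before `secondary-vcluster` can reference them, and once multi-VDOM mode is enabled the `system ha` table is reached through `config global`. The script below, an added example and not part of this page or of FortiOS, takes the VDOMs to create and the subset to move to virtual cluster 2, validates the partition, and renders steps 4 and 5 as one reproducible CLI script (VDOMs not listed for cluster 2 stay in virtual cluster 1). The optional `vcluster2_priority` argument, which emits `set priority` inside `secondary-vcluster`, is not used by the page's procedure and is included here as an assumption about a setting the page leaves at its default.

```python
"""Render the page's virtual-cluster CLI steps from a VDOM partition (added example).

Not Fortinet code.  VDOM names VD1/VD2 are the page's examples; the
`vcluster2_priority` option is an assumption, not something the page sets.
"""


def render_vcluster_config(vdoms, vcluster2_vdoms, vcluster2_priority=None):
    """Return FortiOS CLI text for steps 4 and 5; raise ValueError on a bad partition."""
    if len(set(vdoms)) != len(vdoms):
        raise ValueError("duplicate VDOM name in %r" % (vdoms,))
    if not vcluster2_vdoms:
        raise ValueError("virtual cluster 2 needs at least one VDOM")
    unknown = [v for v in vcluster2_vdoms if v not in vdoms]
    if unknown:
        raise ValueError("VDOM(s) not created by this script: %r" % (unknown,))

    # Step 4: create the VDOMs (must precede the secondary-vcluster reference).
    lines = ["config vdom"]
    for name in vdoms:
        lines += ["    edit %s" % name, "    next"]
    lines.append("end")

    # Step 5: in multi-VDOM mode the HA table is under `config global`.
    secondary = ['            set vdom %s' % " ".join('"%s"' % v for v in vcluster2_vdoms)]
    if vcluster2_priority is not None:      # assumed optional setting, see lead-in
        secondary.append("            set priority %d" % vcluster2_priority)
    lines += ["config global",
              "    config system ha",
              "        set vcluster2 enable",
              "        config secondary-vcluster",
              *secondary,
              "        end",
              "    end",
              "end"]
    return "\n".join(lines) + "\n"


def vcluster1_vdoms(vdoms, vcluster2_vdoms):
    """VDOMs that remain in virtual cluster 1 (root is always present and stays there)."""
    return ["root"] + [v for v in vdoms if v not in vcluster2_vdoms]


if __name__ == "__main__":
    print(render_vcluster_config(["VD1", "VD2"], ["VD1", "VD2"]))
    print("vcluster1:", vcluster1_vdoms(["VD1", "VD2"], ["VD2"]))
```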

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
