High Availability with two FortiGates


In this recipe, a backup FortiGate unit will be installed and connected to a previously installed primary FortiGate to provide redundancy if the primary FortiGate fails.

Before you start, both FortiGates should be running the same FortiOS firmware version, and their interfaces should not be configured to get addresses from DHCP or PPPoE.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

This setup, called FortiGate High Availability (HA), improves network reliability. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, and FortiClient, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMS). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

2. Configuring the Primary FortiGate for HA

Connect to the primary FortiGate GUI and from the System Information Dashboard widget change the Host Name to identify this as the primary FortiGate in the HA cluster.


Also on the System Information widget, configure HA Status (or go to System > HA). Set the Mode to Active-Passive. Set the Device Priority to a higher value than the default to make sure this FortiGate will always be the primary FortiGate. Also set a Group Name and Password.

Make sure that the two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

Since the backup FortiGate is not available, when you save the HA configuration the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS clusters on your network you may need to change the cluster group id using this CLI command:

    config system ha
        set group-id 25
    end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is quiet.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and from the System Information Dashboard widget change the Host Name to identify this as the backup FortiGate.

 

Also on the System Information widget, configure HA Status (or go to System > HA) and duplicate the HA configuration of the primary FortiGate (except for the Device Priority): set the Mode to Active-Passive, set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also set the same Group Name and Password as the primary FortiGate.

Make sure that the two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

When you save the backup FortiGate’s HA configuration, the FortiGates will find each other and form a cluster of two FortiGates. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

If you changed the cluster group id on the primary unit, change it on the backup unit as well using this CLI command:

    config system ha
        set group-id 25
    end

5. Viewing the cluster status

Connect to the primary FortiGate GUI. The System Information widget displays the HA status and some information about the cluster. For example, the System Information widget can indicate when the configurations of the cluster units are not synchronized.

On the System Information widget, select HA Status (or go to System > HA) to view the cluster status.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.
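The following is an added example, not part of the original recipe, showing steps 2 to 5 as FortiOS CLI (5.4-era syntax) instead of GUI clicks. This is useful when you want to script the setup or audit an existing cluster against a known-good configuration. The hostnames, group name, the priorities 200 and 100, and the choice of port1 and port2 as monitored traffic interfaces are assumptions; the group-id 25 and the heartbeat interfaces port3 and port4 with priority 50 come from the recipe; the HA password is a placeholder. The `override` setting reflects the advice in the comments below about guaranteeing that a chosen unit stays primary.

```fortios
# Added example: CLI equivalent of steps 2-5 of the recipe.
# Assumed values: hostnames, group-name, priorities 200/100, monitored ports port1/port2.
# From the recipe: group-id 25, heartbeat interfaces port3 and port4 with priority 50.

# --- Primary FortiGate (step 2) ---
config system global
    set hostname "FGT-HA-Primary"            # assumed hostname
end

config system ha
    set group-id 25                          # only needed if other clusters share the LAN
    set group-name "FGT-HA"                  # assumed; must be identical on both units
    set mode a-p                             # Active-Passive
    set password "HA-PASSWORD-PLACEHOLDER"   # placeholder; identical on both units, keep it in your secret store
    set hbdev "port3" 50 "port4" 50          # heartbeat interfaces and their heartbeat priorities
    set priority 200                         # device priority above the default of 128
    set override enable                      # the unit with the higher priority reclaims the primary role
    set monitor "port1" "port2"              # assumed traffic ports; link loss on these triggers failover
    set session-pickup enable                # sync sessions so established connections survive failover
end

# --- Backup FortiGate (step 4): same settings except hostname and priority ---
config system global
    set hostname "FGT-HA-Backup"             # assumed hostname
end

config system ha
    set group-id 25
    set group-name "FGT-HA"
    set mode a-p
    set password "HA-PASSWORD-PLACEHOLDER"
    set hbdev "port3" 50 "port4" 50
    set priority 100                         # device priority below the default of 128
    set override enable
    set monitor "port1" "port2"
    set session-pickup enable
end

# --- Verification (step 5), run on the primary unit ---
get system ha status                         # lists cluster members, their roles and the selected primary
diagnose sys ha checksum cluster             # configuration checksums per member; they must all match
```

Note that enabling `override` changes the behaviour described in the Results section: without it the roles stay reversed after a failover, with it the higher-priority unit takes the primary role back as soon as it is available again, which causes a second short disruption. If `diagnose sys ha checksum cluster` shows different checksums, the units are not synchronized; the licensing and firmware requirements from step 1 are the first things to check.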

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

Failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.

7. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate automatically upgrades the backup FortiGate’s firmware. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths documentation before installing new firmware. These documents can be found at the Fortinet Document Library.

 
From the System Information widget, select Backup beside System Configuration. Always remember to back up your configuration before upgrading the firmware.  
From the System Information widget select Upgrade beside Firmware Version. Find the firmware image file that you downloaded and select OK to upload and install the firmware build.

The firmware loads onto both the primary and the backup FortiGates with minimal traffic interruption.

After the upgrade process is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.4 Handbook.

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
Notes

If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.

This example uses two FortiGate-600Ds and the default heartbeat interfaces (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.

For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.
  • M Mousa

    Hi,

    Can anybody advise if secondary units can preserve different configurations than primary unit and use these configs whenever becomes active/forwards pkts?

    the difference will be related to BGP configs.

  • Dominik

    Hi,

    I am not able to find the info, can you give any advice on HA interface speed sizing?
    Let’s say I am planning for an active/backup deployment with 2*10GB (lacp) for the internal network, would I need 10GB links for the heartbeat or would one GB be sufficient?

    • bdickie

      This question has also come up recently on our internal discussion forums. Heartbeat sizing depends on many factors so it’s difficult to give a useful recommendation.

      In general, we could recommend using interfaces with the same capacity as your busiest network interface for heartbeat interfaces. This will make it more likely that your cluster will not have problems with lost heartbeat packets. But this is not a requirement. In many cases you can use lower capacity interfaces for the heartbeat and adjust heartbeat timing and session-pickup settings if you experience problems.

      See the section “Heartbeat bandwidth requirements” at the bottom of this
      page for some useful info (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverHeartbeat.htm).

  • NodgeB

    So the monitored interfaces need to ‘see’ each other via a switch? – we can’t connect each FG directly to provider router?
    Also, can you explain how to have individual management addresses for each FG that reside on the same subnet as the LAN I/F – i.e. difference between “Management Interface Reservation” in HA and “Dedicated Management Port” in mgmt Interface?

    • bdickie

      When a failover occurs, the new primary unit sends gratuitous arp packets to attached network devices to indicate that the cluster IP address is now assigned to the new primary unit. As long as your network equipment can do this you should be ok. It’s not that the interfaces need to see each other, it’s that the network should be able to switch between the interfaces in response to the gratuitous arps.

      In HA mode you can select one interface on each cluster unit to be a reserved management interface. This just means that each FortiGate in the cluster can have a different IP address for this interface, allowing you to log into and manage each cluster unit separately. (more info here http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingReservedMg.htm)

      A dedicated management port (for example, mgmt1) would have the same IP address on each FortiGate in the cluster. So when you logged into that interface you would always log into the primary unit.

      I kept my responses kind of brief but could provide more information if you have more questions.

      • NodgeB

        Thanks for this info, this helps clarify the failover process. The issue I have is that the LAN (port1) overlaps with the mgmt interface and stops me making any changes to port1 via the gui – could this be because I’ve used the mgmt interface as reserved management rather than a different port? (FG100D)

        • bdickie

          Hello, the functionality you are describing should work. But I do recall there being problems with how the mgmt interfaces work in some cases and with some hardware; so you might want to try using another interface as the reserved management interface. Support would be able to provide more definitive information.

          Also FortiOS 5.6 HA allows you to add a management IP address to the port1 interface that would be on the same subnet as the port1 IP and this interface can be used for “in-band management”. 5.6 was released very recently and may have known issues so you might want to wait a patch or 2 before installing into a production environment.

  • bdickie

    We recently had a question from someone trying to understand why on a 200D they could only select the WAN ports as heartbeat ports. This was probably happening because the LAN interface was in hardware switch mode and you can’t use a switch mode interface as a heartbeat interface.

    This recipe explains how to convert the switch to separate interfaces which can then be used as heartbeat interfaces. http://cookbook.fortinet.com/choosing-fortigate-switch-mode/

  • belal

    Hi all, I am trying to configure a cluster between two Forti 200Ds. Do you need to add the same IP address on the LAN?

    • bdickie

      You do not need the same IP address on the lan ports of each FortiGate. However, when the cluster is created it will have the lan IP address of the FortiGate that becomes the primary unit. So you will lose one of the lan IP addresses.

      • belal

        thanks

  • Christopher Tano

    Do I need to put an IP address on the HA heartbeat interface? Or just leave it at 0.0.0.0/0.0.0.0?

  • Sirlanzarot

    Hi Bill,
    My company has bought two 1500D devices, and it is my first time installing a FortiGate.
    We are interested in creating the cluster using two ports of the 10 GE SFP+ Slots (ports 33&34). Do you know if this is possible? Or is Ethernet the only option?

    We are using 5.4.1 ‎(8) (FGT_1500D-v5-build1064-FORTINET)

    Thanks in advance!
    Julio.

    • bdickie

      Yes this is possible. There are no restrictions on the port types you can use for HA.

      • Robert Groenewald

        I have noticed that an aggregated port can not be used as an HB port ( only port monitoring ). I’m in the process of configuring a dual 600D and sending all traffic over the 10GE ports ( both aggregated to two Arista 7050S’s in MLAG ).

        But there is no way to send the heartbeats via the same ( or aggregated ) interface.. So there is a limitation 🙂

        • bdickie

          Thanks for your comment. I was not aware of this limitation (so it’s not documented) and will look into it. The other limitation that I should have mentioned is that you cannot use switch ports for HA heartbeat interfaces.

  • e4sy

    Is it possible to reactivate FortiCloud on Fortigate units that are members of the Active-Passive HA cluster ?
    When I try to do this debug log shows: HA-slave: failed to login.
    Is tearing down the cluster and reactivating each unit separately the only solution ?
    We are running FortiOS 5.4.2 on Fortigate 50E.

    • bdickie

      You don’t need to tear down the cluster to do this. I am not sure what the problem is, you might want to contact Fortinet Support. http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      • Jordan L

        I just setup HA with 2 100d’s, running 5.2.8. 1 has full Fortiguard service one has zero Fortiguard. Now my main unit (with service) is no longer getting IPS or AV updates, and it says those 2 services have expired.
        I have a checksum mismatch, probably related to signatures.
        I don’t think the 2nd unit needs full Fortiguard service to accomplish what I want; a unit to fail over to, to keep VPN tunnels up for a few days while the primary unit is repaired.
        Active-Active I get the need for full Fortiguard on both.
        Any insight?
        Moved this comment

        • bdickie

          I have recently learned that all units in the cluster must have the same FortiCare and FortiGuard subscriptions. If there is a difference, the services with the least functionality/expiration date/etc. will be used for the whole cluster. I haven’t had a chance to verify this so you might want to contact Fortinet support to confirm. If we get verification on this we will add notes to the documentation.

          • Jordan L

            I was thinking something like that was true. I completely understand the need for security licensing to be the same with Active-Active, but Active-Standby is a bit annoying. Most people don’t mind operating with reduced functionality in the event of failure. I kind of want an option in HA to NOT check for or care about syncing Fortiguard. That setting should exist. Policies that have Fortiguard on them would be disabled on HA unit, fine.

          • bdickie

            Your request sounds like a new feature request (NFR). Please contact your Fortinet sales representative to discuss this in detail.

  • Jordan L

    We have 2 200d in HA. I’ve never upgraded them. Only the Primary has its WAN connections wired. So, when I perform the upgrade will the backup HA unit become primary? That would be a problem for us. Thanks! Yes, both will be fully wired soon.

    • bdickie

      Normally after a firmware upgrade the roles of the FortiGates will not change. So the backup unit will not necessarily become the primary. But this could happen at any time for a number of reasons. However you can enable override and set priorities to guarantee that the FortiGate you select to be the primary unit will always be the primary. See the following link for details: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_FGCP_override.htm
