High availability with two FortiGates

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, a backup FortiGate unit is installed and connected to a previously installed FortiGate to form a high availability (HA) cluster that improves network reliability.

Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

This recipe is in the Security Fabric collection. It can also be used as a standalone recipe.

This recipe uses the FortiGate Clustering Protocol (FGCP) for HA. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the HA cluster. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the primary FortiGate for HA

On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) to make sure this FortiGate will always be the primary FortiGate. Also, set a Group name and Password.

Make sure that two Heartbeat interfaces (in the example, port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

Since the backup FortiGate is not available, when you save the HA configuration, the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS HA clusters on your network, you may need to change the cluster group ID using this CLI command. config system ha
set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network, as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is not processing much traffic.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device priority): set Mode to Active-Passive, and set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also, set the same Group name and Password as the primary FortiGate.

Make sure that the same two Heartbeat interfaces (port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

If you changed the cluster group id of the primary FortiGate, change the cluster group ID for the backup FortiGate to match, using this CLI command. config system ha
set group-id 25
end

When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

5. Viewing the status of the HA cluster

Connect to the GUI of the primary FortiGate. The HA Status widget shows the cluster mode (Mode) and group name (Group). It also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster.

 
Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

A failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test HA failover, from a PC on the internal network, ping an IP address on the Internet (in the example, 8.8.8.8). After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic fails over to the backup FortiGate, allowing the ping traffic to continue.  

7. (Optional) Upgrading the firmware for the HA cluster

Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

Click the System Information widget and select Update firmware in System > Firmware. Back up the configuration and update the firmware from FortiGuard or by uploading a firmware image file. The firmware installs onto both the primary and backup FortiGates.
After the upgrade is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
  • Was this helpful?
  • Yes   No
If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
Also, you cannot use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces (see Choosing your FortiGate’s switch mode).
If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement. If you are setting up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V) you need to enable promiscuous mode and allow mac address changes for heartbeat communication to work. Since the HA heartbeat interfaces must be on the same broadcast domain, for HA between remote data centers (called distributed clustering) you must support layer 2 extensions between the remote data centers, using technology such as MPLS or VXLAN.
If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.