SLBC Active-Passive setup with two FortiController-5103Bs (Expert)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This example describes the basics of setting up an active-passive Session-aware Load Balancing Cluster (SLBC) that consists of two FortiController-5103Bs, installed in chassis slots 1 and 2, and three FortiGate-5001C workers, installed in chassis slots 3, 4, and 5. This SLBC configuration can have up to eight redundant 10Gbit network connections.

The FortiControllers in the same chassis to operate in active-passive HA mode for redundancy. The FortiController in slot 1 becomes the primary unit actively processing sessions. The FortiController in slot 2 becomes the subordinate unit, sharing the primary unit’s session table. If the primary unit fails the subordinate unit resumes all active sessions.

All networks have redundant connections to both FortiControllers. You also create heartbeat links between the FortiControllers and management links from the FortiControllers to an internal network.

For more information about SLBC go here.

1. Hardware setup

Install a FortiGate-5000 series chassis and connect it to power. Install the FortiControllers in slots 1 and 2. Install the workers in slots 3, 4, and 5. Power on the chassis.

Check the chassis, FortiController, and FortiGate LEDs to verify that all components are operating normally (to check normal operation LED status, see the FortiGate-5000 series documents available here).

Create duplicate connections from the FortiController front panel interfaces to the Internet and to the internal network.

Create a heartbeat link by connecting the FortiController B1 interfaces together. Create a backup heartbeat link by connecting the FortiController B2 interfaces together. You can directly connect the interfaces with a patch cable or connect them together through a switch. If you use a switch, it must allow traffic on the heartbeat VLAN (default 999) and the base control and management VLANs (301 and 101). These connections establish heartbeat, base control, and base management communication between the FortiControllers. Only one heartbeat connection is required but redundant connections are recommended. 

Connect the mgmt interfaces of the both FortiControllers to the internal network or any network from which you want to manage the cluster.

Check the FortiSwitch-ATCA release notes and install the latest supported firmware on the FortiController and on the workers. Get FortiController firmware from the Fortinet Support site. Select the FortiSwitch-ATCA product.

2. Configuring the FortiControllers

Connect to the GUI (using HTTPS) or CLI (using SSH) of the FortiController in slot 1 with the default IP address (http://192.168.1.99) or connect to the FortiController CLI through the console port (Bits per second: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow control: None).

Add a password for the admin administrator account. You can either use the GUI Administrators widget or enter this CLI command.

  config admin user
    edit admin
       set password <password>
    end

Change the FortiController mgmt interface IP address. Use the Management Port widget in the GUI or enter this command. Each FortiController should have a different Management IP address.

  config system interface
    edit mgmt
       set ip 172.20.120.151/24
    end

If you need to add a default route for the management IP address, enter this command.

  config route static
    edit 1
        set gateway 172.20.120.2
    end

Set the chassis type that you are using.

 config system global
    set chassis-type fortigate-5140
 end

Configure active-passive HA on the FortiController in slot 1.

From the FortiController GUI System Information widget, beside HA Status select Configure.

Set Mode to Active-Passive, change the Group ID, and move the b1 and b2 interfaces to the Selected column and select OK.

 2a-ha-setup

You can also enter this command:

 config system ha
    set mode a-p
    set groupid 23
    set hbdev b1 b2
 end

If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the Group ID changes the cluster interface virtual MAC addresses. If your group ID setting causes a MAC address conflict you can select a different Group ID. The default Group ID of 0 is not a good choice and normally should be changed.

You can also adjust other HA settings. For example, you could increase the Device Priority of the FortiController that you want to become the primary unit, enable Override to make sure the FortiController with the highest device priority becomes the primary unit, and change the VLAN to use for HA heartbeat traffic if it conflicts with a VLAN on your network.

You would only select Enable chassis redundancy if your cluster has more than one chassis.

Log into the web-based manager of the FortiController in slot 2 and duplicate the HA configuration of the FortiController in slot 1, except for the Device Priority and override setting, which can be different on each FortiController.

After a short time, the FortiControllers restart in HA mode and form an active-passive cluster. Both FortiControllers must have the same HA configuration and at least one heartbeat link must be connected.

Normally the FortiController in slot 1 is the primary unit, and you can log into the cluster using the management IP address you assigned to this FortiController.

You can confirm that the cluster has been formed by viewing the HA configuration from the the FortiController web-based manager. The display should show both FortiControllers in the cluster.

Since the configuration of all FortiControllers is synchronized, you can complete the configuration of the cluster from the primary FortiController.

You can also go to Load Balance > Status to see the status of the cluster.
This page should show both FortiControllers in the cluster.

The FortiController in slot 1 is the primary unit (slot icon colored green) and the FortiController in slot 2 is the backup unit (slot icon colored yellow).

 

Go to Load Balance > Config to add the workers to the cluster by selecting Edit and moving the slots that contain workers to the Members list.

The Config page shows the slots in which the cluster expects to find workers. If the workers have not been configured yet their status will be Down.

Configure the External Management IP/Netmask. Once you have connected workers to the cluster, you can use this IP address to manage and configure them.

2b-config

You can also enter this command to add slots 3, 4, and 5 to the cluster:

 config load-balance setting
    config slots
      edit 3
      next
      edit 4
      next
      edit 5
      end
   end

You can also enter this command to set the external management IP/Netmask and configure management access.

 config load-balance setting
    set base-mgmt-external-ip 172.20.120.100 255.255.255.0
    set base-mgmt-allowaccess https ssh ping
 end

Enable base management traffic between FortiControllers.

  config load-balance setting
    config base-mgmt-interfaces
      edit b1
      next
      edit b2
      end
   end

Enable base control traffic between FortiControllers.   config load-balance setting
    config base-ctrl-interfaces
      edit b1
      next
      edit b2
      end
   end

3. Adding the workers to the cluster

Reset the workers to factory default settings.

If the workers are going to run FortiOS Carrier, add the FortiOS Carrier license instead. This will reset the worker to factory default settings.

 execute factoryreset
Register each worker and apply licenses to each worker before adding the workers to the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary worker before forming the cluster. Once the cluster is formed third-party certificates are synchronized to all of the workers. FortiToken licenses can be added at any time because they are synchronized to all of the workers.  

Optionally give the mgmt1 and or mgmt2 interfaces of each worker IP addresses and connect them to your network. When a cluster is created, the mgmt1 and mgmt2 IP addresses are not synchronized, so you can connect to and manage each worker separately.

Optionally give each worker a different hostname. The hostname is also not synchronized and allows you to identify each worker.

Log into the CLI of each worker and enter this command to set the worker to operate in FortiController mode.

 config system elbc
    set mode forticontroller
 end
The worker restarts and joins the cluster. On the FortiController GUI go to Load Balance > Status. As the workers restart they should appear in their appropriate slots.  

4. Results

You can now connect to the worker GUI or CLI using the External Management IP and manage the workers in the same way as you would manage a standalone FortiGate. If you configured the worker mgmt1 or mgmt2 interfaces you can also connect to these interfaces to configure the workers.  Configuration changes made to any worker are synchronized to all workers.

Configure the workers to process the traffic they receive from the FortiController front panel interfaces. By default all FortiController front panel interfaces are in the root VDOM. You can keep them in the root VDOM or create additional VDOMs and move interfaces into them.

For example, if you connect the Internet to FortiController front panel interface 1 (fctrl/f1 on the worker GUI and CLI) and the internal network to FortiController front panel interface 6 (fctrl/f6 on the worker GUI and CLI) you would access the root VDOM and add this policy to allow users on the Internal network to access the Internet.

 

For further reading, check out the FortiController Session-aware Load Balancing Guide.

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.

Latest posts by Bill Dickie (see all)

  • Was this helpful?
  • Yes   No