SLBC Dual Mode with two FortiController-5103Bs (Expert)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This example describes the basics of setting up a dual mode Session-aware Load Balancing Cluster (SLBC) that consists of two FortiController-5103Bs, installed in chassis slots 1 and 2, and three FortiGate-5001C workers, installed in chassis slots 3, 4, and 5. This SLBC configuration can have up to 16 10Gbit network connections.

The two FortiControllers in the same chassis operate in dual mode to double the number of network interfaces available. In dual mode, two FortiControllers load balance traffic to multiple workers. Traffic can be received by both FortiControllers and load balanced to all of the workers in the chassis. In dual mode configuration the front panel interfaces of both FortiControllers are active.

In a dual mode FortiController-5103B cluster this means up to 16 10Gbyte network interfaces are available. The interfaces of the FortiController in slot 1 are named fctrl/f1 to fctrl/f8 and the interfaces of the FortiController in slot 2 are named fctr2/f1 to fctrl2/f8.

All networks have single connections to the first or second FortiController. It is a best practice in a dual-mode configuration to distribute traffic evenly between the FortiControllers. So in this example, ingress traffic from the Internet is processed by the FortiController in slot 1 and egress traffic for the internal network is processed by the FortiController in slot 2.

One or more heartbeat links are created between the FortiControllers. Redundant heartbeat links are recommended. The heartbeat links use the front panel B1 and B2 interfaces.

If one of the FortiControllers fails, the remaining FortiController keeps processing traffic received by its front panel interfaces. Traffic to and from the failed FortiController is lost.

For more information about SLBC go here.

1. Hardware setup

Install a FortiGate-5000 series chassis and connect it to power. Install the FortiControllers in slots 1 and 2. Install the workers in slots 3, 4, and 5. Power on the chassis.

Check the chassis, FortiController, and FortiGate LEDs to verify that all components are operating normally (to check normal operation LED status, see the FortiGate-5000 series documents available here).

Create connections from the FortiController front panel interfaces to the Internet and to the internal network.

Create a heartbeat link by connecting the FortiController B1 interfaces together. Create a backup heartbeat link by connecting the FortiController B2 interfaces together. You can directly connect the interfaces with a patch cable or connect them together through a switch. If you use a switch, it must allow traffic on the heartbeat VLAN (default 999) and the base control and management VLANs (301 and 101). These connections establish heartbeat, base control, and base management communication between the FortiControllers. Only one heartbeat connection is required but redundant connections are recommended. 

Connect the mgmt interfaces of the both FortiControllers to the internal network or any network from which you want to manage the cluster.

Check the FortiSwitch-ATCA release notes and install the latest supported firmware on the FortiController and on the workers. Get FortiController firmware from the Fortinet Support site. Select the FortiSwitch-ATCA product.

2. Configuring the FortiControllers

Connect to the GUI (using HTTPS) or CLI (using SSH) of the FortiController in slot 1 with the default IP address (http://192.168.1.99) or connect to the FortiController CLI through the console port (Bits per second: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow control: None).

Add a password for the admin administrator account. You can either use the Administrators widget in the GUI or enter the following command in the CLI.

  config admin user
    edit admin
       set password <password>
    end

Change the FortiController mgmt interface IP address. Use the Management Port widget in the GUI or enter the following command in the CLI.

  config system interface
    edit mgmt
       set ip 172.20.120.151/24
    end

If you need to add a default route for the management IP address, enter this command.

  config route static
    edit 1
        set gateway 172.20.120.2
    end

Set the chassis type that you are using.

 config system global
    set chassis-type fortigate-5140
 end

Configure dual Mode HA on the FortiController in slot 1.

From the FortiController GUI System Information widget, beside HA Status select Configure.

Set Mode to Dual Mode, change the Group ID, and move the b1 and b2 interfaces to the Selected column and select OK.

 

You can also enter this CLI command:

 config system ha
    set mode dual
    set groupid 4
    set hbdev b1 b2
 end

If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the Group ID changes the cluster interface virtual MAC addresses. If your group ID setting causes a MAC address conflict you can select a different Group ID. The default Group ID of 0 is not a good choice and normally should be changed.

You can also adjust other HA settings. For example, you could increase the Device Priority of the FortiController that you want to become the primary unit, enable Override to make sure the FortiController with the highest device priority becomes the primary unit, and change the VLAN to use for HA heartbeat traffic if it conflicts with a VLAN on your network.

You would only select Enable chassis redundancy if your cluster has more than one chassis.

Log into the web-based manager of the FortiController in slot 2 and duplicate the HA configuration of the FortiController in slot 1, except for the Device Priority and override setting, which can be different on each FortiController.

After a short time, the FortiControllers restart in HA mode and form a dual mode cluster. Both FortiControllers must have the same HA configuration and at least one heartbeat link must be connected.

Normally the FortiController in slot 1 is the primary unit, and you can log into the cluster using the management IP address you assigned to this FortiController.

If the FortiControllers are unable to form a cluster, check to make sure that they both have the same HA configuration. Also they can’t form a cluster if the heartbeat interfaces (B1 and B2) are not connected.

You can confirm that the cluster has been formed by viewing the HA configuration from the the FortiController web-based manager. The display should show both FortiControllers in the cluster.

Since the configuration of the FortiControllers is synchronized, you can complete the configuration of the cluster from the primary FortiController.

 

You can also go to Load Balance > Status to see the status of the cluster.
This page should show both FortiControllers in the cluster.

Since both FortiControllers are active their slot icons are both colored green.

 

Go to Load Balance > Config to add the workers to the cluster by selecting Edit and moving the slots that contain workers to the Members list.

The Config page shows the slots in which the cluster expects to find workers. If the workers have not been configured yet their status will be Down.

Configure the External Management IP/Netmask. Once you have connected workers to the cluster, you can use this IP address to manage and configure them.

2b-config

You can also enter this command to add slots 3, 4, and 5 to the cluster.

 config load-balance setting
    config slots
      edit 3
      next
      edit 4
      next
      edit 5
      end
   end

You can also enter this command to configure the external management IP/Netmask and management access to this address.

 config load-balance setting
    set base-mgmt-external-ip 172.20.120.100 255.255.255.0
    set base-mgmt-allowaccess https ssh ping
 end

Enable base management traffic between FortiControllers.

  config load-balance setting
    config base-mgmt-interfaces
      edit b1
      next
      edit b2
      end
   end

Enable base control traffic between FortiControllers.    config load-balance setting
    config base-ctrl-interfaces
      edit b1
      next
      edit b2
      end
   end

3. Adding the workers to the cluster

Reset the workers to factory default settings.

If the workers are going to run FortiOS Carrier, add the FortiOS Carrier license instead. This will reset the worker to factory default settings.

 execute factoryreset
Register each worker and apply licenses to each worker before adding the workers to the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary worker before forming the cluster. Once the cluster is formed third-party certificates are synchronized to all of the workers. FortiToken licenses can be added at any time because they are synchronized to all of the workers.  

Optionally give the mgmt1 and or mgmt2 interfaces of each worker IP addresses and connect them to your network. When a cluster is created, the mgmt1 and mgmt2 IP addresses are not synchronized, so you can connect to and manage each worker separately.

Optionally give each worker a different hostname. The hostname is also not synchronized and allows you to identify each worker.

Log into the CLI of each worker and enter this command to set the worker to operate in FortiController mode.

 config system elbc
    set mode dual-forticontroller
 end
The worker restarts and joins the cluster. On the FortiController GUI go to Load Balance > Status. As the workers restart they should appear in their appropriate slots.  

4. Results

You can now connect to the worker GUI or CLI using the External Management IP and manage the workers in the same way as you would manage a standalone FortiGate. If you configured the worker mgmt1 or mgmt2 interfaces you can also connect to these interfaces to configure the workers.  Configuration changes made to any worker are synchronized to all workers.

Configure the workers to process the traffic they receive from the FortiController front panel interfaces. By default all FortiController front panel interfaces are in the root VDOM. You can keep them in the root VDOM or create additional VDOMs and move interfaces into them.

For example, if you connect the Internet to FortiController front panel interface 2 of the FortiController in slot 1 (fctrl1/f2 on the worker GUI and CLI) and the internal network to FortiController front panel interface 6 of the FortiController in slot 2 (fctrl2/f6 on the worker GUI and CLI) you would access the root VDOM and add this policy to allow users on the Internal network to access the Internet.

 

 

For further reading, check out the FortiController Session-aware Load Balancing Guide.

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
  • Was this helpful?
  • Yes   No
 Redundant connections to a network from the FortiControllers in same chassis is not supported (unless you configure link aggregation).