High availability with two FortiGates


This recipe describes how to add a backup FortiGate to a previously installed FortiGate, to form a high availability (HA) cluster to improve network reliability.

Before you begin, make sure that the FortiGates are running the same FortiOS firmware version and interfaces are not configured to get their addresses from DHCP or PPPoE.

This recipe is in the Fortinet Security Fabric collection. It can also be used as a standalone recipe.

This recipe uses the FortiGate Clustering Protocol (FGCP) for HA. After you complete this recipe, the original FortiGate continues to operate as the primary FortiGate and the new FortiGate operates as the backup FortiGate.

For a more advanced HA recipe that includes CLI steps and involves using advanced options such as override to maintain the same primary FortiGate, see High Availability with FGCP (Expert).


1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before you add it to the HA cluster.

This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they’re synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before you form the cluster. Once the cluster is running, the FGCP synchronizes third-party certificates to the backup FortiGate.

2. Configuring the primary FortiGate for HA

On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) so that this FortiGate becomes the primary FortiGate when the cluster first negotiates. Also, set a Group name and Password. Choose a strong password: a FortiGate can only join the cluster if its group name, group ID, and password match those of the existing members, so the password is what stops a unit that merely shares the group ID from joining.

Make sure you select Heartbeat interfaces (in the example, port3 and port4). Set the Heartbeat Interface Priority for each interface to 50.

Since the backup FortiGate isn’t available, when you save the HA configuration, the primary FortiGate forms a cluster of one FortiGate but keeps operating normally.

If there are other FortiOS HA clusters on your network, you may need to change the cluster group ID. The group ID is used to derive the virtual MAC addresses that the cluster assigns to its interfaces, so two clusters on the same network segment must not share a group ID. Change it with this CLI command:

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and to the network, as shown in the network diagram at the top of this recipe.

Since these connections disrupt traffic, you should make the connections when the network isn’t processing a lot of traffic. If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

You must use switches between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device priority): set Mode to Active-Passive, and set the Device priority to a lower value than the default to make sure this FortiGate is the backup FortiGate when the cluster forms. Also, set the same Group name and Password as you did for the primary FortiGate.

Make sure that you select the same two Heartbeat interfaces (port3 and port4) and set the Heartbeat Interface Priority for each to 50.

If you changed the cluster group ID of the primary FortiGate, change the cluster group ID for the backup FortiGate to match, using this CLI command:

config system ha
    set group-id 25
end

When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

5. Viewing the status of the HA cluster

Connect to the GUI of the primary FortiGate. The HA Status widget shows the cluster mode (Mode) and group name (Group).


It also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster.

To view the cluster status, click on the HA Status widget and select Configure settings in System > HA (or go to System > HA).
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.
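The following CLI script is an added example that is not part of the original recipe or of Fortinet's own documentation. It is the CLI equivalent of steps 2, 4 and 5 above for both units, plus two optional hardening settings (heartbeat authentication and encryption) and the status commands used to confirm that the two units have formed a cluster and are synchronized. The hostnames, the group name, the heartbeat interfaces (port3 and port4), the monitored interfaces (port1 and port2) and the password are assumptions chosen for this example; substitute your own values.

```fortios
# Added example: CLI equivalent of the GUI steps in this recipe.
# Hostnames, group name, password and interface names are assumptions.

# ---- On the primary FortiGate ----
config system global
    set hostname "Primary"
end
config system ha
    set group-id 25
    set group-name "my-ha-cluster"
    set mode a-p
    set password "use-a-long-random-passphrase"
    set priority 250
    set hbdev "port3" 50 "port4" 50
    # Optional hardening: authenticate and encrypt heartbeat packets so that
    # a host on the heartbeat segment cannot read or forge cluster traffic.
    # Both settings must be identical on every member or they will not join.
    set authentication enable
    set encryption enable
    # Optional port monitoring: fail over if a monitored link goes down.
    set monitor "port1" "port2"
end

# ---- On the backup FortiGate (identical except hostname and priority) ----
config system global
    set hostname "Backup"
end
config system ha
    set group-id 25
    set group-name "my-ha-cluster"
    set mode a-p
    set password "use-a-long-random-passphrase"
    set priority 50
    set hbdev "port3" 50 "port4" 50
    set authentication enable
    set encryption enable
    set monitor "port1" "port2"
end

# ---- Verification, run on the primary once the heartbeat links are up ----
# Lists every member, its role (Master/Slave), priority and serial number.
get system ha status
# Prints the configuration checksums of all members; they must be equal,
# otherwise the backup is not yet synchronized.
diagnose sys ha checksum cluster
```

Keep the group ID, group name, password and the two optional hardening settings identical on both units; any mismatch is a common reason the cluster silently fails to form. Heartbeat authentication and encryption cost some CPU on the heartbeat path, which matters most on clusters with many sessions to synchronize, so enable them where the heartbeat links are not direct cables.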

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate processes traffic.

A failover also reverses the roles of the two FortiGates: the backup becomes the primary and, with the default settings used in this recipe, stays the primary after the original FortiGate comes back online. Device priority only decides which unit wins when the cluster first negotiates; to have the original unit reclaim the primary role, enable override (see High Availability with FGCP (Expert)).

To test HA failover, ping an IP address on the Internet (in the example, 8.8.8.8) from a PC in the internal network.


After a short time interval, power off the primary FortiGate. The ping results pause while traffic fails over to the backup FortiGate and the ping traffic resumes.

7. (Optional) Upgrading the firmware for the HA cluster

Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. With the default uninterruptible upgrade setting (set uninterruptible-upgrade enable under config system ha), the cluster installs the new firmware on the backup first, fails over to it, and then upgrades the former primary, so traffic is disrupted only briefly during the failover.

Always review the Release Notes before you install new firmware.

Click the System Information widget and select Update firmware in System > Firmware. Back up the configuration and update the firmware from FortiGuard or upload a firmware image file. The firmware installs onto both the primary and backup FortiGates.
After the upgrade completes, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 6.0 Online Help.

Notes

If you haven’t already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.

You can’t use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces.

If the FortiGates in the cluster will run FortiOS Carrier, apply the FortiOS Carrier license before you configure the cluster (and before you apply other licenses). When you apply the FortiOS Carrier license, the FortiGate resets its configuration to factory defaults, requiring you to repeat steps performed before applying the license.

This example uses two FortiGate-600Ds and the default heartbeat interfaces (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that don’t process traffic, but this is not a requirement. If you are setting up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V), you must enable promiscuous mode and allow MAC address changes for heartbeat communication to work. Since the HA heartbeat interfaces must be on the same broadcast domain, for HA between remote data centers (called distributed clustering) you must support layer 2 extensions between the remote data centers, using technology such as MPLS or VXLAN.

If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.

If you’re using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.

For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.

Bill Dickie

Technical Writer at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.