High Availability with two FortiGates


In this recipe, a backup FortiGate unit will be installed and connected to a previously installed FortiGate, to provide redundancy if the primary FortiGate unit fails. This set up, called FortiGate High Availability (HA), improves network reliability.

Before you start, both FortiGates should be running the same FortiOS firmware version, and their interfaces should not be configured to get their addresses from DHCP or PPPoE.

For a more advanced HA recipe that includes CLI steps and involves using advanced options such as override to maintain the same primary FortiGate, see High Availability with FGCP (Expert).


1. Adding the backup FortiGate unit and configuring HA

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

FortiToken licenses can be added at any time because they are synchronized to all cluster members.

 

Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGate units. If your FortiGate unit does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function.

A switch must be used between the FortiGates and Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.

Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.

Change the unit’s Host Name to identify it as the primary FortiGate.

 

In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password.

Take note of the Device Priority value, which will be used when configuring the backup FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

 

If there are other FortiOS clusters on your network you may need to change the cluster group id using this CLI command.

config system ha
    set group-id 25
end

Connect to the backup FortiGate and go to System > Dashboard > Status.

Change the unit’s Host Name to identify it as the backup FortiGate.

 

Configure HA Status and set the Mode to Active-Passive.

Set the Device Priority to be lower than the primary FortiGate. Ensure that the Group Name and Password match those on the primary FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

 

If you changed the cluster group ID on the primary unit, set the same group ID on the backup unit using this CLI command.

config system ha
    set group-id 25
end

Connect to the primary FortiGate and go to System > Config > HA to view the cluster information.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.
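The same HA settings can also be entered from the CLI, which is useful when you want the two units configured identically from a script or a change ticket. The following is an added example and is not part of the original recipe; the host names, group name, password, device priorities and the heartbeat interface names port7 and port8 are constructed placeholders, so substitute the interfaces you actually cabled as heartbeat links.

```text
# --- Primary FortiGate (constructed example values) ---
config system global
    set hostname "Primary"
end
config system ha
    set group-id 25                      # only needed if other clusters share the network
    set group-name "example-cluster"     # must match on both units
    set mode a-p                         # Active-Passive
    set password "example-ha-password"   # must match on both units
    set priority 200                     # higher than the backup unit
    set hbdev "port7" 50 "port8" 50      # heartbeat interfaces, priority 50 each
end

# --- Backup FortiGate (constructed example values) ---
config system global
    set hostname "Backup"
end
config system ha
    set group-id 25
    set group-name "example-cluster"
    set mode a-p
    set password "example-ha-password"
    set priority 100                     # lower than the primary unit
    set hbdev "port7" 50 "port8" 50
end

# --- Verify from the primary unit once negotiation finishes ---
get system ha status                 # lists both members and the current primary
diagnose sys ha checksum cluster     # per-member config checksums; equal once in sync
```

Apply the primary unit's block first, then the backup's. When a unit enters HA mode it replaces its interface MAC addresses with the cluster's virtual MACs, so expect the management session to drop for a moment and reconnect. The two verification commands are the CLI counterpart of the System > Config > HA page: if the checksums differ after a few minutes, a setting that is not synchronized (such as the device priority or host name) is not the cause, but a licensing or firmware mismatch between the units is the first thing to check.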

2. Results

Traffic is now passing through the primary FortiGate. If the primary FortiGate becomes unavailable, traffic fails over and the backup FortiGate takes over processing it.

After a failover the primary and backup FortiGates reverse roles, and they keep those reversed roles even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the Ping results, until traffic diverts to the backup FortiGate, allowing the Ping traffic to continue.

3. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate will automatically upgrade the backup FortiGate’s firmware as well.

Always review the Release Notes and Supported Upgrade Paths documentation before installing new firmware. These documents can be found at the Fortinet Document Library.

 
Go to System > Dashboard > Status and view the System Information widget.

Now that the FortiGates are in HA mode, their configuration is synchronized and the System Information widget displays information for both units.

Select Backup beside System Configuration. Always remember to back up your configuration before doing any firmware upgrades.

 
Go to System > Dashboard > Status and view the System Information widget.

Select Upgrade beside Firmware Version. Find the firmware image file that you downloaded and select OK to upload and install the firmware build.

The firmware will load onto both the primary FortiGate unit and the backup unit.

 
Go to System > Dashboard > Status and verify that the System Information widget shows the new firmware version.

For further reading, check out High Availability in the FortiOS 5.2 Handbook.

Victoria Martin
Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Notes

If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.

If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.

For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.