In this recipe, a backup FortiGate unit will be installed and connected to a previously installed primary FortiGate to provide redundancy if the primary FortiGate fails.
Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.
This recipe is part of the Security Fabric collection. It can also be used as a standalone recipe.
This setup, called FortiGate High Availability (HA), improves network reliability. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.
1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, and FortiClient, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the Primary FortiGate for HA

Connect to the primary FortiGate GUI, go to System > Settings and change the Host Name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device Priority to a higher value than the default to make sure this FortiGate will always be the primary FortiGate. Also set a Group Name and Password. Make sure that two Heartbeat Interfaces (port3 and port4 in this case) are selected and their priorities are both set to 50. Since the backup FortiGate is not available yet, when you save the HA configuration the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS clusters on your network, you may need to change the cluster group ID using this CLI command:

config system ha
    set group-id 25
end
3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic, so you should do this when the network is quiet.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units. Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI, go to System > Settings and change the Host Name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device Priority): set the Mode to Active-Passive and set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also set the same Group Name and Password as on the primary FortiGate. Make sure that the same two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

If you changed the cluster group ID on the primary unit, set the same group ID on the backup unit using this CLI command:

config system ha
    set group-id 25
end

When you save the backup FortiGate's HA configuration, if the heartbeat interfaces are connected, the FortiGates will find each other and form a cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.
|
5. Viewing the cluster status

Connect to the primary FortiGate GUI. The HA Status widget displays the cluster mode and group name, and includes the host name of the primary unit (master). Hover over the primary unit host name to verify that the cluster is synchronized and operating normally.

Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.

If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.
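The settings from steps 2, 4 and 5, expressed as FortiOS CLI rather than the GUI. This is an added example and not part of the original recipe; the host names, the group name "FGT-HA", the password placeholder and the priority values 200 and 100 (above and below the default of 128) are assumptions, while port3/port4 as heartbeat interfaces and group-id 25 come from the recipe.

```text
# Primary FortiGate (step 2): give it a name, then a priority
# higher than the default of 128 so it wins the initial election
config system global
    set hostname "FGT-Primary"
end
config system ha
    set mode a-p
    set group-name "FGT-HA"
    set password "REPLACE_WITH_HA_PASSWORD"
    set priority 200
    set hbdev "port3" 50 "port4" 50
    set group-id 25
end

# Backup FortiGate (step 4): identical group name, password,
# heartbeat interfaces and group-id; only the priority is lower
config system global
    set hostname "FGT-Backup"
end
config system ha
    set mode a-p
    set group-name "FGT-HA"
    set password "REPLACE_WITH_HA_PASSWORD"
    set priority 100
    set hbdev "port3" 50 "port4" 50
    set group-id 25
end

# Step 5 from the CLI on the primary unit: list members, roles and
# sync state, then confirm the configuration checksums of both
# units match (a mismatch means the cluster is not synchronized)
get system ha status
diagnose sys ha checksum cluster
```

Lines beginning with # are annotations for the reader; omit them if you paste the commands into the CLI.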
6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic. Failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.
7. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate automatically upgrades the backup FortiGate's firmware. Both FortiGates are updated with minimal traffic disruption. Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

From the admin menu, select Configuration > Backup. Always remember to back up your configuration before upgrading the firmware.

Click the System Information widget and select the option to update firmware. Update the firmware from FortiGuard or by uploading a firmware image file. The firmware loads onto both the primary and the backup FortiGates with minimal traffic interruption.

After the upgrade is complete, verify that the System Information widget shows the new firmware version.
For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.
The post High Availability with two FortiGates appeared first on Fortinet Cookbook.