An introduction to the FGCP

Preparing the FortiGates before setting up a FGCP cluster

Before creating an FGCP cluster you should complete the following setup on each FortiGate.


DHCP and PPPoE

Make sure your FortiGate interfaces are configured with static IP addresses. If any interface gets its address using DHCP or PPPoE you should temporarily switch it to a static address and enable DHCP or PPPoE after the cluster has been established.


Firmware version

Make sure the FortiGates are running the same FortiOS firmware version.


FortiOS Carrier license

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.


Licenses (Support, FortiGuard, FortiCloud, FortiClient, FortiToken Mobile, VDOMs)

Register and apply licenses to each FortiGate. This includes FortiCloud activation, FortiClient, and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMS).


Certificates

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.


Configuring FortiGate units for FGCP HA operation

Each FortiGate unit in the cluster must have the same HA configuration. Once the cluster is connected, you can configure it in the same way as you would configure a standalone FortiGate unit. The following example sets the HA mode to active-passive and the HA password to HA_pass.



To configure a FortiGate unit for HA operation – web-based manager

1. Power on the FortiGate unit to be configured.

2. Log into the web-based manager.

3. On the Dashboard, in the System Information widget, select Change beside Host Name.

4. Enter a new Host Name for this FortiGate unit.

Changing the host name makes it easier to identify individual cluster units when the cluster is operating.

5. Go to System > HA and change the following settings:

Mode: Active-Passive
Group Name: Example_cluster
Password: HA_pass

The password must be the same for all FortiGate units in the cluster.

You can accept the default configuration for the remaining HA options and change them later, once the cluster is operating.

6. Select OK.

The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.

7. Power off the FortiGate unit.

8. Repeat this procedure for all of the FortiGate units in the cluster.

Once all of the units are configured, continue by connecting the FortiGate HA cluster below.

To configure a FortiGate unit for HA operation – CLI

1. Power on the FortiGate unit to be configured.

2. Log into the CLI.

3. Enter the following command to change the FortiGate unit host name.

config system global
    set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units when the cluster is operating.

4. Enter the following command to enable HA:

config system ha
    set mode active-passive
    set group-name Example_cluster
    set password HA_pass
end

You can accept the default configuration for the remaining HA options and change them later, once the cluster is operating.

The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and because the FGCP changes the MAC address of the FortiGate unit interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.

5. Power off the FortiGate unit.

6. Repeat this procedure for all of the FortiGate units in the cluster.

Once all of the units are configured, continue with connecting the FortiGate HA cluster.
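As an added example (not Fortinet's code and not part of the handbook), the following Python pre-flight check covers the preparation steps above (no DHCP or PPPoE interfaces) and the rule that every unit must carry the same HA configuration: it parses FortiOS configuration dumps, flags interfaces still addressed by DHCP or PPPoE, and lists HA settings that differ between units. The dumps, the second hostname and the mistyped HA_pas password are constructed for illustration.

```python
"""Pre-flight checks before forming an FGCP cluster (added example, not Fortinet code).
Parses FortiOS config dumps, flags DHCP/PPPoE interfaces, reports HA settings that differ."""
import re

# Constructed sample dump for one unit (not captured from a real FortiGate).
UNIT_A = """
config system interface
    edit "wan1"
        set mode static
    next
    edit "port1"
        set mode dhcp
    next
end
config system ha
    set mode active-passive
    set group-name Example_cluster
    set password HA_pass
end
"""
# Second unit: port1 already switched to a static address, as the page requires.
UNIT_B = UNIT_A.replace("set mode dhcp", "set mode static")
# Third unit with a mistyped HA password, to show the mismatch report.
UNIT_C = UNIT_B.replace("set password HA_pass", "set password HA_pas")

def blocks(text, name):
    """Return the body of every 'config <name> ... end' block in the dump."""
    return re.findall(rf"^config {name}\n(.*?)^end", text, re.S | re.M)

def non_static_interfaces(text):
    """Interfaces whose address mode is dhcp or pppoe; make them static first."""
    bad = []
    for body in blocks(text, "system interface"):
        for name, settings in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', body, re.S):
            mode = re.search(r"set mode (\w+)", settings)
            if mode and mode.group(1) in ("dhcp", "pppoe"):
                bad.append(name)
    return bad

def ha_settings(text):
    """Map of 'set <key> <value>' entries inside 'config system ha'."""
    body = blocks(text, "system ha")
    return dict(re.findall(r"set (\S+) (\S+)", body[0])) if body else {}

def ha_mismatches(*dumps):
    """HA keys whose values differ across units; must be empty before clustering."""
    settings = [ha_settings(d) for d in dumps]
    keys = {k for s in settings for k in s}
    return sorted(k for k in keys if len({s.get(k) for s in settings}) > 1)
```

Run it against the `show` output of each unit before cabling the heartbeat links; anything reported by non_static_interfaces or ha_mismatches should be fixed before the units are powered on together.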


Connecting a FortiGate HA cluster

Use the following procedure to connect a cluster. Connect the cluster units to each other and to your network. You must connect all matching interfaces in the cluster to the same switch, then connect these interfaces to their networks using the same switch.

Although you can use hubs, Fortinet recommends using switches for all cluster connections for the best performance.

Connecting an HA cluster to your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual cluster units are functioning and the cluster completes negotiation. Cluster negotiation is automatic and normally takes just a few seconds. During system startup and negotiation all network traffic is dropped.

This section describes how to connect the cluster shown below, which consists of two FortiGate-100D units to be connected between the Internet and a head office internal network. The wan1 interfaces of each FortiGate unit connect the cluster to the Internet and the internal interfaces connect the cluster to the internal network. The ha1 and ha2 interfaces are used for redundant HA heartbeat links.


Example cluster connections

To connect a FortiGate HA cluster

1. Connect the WAN1 interfaces of each cluster unit to a switch connected to the Internet.

2. Connect the Port1 interfaces of each cluster unit to a switch connected to the internal network.

3. Connect the HA1 interfaces of the cluster units together. You can use a crossover Ethernet cable or a regular Ethernet cable. (You can also connect the interfaces using Ethernet cables and a switch.)

4. Connect the HA2 interfaces of the cluster units together. You can use a crossover Ethernet cable or a regular Ethernet cable. (You can also connect the interfaces using Ethernet cables and a switch.)

5. Power on both of the FortiGate units.

As the cluster units start, they negotiate to choose the primary unit and the subordinate unit. This negotiation occurs with no user intervention and normally just takes a few seconds.

At least one pair of heartbeat interfaces must be connected to each other for the cluster to operate. Do not use a switch port for the HA heartbeat traffic. This configuration is not supported.

You could use one switch to connect all four heartbeat interfaces. However, this is not recommended because if the switch fails both heartbeat interfaces will become disconnected.

6. You can now configure the cluster as if it is a single FortiGate unit.



This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “An introduction to the FGCP”

  1. Danilo Arias

    Hi, thanks for sharing this information. However, I wanted to make a query: is that timer only modified when there is a drop in monitored ports, and does it not increase over time, i.e. is it fixed? My question is why in his example I see that when the monitored port is reconnected, the teacher’s time is shorter in 136 seconds.

    Thanks, and forgive my English, but I use Google Translate.
