Configuring virtual clustering with two VDOMs and VDOM partitioning – web-based manager

To configure VDOM partitioning

1. Go to System > HA.

The cluster members list shows two cluster units in Virtual Cluster 1.

The device priorities to configure for each unit in each virtual cluster are:

                 Device Priority
  Host Name      Virtual Cluster 1    Virtual Cluster 2
  FGT_ha_1       200                  100
  FGT_ha_2       100                  200

You can set these device priorities by editing the HA configuration of each cluster unit in the cluster members list.

Since FGT_ha_1 has the higher device priority for Virtual Cluster 1, and the root VDOM is in Virtual Cluster 1, all traffic for the root VDOM is processed by FGT_ha_1.

Since FGT_ha_2 has the higher device priority for Virtual Cluster 2, and the Eng_vdm VDOM is in Virtual Cluster 2, all traffic for the Eng_vdm VDOM is processed by FGT_ha_2.


To view cluster status and verify the VDOM partitioning configuration

1. Log into the web-based manager.

2. Go to System > HA.

The cluster members list should show the following:

  • Virtual Cluster 1 contains the root VDOM.
  • FGT_ha_1 is the primary unit (master) for Virtual Cluster 1.
  • Virtual Cluster 2 contains the Eng_vdm VDOM.
  • FGT_ha_2 is the primary unit (master) for Virtual Cluster 2.


To test the VDOM partitioning configuration

You can do the following to confirm that traffic for the root VDOM is processed by FGT_ha_1 and traffic for the Eng_vdm VDOM is processed by FGT_ha_2.

1. Log into the web-based manager by connecting to port2 using IP address 10.11.101.100.

You will log into FGT_ha_1 because port2 is in the root VDOM and all traffic for this VDOM is processed by FGT_ha_1. You can confirm that you have logged into FGT_ha_1 by checking the host name on the System Information dashboard widget.

2. Log into the web-based manager by connecting to port6 using IP address 10.12.101.100.

You will log into FGT_ha_2 because port6 is in the Eng_vdm VDOM and all traffic for this VDOM is processed by FGT_ha_2.

3. Add security policies to the root virtual domain that allow communication from the internal network to the Internet, and connect to the Internet from the internal network.

4. Log into the web-based manager and go to System > HA and select View HA Statistics.

The statistics display shows more active sessions, total packets, network utilization, and total bytes for the FGT_ha_1 unit.

5. Add security policies to the Eng_vdm virtual domain that allow communication from the engineering network to the Internet, and connect to the Internet from the engineering network.

6. Log into the web-based manager and go to System > HA and select View HA Statistics.

The statistics display shows more active sessions, total packets, network utilization, and total bytes for the FGT_ha_2 unit.


Configuring virtual clustering with two VDOMs and VDOM partitioning – CLI

These procedures assume you are starting with two FortiGate units with factory default settings.


To configure the FortiGate units for HA operation

1. Register and apply licenses to the FortiGate unit. This includes FortiCloud activation, FortiClient licensing, FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs).

2. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

3. Change the host name for this FortiGate unit:

config system global
    set hostname FGT_ha_1
end

4. Configure HA settings.

config system ha
    set mode a-p
    set group-name vexample2.com
    set password vHA_pass_2
end

The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates and the FGCP changes the MAC address of the FortiGate unit interfaces (see Cluster virtual MAC addresses). The MAC addresses of the FortiGate interfaces change to the following virtual MAC addresses:

  • port1 interface virtual MAC: 00-09-0f-09-00-00
  • port10 interface virtual MAC: 00-09-0f-09-00-01
  • port11 interface virtual MAC: 00-09-0f-09-00-02
  • port12 interface virtual MAC: 00-09-0f-09-00-03
  • port13 interface virtual MAC: 00-09-0f-09-00-04
  • port14 interface virtual MAC: 00-09-0f-09-00-05
  • port15 interface virtual MAC: 00-09-0f-09-00-06
  • port16 interface virtual MAC: 00-09-0f-09-00-07
  • port17 interface virtual MAC: 00-09-0f-09-00-08
  • port18 interface virtual MAC: 00-09-0f-09-00-09
  • port19 interface virtual MAC: 00-09-0f-09-00-0a
  • port2 interface virtual MAC: 00-09-0f-09-00-0b
  • port20 interface virtual MAC: 00-09-0f-09-00-0c
  • port3 interface virtual MAC: 00-09-0f-09-00-0d
  • port4 interface virtual MAC: 00-09-0f-09-00-0e
  • port5 interface virtual MAC: 00-09-0f-09-00-0f
  • port6 interface virtual MAC: 00-09-0f-09-00-10
  • port7 interface virtual MAC: 00-09-0f-09-00-11
  • port8 interface virtual MAC: 00-09-0f-09-00-12
  • port9 interface virtual MAC: 00-09-0f-09-00-13

To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or by deleting all ARP table entries). You may be able to clear the ARP table of your management PC from a command prompt using a command similar to arp -d.

You can use the get hardware nic (or diagnose hardware deviceinfo nic) CLI command to view the virtual MAC address of any FortiGate unit interface. For example, use the following command to view the port1 interface virtual MAC address (Current_HWaddr) and the port1 permanent MAC address (Permanent_HWaddr):

get hardware nic port1

MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
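A quick way to confirm that a unit has actually joined the cluster is to regenerate the virtual MAC table above and compare it with the get hardware nic output. This is an added Python example, not code from the handbook or from FortiOS; it assumes the numbering visible in the list above (interfaces sorted by name as plain strings, last byte equal to the index) and the fixed 00:09:0f:09:00 prefix shown for this cluster, and the sample output is constructed from the two lines shown on the page.

```python
import re

# Leading bytes as they appear in this cluster's list (00-09-0f-09-00-xx);
# assumed fixed here, the last byte is the interface index.
VMAC_PREFIX = "00:09:0f:09:00"

# Interface names of the unit described on the page (port1 .. port20).
PORTS = [f"port{i}" for i in range(1, 21)]


def virtual_macs(ports):
    """Assign virtual MACs in the order the page lists them: names sorted as
    plain strings (port1, port10, ..., port19, port2, port20, port3, ...),
    index starting at 0 (assumption derived from the list above)."""
    return {name: f"{VMAC_PREFIX}:{idx:02x}" for idx, name in enumerate(sorted(ports))}


def parse_hardware_nic(output):
    """Extract MAC / Current_HWaddr / Permanent_HWaddr from get hardware nic output."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(MAC|Current_HWaddr|Permanent_HWaddr):\s*([0-9a-fA-F:]{17})", line)
        if m:
            fields[m.group(1)] = m.group(2).lower()
    return fields


def cluster_state(port, output, ports=PORTS):
    """'clustered' if the interface carries its expected virtual MAC,
    'standalone' if it still shows its permanent MAC, else 'unexpected'
    (worth investigating: wrong group, wrong port map, or a stale reading)."""
    fields = parse_hardware_nic(output)
    current = fields.get("Current_HWaddr", fields.get("MAC"))
    permanent = fields.get("Permanent_HWaddr")
    expected = virtual_macs(ports)[port]
    if current == expected:
        return "clustered"
    if current is not None and current == permanent:
        return "standalone"
    return "unexpected"


# Constructed sample, modelled on the get hardware nic port1 output on the page.
SAMPLE_PORT1 = """\
MAC: 00:09:0f:09:00:00
Permanent_HWaddr: 02:09:0f:78:18:c9
"""

if __name__ == "__main__":
    for name, mac in virtual_macs(PORTS).items():
        print(f"{name:7s} {mac}")
    print("port1:", cluster_state("port1", SAMPLE_PORT1))
```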

 

5. Power off the first FortiGate unit.

6. Repeat these steps for the second FortiGate unit.

Set the other FortiGate unit host name to:

config system global
    set hostname FGT_ha_2
end

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
