Converting a standalone FortiGate unit to a cluster

In this recipe, a backup FortiGate unit will be installed and connected to a FortiGate unit that has previously been installed to provide redundancy if the primary FortiGate unit fails.

A video of this recipe is available here.

1. Adding the backup FortiGate unit and configuring HA

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat any steps performed before applying the license.

If you have not already done so, register the primary FortiGate and apply licenses to it before setting up the cluster. This includes FortiCloud activation, FortiClient and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGate units. If your FortiGate unit does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function.

A switch must be used between the FortiGates and Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.

Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.

Change the unit’s Host Name to identify it as the primary FortiGate.

In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

Connect to the backup FortiGate and go to System > Dashboard > Status.

Change the unit’s Host Name to identify it as the backup FortiGate.

Configure HA Status and set the Mode to Active-Passive.

Set the Device Priority to be lower than the primary FortiGate. Ensure that the Group Name and Password match those on the primary FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.

Connect to the primary FortiGate and go to System > HA to view the cluster information.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.
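The steps above are performed in the GUI. The following is an added example (not part of the FortiOS Handbook recipe) that renders the equivalent `config system ha` CLI for each unit and checks the conditions the recipe relies on before the two units are joined: matching group name and password, the same two heartbeat interfaces with priority 50 on both units, a lower device priority on the backup, distinct host names, and heartbeat ports that are not also carrying traffic. The CLI keywords (`mode`, `group-name`, `password`, `hbdev`, `priority`, `override`, `monitor`, `hostname`) are real FortiOS syntax; the host names, port names, group name and password are constructed placeholders.

```python
"""Render FortiOS HA CLI for a two-unit Active-Passive cluster and sanity-check the pair.

Added example, not the Handbook's own code. Port names, host names, group name
and password are constructed placeholders; replace them with your own values.
"""
from dataclasses import dataclass, field


@dataclass
class HAUnit:
    hostname: str
    group_name: str
    password: str
    hbdev: dict            # heartbeat interface -> heartbeat priority
    priority: int          # device priority 0-255; the higher value becomes primary
    mode: str = "a-p"      # "a-p" is Active-Passive in the CLI
    data_ports: frozenset = field(default_factory=frozenset)  # ports carrying user traffic
    monitor_ports: tuple = ()                                 # optional port monitoring


def render_cli(u: HAUnit) -> str:
    """Return the CLI a practitioner would paste into one unit's console."""
    hb = " ".join(f'"{port}" {prio}' for port, prio in u.hbdev.items())
    lines = [
        "config system global",
        f'    set hostname "{u.hostname}"',
        "end",
        "config system ha",
        f"    set mode {u.mode}",
        f'    set group-name "{u.group_name}"',
        f'    set password "{u.password}"',
        f"    set hbdev {hb}",
        f"    set priority {u.priority}",
        # With override disabled (the default) the units keep their swapped
        # roles after a failover, which is the behaviour the recipe describes.
        "    set override disable",
    ]
    if u.monitor_ports:
        lines.append("    set monitor " + " ".join(f'"{p}"' for p in u.monitor_ports))
    lines.append("end")
    return "\n".join(lines)


def check_pair(primary: HAUnit, backup: HAUnit) -> list:
    """Return a list of problems; an empty list means the pair meets the recipe's conditions."""
    problems = []
    if primary.hostname == backup.hostname:
        problems.append("host names must differ so the units can be told apart")
    for name, unit in (("primary", primary), ("backup", backup)):
        if unit.mode != "a-p":
            problems.append(f"{name}: mode must be a-p (Active-Passive)")
        if len(unit.hbdev) != 2 or any(p != 50 for p in unit.hbdev.values()):
            problems.append(f"{name}: expect exactly two heartbeat interfaces, each priority 50")
        if not 0 <= unit.priority <= 255:
            problems.append(f"{name}: device priority must be 0-255")
        reused = set(unit.hbdev) & (set(unit.data_ports) | set(unit.monitor_ports))
        if reused:
            problems.append(f"{name}: heartbeat interfaces also used for traffic: {sorted(reused)}")
    if primary.group_name != backup.group_name:
        problems.append("group names do not match")
    if primary.password != backup.password:
        problems.append("passwords do not match; the units will not form a cluster")
    if set(primary.hbdev) != set(backup.hbdev):
        problems.append("heartbeat interfaces differ between the two units")
    if backup.priority >= primary.priority:
        problems.append("backup device priority must be lower than the primary's")
    return problems


# Constructed sample pair (placeholder names and password, not real values).
PRIMARY = HAUnit("FGT-primary", "lab-cluster", "PLACEHOLDER-password",
                 {"port3": 50, "port4": 50}, priority=200,
                 data_ports=frozenset({"port1", "port2"}), monitor_ports=("port1",))
BACKUP = HAUnit("FGT-backup", "lab-cluster", "PLACEHOLDER-password",
                {"port3": 50, "port4": 50}, priority=100,
                data_ports=frozenset({"port1", "port2"}), monitor_ports=("port1",))

if __name__ == "__main__":
    for unit in (PRIMARY, BACKUP):
        print(render_cli(unit), end="\n\n")
    print("problems:", check_pair(PRIMARY, BACKUP) or "none")
```

Run `check_pair` on the two specs before applying the CLI; a password or heartbeat mismatch is the usual reason two units sit side by side without ever forming a cluster.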

2. Results

Normally, traffic should now flow through the primary FortiGate. If the primary FortiGate becomes unavailable, traffic fails over to the backup FortiGate. Failover also causes the primary and backup FortiGates to swap roles, and they keep the swapped roles even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 from a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results until traffic diverts to the backup FortiGate, after which the ping traffic continues.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
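The failover test above is judged by eye. As an added example (not from the Handbook), the script below parses saved `ping` output and reports each gap in the reply sequence and its approximate duration, so the failover time can be recorded and compared across tests. It assumes the Linux/macOS reply format (`64 bytes from ...: icmp_seq=N ...`) and the macOS timeout format (`Request timeout for icmp_seq N`); the sample output is constructed, not captured from a real cluster.

```python
"""Measure the outage window in ping output captured during an HA failover test.

Added example, not the Handbook's own code. SAMPLE_PING is constructed output
in the shape of Linux/macOS ping, with a three-second gap while the roles swap.
"""
import re

REPLY_RE = re.compile(r"^\d+ bytes from ")         # a successful echo reply line
SEQ_RE = re.compile(r"icmp_seq[= ](\d+)")          # "icmp_seq=4" (Linux) or "icmp_seq 4" (macOS)

SAMPLE_PING = """\
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=11.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.4 ms
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
64 bytes from 8.8.8.8: icmp_seq=7 ttl=117 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=117 time=12.2 ms
"""


def replied_sequences(output: str) -> list:
    """Sequence numbers that actually got a reply; timeout lines are ignored."""
    seqs = []
    for line in output.splitlines():
        if REPLY_RE.match(line):
            m = SEQ_RE.search(line)
            if m:
                seqs.append(int(m.group(1)))
    return seqs


def outage_windows(output: str, interval: float = 1.0) -> list:
    """Return (first_lost_seq, last_lost_seq, seconds) for every gap in the replies.

    `interval` is ping's send interval (1 s by default), so a gap of N lost
    probes is reported as roughly N * interval seconds.
    """
    seqs = replied_sequences(output)
    windows = []
    for prev, cur in zip(seqs, seqs[1:]):
        lost = cur - prev - 1
        if lost > 0:
            windows.append((prev + 1, cur - 1, lost * interval))
    return windows


def failover_recovered(output: str, max_seconds: float = 30.0, interval: float = 1.0) -> bool:
    """True when replies resumed after every gap and no gap exceeded max_seconds.

    A gap longer than max_seconds, or a trace that ends inside a gap, means the
    backup did not take over the traffic and the test should be treated as failed.
    """
    seqs = replied_sequences(output)
    if not seqs:
        return False
    last_line = output.strip().splitlines()[-1]
    if not REPLY_RE.match(last_line):       # trace ends while still timing out
        return False
    return all(seconds <= max_seconds for _, _, seconds in outage_windows(output, interval))


if __name__ == "__main__":
    for first, last, seconds in outage_windows(SAMPLE_PING):
        print(f"no replies for icmp_seq {first}-{last}: about {seconds:.0f} s")
    print("failover recovered:", failover_recovered(SAMPLE_PING))
```

Pipe a real capture in with `ping 8.8.8.8 | tee failover.txt` and pass the file's contents to `outage_windows`; a gap that never closes, rather than a momentary pause, is the sign that the backup did not take over.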


This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
