Converting a standalone FortiGate unit to a cluster
In this recipe, a backup FortiGate unit will be installed and connected to a FortiGate unit that has previously been installed to provide redundancy if the primary FortiGate unit fails.
A video of this recipe is available here.
1. Adding the backup FortiGate unit and configuring HA
If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
If you have not already done so, register the primary FortiGate and apply licenses to it before setting up the cluster. This includes FortiCloud activation, FortiClient and FortiToken licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.
Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGate units. If your FortiGate unit does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function.
A switch must be used between the FortiGates and Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.
Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.
Change the unit’s Host Name to identify it as the primary FortiGate.
In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password.
Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.
Connect to the backup FortiGate and go to System > Dashboard > Status.
Change the unit’s Host Name to identify it as the backup FortiGate.
Configure HA Status and set the Mode to Active-Passive.
Set the Device Priority to be lower than the primary FortiGate's (the default is 128). Ensure that the Group Name and Password match those on the primary FortiGate exactly; units with a different group name or password will not join the cluster.
Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.
Connect to the primary FortiGate and go to System > HA to view the cluster information.
Select View HA Statistics for more information on how the cluster is operating and processing traffic.
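The same configuration entered from the CLI of each unit, as an added example that is not part of the original recipe. The hostnames, the group name, the password, and the interface names (ha1 and ha2 for the heartbeat links, wan1 and internal for the monitored ports) are assumptions; substitute the names of your own model and network.

```fortios
# Added example: CLI equivalent of the GUI steps above.
# Interface names, hostnames, group name and password are assumptions.

# --- Primary FortiGate ---
config system global
    set hostname "Primary"
end
config system ha
    set group-name "cookbook-cluster"
    set mode a-p
    set password "ExampleHaPassword"
    # Two heartbeat interfaces, both with priority 50.
    set hbdev "ha1" 50 "ha2" 50
    # Higher device priority than the backup.
    set priority 200
    # Keep the default: the backup stays primary after a failover
    # instead of handing the role back when the old primary returns.
    set override disable
    # Optional port monitoring; only list interfaces that are
    # connected on both units.
    set monitor "wan1" "internal"
end

# --- Backup FortiGate ---
# group-name, password and hbdev must match the primary exactly.
config system global
    set hostname "Backup"
end
config system ha
    set group-name "cookbook-cluster"
    set mode a-p
    set password "ExampleHaPassword"
    set hbdev "ha1" 50 "ha2" 50
    set priority 100
    set override disable
    set monitor "wan1" "internal"
end
```

Once the backup joins, the primary's configuration is synchronized over it; the hostname, device priority and override setting are kept per unit. If more than one cluster shares a broadcast domain, also give each cluster a distinct group-id, since the cluster's virtual MAC addresses are derived from it.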
2. Results
Normally, traffic should now be flowing through the primary FortiGate. However, if the primary FortiGate is unavailable, traffic should fail over and the backup FortiGate will be used. Because HA override is disabled by default, the backup keeps the primary role even after the original primary becomes available again, so the two FortiGates effectively reverse roles. (If override is enabled, the unit with the higher device priority reclaims the primary role when it returns, which causes a second failover.)
To test this, continuously ping the IP address 8.8.8.8 from a PC on the internal network (for example, ping -t 8.8.8.8 on Windows). After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
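The cluster checks and a failover test run from the CLI, as an added example that is not part of the original recipe. The cluster index used with execute ha manage is an assumption; take the real index from the get system ha status output, and note that newer FortiOS versions also require a username argument for execute ha manage.

```fortios
# Added example: verifying the cluster and exercising a failover.
# The index "1" is an assumption; read it from "get system ha status".

# 1. Confirm both units are members and which one is primary.
#    Older FortiOS labels the roles Master/Slave, newer Primary/Secondary.
get system ha status

# 2. Confirm the configurations are in sync: the checksum lines
#    reported for each unit should be identical.
diagnose sys ha checksum cluster

# 3. Open a session on the backup through the primary's CLI
#    (use the index shown in step 1; newer versions need a username too).
execute ha manage 1

# 4. Force a failover without pulling power (FortiOS 6.0 and later;
#    confirm against your version's CLI reference). "set" marks the unit
#    as failed so the backup takes over; "unset" restores it.
execute ha failover set 1
get system ha status
execute ha failover unset 1
```

Run step 1 again after the forced failover: with override disabled the roles stay swapped after unset, matching what the ping test shows when the powered-off primary comes back.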