Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 7.4.0 FortiWiFi and FortiAP Configuration Guide
    7.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    FortiGate WiFi controller 1+1 fast failover example

    FortiGate WiFi controller 1+1 fast failover example

    This example uses a simple network topology to set up 1+1 fast failover between FortiGate WiFi controllers. The primary and secondary FortiGates must be routed into subnets and NAT must not be done on the traffic. The FortiAP must be able to reach both the primary and secondary FortiGates.

    The following takes place in the event of a failover:

    1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
    2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
    3. When the primary FortiGate is back online, it returns to managing the FortiAP.

    In the following CLI example, the primary FortiGate has an IP address of 10.43.1.80, and the secondary FortiGate has an IP address of 10.43.1.62.

    To configure the primary FortiGate:

    config wireless-controller inter-controller

    set inter-controller mode 1+1

    set inter-controller key 123456

    config inter-controller-peer

    edit 1

    set peer-ip 10.43.1.62

    set peer-priority secondary

    next

    end

    To configure the secondary FortiGate:

    config wireless-controller inter-controller

    set inter-controller mode 1+1

    set inter-controller key 123456

    set inter-controller-pri secondary

    config inter-controller-peer

    edit 1

    set peer-ip 10.43.1.80

    next

    end

    To run diagnose commands:
    1. On the primary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

      WC fast failover info

      cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)

      dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)

      dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)

      mode: 1+1-ffo

      pri: primary

      key csum: 0x9c99

      max: 10

      wait: 10

      peer cnt: 1

      FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

    2. On the secondary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

      WC fast failover info

      mode: 1+1-ffo

      status: monitoring

      pri: secondary

      key csum: 0x43e

      max: 10

      wait: 10

      peer cnt: 1

      FG22E1T919900557: 10.43.1.80:5246 primary UP (age=0)

      dfile 0 iter 1 (age=133, size=1564731/1564731)

      dfile 1 iter 1 (age=163, size=0/0)

      dfile 2 iter 1 (age=163, size=0/0)

    Caution

    You cannot use FortiGate Clustering Protocol and Wireless 1+1 fast failover together. They are two different HA features and cannot be combined.
    Previous
    Next

    FortiGate WiFi controller 1+1 fast failover example

    FortiGate WiFi controller 1+1 fast failover example

    This example uses a simple network topology to set up 1+1 fast failover between FortiGate WiFi controllers. The primary and secondary FortiGates must be routed into subnets and NAT must not be done on the traffic. The FortiAP must be able to reach both the primary and secondary FortiGates.

    The following takes place in the event of a failover:

    1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
    2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
    3. When the primary FortiGate is back online, it returns to managing the FortiAP.

    In the following CLI example, the primary FortiGate has an IP address of 10.43.1.80, and the secondary FortiGate has an IP address of 10.43.1.62.

    To configure the primary FortiGate:

    config wireless-controller inter-controller

    set inter-controller mode 1+1

    set inter-controller key 123456

    config inter-controller-peer

    edit 1

    set peer-ip 10.43.1.62

    set peer-priority secondary

    next

    end

    To configure the secondary FortiGate:

    config wireless-controller inter-controller

    set inter-controller mode 1+1

    set inter-controller key 123456

    set inter-controller-pri secondary

    config inter-controller-peer

    edit 1

    set peer-ip 10.43.1.80

    next

    end

    To run diagnose commands:
    1. On the primary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

      WC fast failover info

      cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)

      dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)

      dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)

      mode: 1+1-ffo

      pri: primary

      key csum: 0x9c99

      max: 10

      wait: 10

      peer cnt: 1

      FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

    2. On the secondary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

      WC fast failover info

      mode: 1+1-ffo

      status: monitoring

      pri: secondary

      key csum: 0x43e

      max: 10

      wait: 10

      peer cnt: 1

      FG22E1T919900557: 10.43.1.80:5246 primary UP (age=0)

      dfile 0 iter 1 (age=133, size=1564731/1564731)

      dfile 1 iter 1 (age=163, size=0/0)

      dfile 2 iter 1 (age=163, size=0/0)

    Caution

    You cannot use FortiGate Clustering Protocol and Wireless 1+1 fast failover together. They are two different HA features and cannot be combined.
    Previous
    Next