Session-Aware Load Balancing Cluster Guide

5.2.11

Configuring the FortiController in chassis 1

  1. Connect to the GUI (using HTTPS) or CLI (using SSH) of the FortiController in chassis 1 using the default IP address 192.168.1.99.

    Or connect to the FortiController CLI through the console port (Baud Rate 9600bps, Data bits 8, Parity None, Stop bits 1, and Flow Control None).

  2. Log in using the admin administrator account and no password.
  3. From the Dashboard System Information widget, set the Host Name to ch1-slot1. Or enter this command.

    config system global
    set hostname ch1-slot1
    end

  4. Add a password for the admin administrator account. From the GUI use the Administrators widget or from the CLI enter this command.

    config admin user
    edit admin
    set password <password>
    end

  5. Change the FortiController mgmt interface IP address.

    From the GUI use the Management Port widget or from the CLI enter this command:

    config system interface
    edit mgmt
    set ip 172.20.120.151/24
    end

  6. If you need to add a default route for the management IP address, enter this command.

    config route static
    edit route 1
    set gateway 172.20.120.2
    end

  7. Set the chassis type that you are using, for example:

    config system global
    set chassis-type fortigate-5140
    end

  8. Enable FortiController session sync.

    config load-balance setting
    set session-sync enable
    end

  9. Configure Active-Passive HA. From the FortiController GUI System Information widget, beside HA Status select Configure.
  10. Set Mode to Active-Passive, set the Device Priority to 250, change the Group ID, select Enable Override, enable Chassis Redundancy, set Chassis ID to 1, move the b1 and b2 interfaces to the Selected column, and select OK.

  11. Enter the following command to use the FortiController front panel F4 interface for FortiController session sync communication between FortiControllers.

    config system ha
    set session-sync-port f4
    end

    You can also enter the complete HA configuration with this command:

    config system ha
    set mode active-passive
    set groupid 5
    set priority 250
    set override enable
    set chassis-redundancy enable
    set chassis-id 1
    set hbdev b1 b2
    set session-sync-port f4
    end

    If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the group ID changes the cluster interface virtual MAC addresses. If your group ID setting causes a MAC address conflict you can select a different group ID. The default group ID of 0 is not a good choice and normally should be changed.

    Enable Override is selected to make sure the FortiController in chassis 1 always becomes the primary unit. Enabling override could lead to the cluster renegotiating more often, so once the chassis is operating you can disable this setting.

    You can also adjust other HA settings. For example, if the heartbeat interfaces are connected using a switch, you can change the VLAN to use for HA heartbeat traffic if it conflicts with a VLAN on the switch. You can also adjust the Heartbeat Interval and Number of Heartbeats lost to adjust how quickly the cluster determines if one of the FortiControllers has failed.
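
A way to check a saved copy of the commands from the procedure above against the values this page sets for chassis 1, including the group ID guidance. This is an added example, not Fortinet code: `parse_blocks`, `audit_ha`, `EXPECTED` and `SAMPLE` are hypothetical names, and the input is assumed to be plain `config` / `set` / `end` text in the form shown on this page.

```python
# Added example (not Fortinet code); all names below are hypothetical.
EXPECTED = {  # (config block, setting) -> value this page sets for chassis 1
    ("load-balance setting", "session-sync"): "enable",
    ("system ha", "mode"): "active-passive",
    ("system ha", "chassis-redundancy"): "enable",
    ("system ha", "chassis-id"): "1",
    ("system ha", "hbdev"): "b1 b2",
    ("system ha", "session-sync-port"): "f4",
}

SAMPLE = """\
config load-balance setting
set session-sync enable
end
config system ha
set mode active-passive
set groupid 5
set override enable
set chassis-redundancy enable
set chassis-id 1
set hbdev b1 b2
set session-sync-port f4
end
"""  # constructed from a subset of the commands on this page

def parse_blocks(text):
    """Return {block name: {setting: value}}; edit sub-tables are flattened."""
    blocks, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if words[:1] == ["config"]:
            current = blocks.setdefault(" ".join(words[1:]), {})
        elif words == ["end"]:
            current = None
        elif words[:1] == ["set"] and len(words) > 1 and current is not None:
            current[words[1]] = " ".join(words[2:])
    return blocks

def audit_ha(text, other_group_ids=()):
    """List deviations from the page's settings, plus group ID problems."""
    cfg = parse_blocks(text)
    findings = [f"{blk}: {key} is {cfg.get(blk, {}).get(key)!r}, expected {want!r}"
                for (blk, key), want in EXPECTED.items()
                if cfg.get(blk, {}).get(key) != want]
    gid = cfg.get("system ha", {}).get("groupid", "0")  # unset means default 0
    if gid == "0" or gid in map(str, other_group_ids):
        why = "the default" if gid == "0" else "used by another cluster"
        findings.append(f"system ha: group ID {gid} is {why}")
    return findings
```

Pass the group IDs of any other clusters on the same network as `other_group_ids` to catch the virtual MAC address conflict described above.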
