FortiExtender for FortiGate HA configuration
All models of FortiExtender devices support connecting to a FortiGate HA pair, except the legacy 40D models. FortiExtender 201E is used in the following discussion for illustration purposes.
This use case discusses how to use a FortiExtender 201E to support two FortiGate devices in HA configuration to ensure uninterrupted network connectivity and business continuity. It provides step-by-step instructions on how to configure the FortiGate HA cluster from the FortiGate GUI. It also provides the FortiExtender CLI commands to verify the port configuration of FortiExtender 201E as a WAN switch to support the FortiGate HA configuration.
Network topology
Prerequisites
- The FortiExtender 201E device must be physically networked with the two FortiGate devices, with its port1 connected to wan1 on the primary FortiGate and port2 connected to wan1 on the backup FortiGate, as illustrated in the Network topology.
- The two FortiGate devices must be physically connected via the HA port on both of them, as illustrated in the Network topology.
- The two FortiGate devices must be running the same version of FOS.
The FortiGate devices used in this sample configuration are both running FOS 6.2.1.
Configuration procedures
This configuration involves the following major steps:
Step 1: Configure the primary FortiGate
- Log in to the GUI of the primary FortiGate device.
- From the menu, go to Dashboard > Status.
The Status page opens.
- Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.
The System Settings page opens.
- Change the Hostname to something that identifies the FortiGate as the primary device, and click Apply.
- Then, select System > HA, click the top part of the page to highlight it, and click Edit.
The High Availability page opens.
The Edit button will not be available until the top part of the Status page is highlighted.
- Make the following required entries and/or selections:
- Change Mode to Active-Passive.
- Set Device Priority to a value greater than the one set on the backup FortiGate.
- Specify the Group name.
- Set the Password.
- Select two Heartbeat interfaces (one at a time) by doing the following:
- Click + (plus sign), and (from the pop-up list of interfaces) select ha.
- Set Heartbeat Interface Priority to 50.
- Click OK.
- Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
- Set Heartbeat Interface Priority to 50.
- Click OK.
Step 2: Configure the backup FortiGate
- Log in to the GUI of the backup FortiGate device.
- From the menu, go to Dashboard > Status.
The Status page opens.
- Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.
The System Settings page opens.
- Change the Host name to something that identifies the FortiGate as the backup device, and click Apply.
- Then, select System > HA, click the top part of the page to highlight it, and click Edit.
The High Availability page opens.
The Edit button will not be available until the top part of the Status page is highlighted.
- Make the following required entries and/or selections:
- Change Mode to Active-Passive.
- Set the Device Priority value smaller than the one set for the primary FortiGate.
- Set the Group name to be the same as the one set on the primary FortiGate.
- Set the Password to be the same as the one set on the primary FortiGate.
- Select two Heartbeat interfaces (one at a time) by doing the following:
- Click + (plus sign), and (from the pop-up list of interfaces) select ha.
- Set Heartbeat Interface Priority to 50.
- Click OK.
- Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
- Set Heartbeat Interface Priority to 50.
- Click OK.
- Ensure that the Device Priority value on the primary FortiGate is higher than the one for the backup FortiGate.
- Ensure that two heartbeat interfaces are selected on both FortiGate devices and that the Heartbeat Interface Priority of each is set to 50.
Step 3: Verify the port settings on FortiExtender
- Ensure that Port 1 on the back of the FortiExtender is connected to the WAN1 port on the primary FortiGate. Refer to the Network topology.
- Ensure that Port 2 on the back of the FortiExtender is connected to the WAN1 port on the backup FortiGate. Refer to the Network topology.
- Run the following commands to verify and ensure that the physical Ports 1 and 2 are aggregated in the LAN switch port.
    FX211E5919000011 # config system interface
    FX211E5919000011 (interface) # edit lan
    FX211E5919000011 (lan) # show
    edit lan
        set type lan-switch
        set status up
        set mode dhcp
        set mtu 1500
        set vrrp-virtual-mac enable
        config vrrp
            set status disable
        end
        set allowaccess http https ssh ping telnet
    next

    FX211E5919000011 # config system lan-switch
    FX211E5919000011 (lan-switch) # show
    config system lan-switch
        config ports
            edit port1
            next
            edit port2
            next
            edit port3
            next
            edit port4
            next
        end
    end
- VLAN mode is best suited for high availability purposes because it delivers better throughput.
- The "show" commands above yield the default settings of FortiExtender 201E as a LAN switch, which can be used out of the box to support FortiGate HA configurations. We recommend using these settings without change unless you are confident in your ability to configure custom settings of your own. If you prefer to configure your own LAN switch, be sure to use the aforementioned commands to double-check its configuration before putting FortiExtender to work.
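The Step 3 verification can be scripted against saved CLI output. The following is an added example, not Fortinet code: it parses the two "show" outputs above offline and reports whether port1 and port2 are members of the LAN switch. It also lists cleartext management protocols found in `allowaccess`, which is an extra check assumed by this example and not a step in the procedure; the function names and pasted sample text are constructed for illustration.

```python
import re

# Constructed input: the two `show` outputs from this page, pasted as text.
LAN_IFACE = """edit lan
    set type lan-switch
    set status up
    set mode dhcp
    set mtu 1500
    set vrrp-virtual-mac enable
    config vrrp
        set status disable
    end
    set allowaccess http https ssh ping telnet
next"""
LAN_SWITCH = ("config system lan-switch\n    config ports\n"
              + "".join(f"        edit port{n}\n        next\n" for n in range(1, 5))
              + "    end\nend")
HA_PORTS = {"port1", "port2"}      # uplinks to wan1 on each FortiGate
CLEARTEXT = {"http", "telnet"}     # unencrypted management protocols

def top_level_sets(text):
    """Map each 'set' key of the edited object to its values, skipping nested config blocks."""
    out, depth = {}, 0
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "set" and depth == 0 and len(tok) > 1:
            out[tok[1]] = tok[2:]
    return out

def audit(iface_text, switch_text):
    """Return a list of findings; an empty list means every check passed."""
    iface, findings = top_level_sets(iface_text), []
    if iface.get("type") != ["lan-switch"] or iface.get("status") != ["up"]:
        findings.append("lan interface is not an enabled lan-switch")
    missing = HA_PORTS - set(re.findall(r"^\s*edit\s+(port\d+)\s*$", switch_text, re.M))
    if missing:
        findings.append("missing from lan-switch: " + ", ".join(sorted(missing)))
    clear = CLEARTEXT & set(iface.get("allowaccess", []))
    if clear:
        findings.append("cleartext management allowed: " + ", ".join(sorted(clear)))
    return findings
```

`audit()` expects the interface text to begin at `edit lan`, as in the output shown above, so that the nested `config vrrp` block is the only one it has to skip.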