Admin Guide (FGT-Managed)

FortiExtender for FortiGate HA configuration

Note

All models of FortiExtender devices support connecting to a FortiGate HA pair, except the legacy 40D models. FortiExtender 201E is used in the following discussion for illustration purposes.

This use case discusses how to use a FortiExtender 201E to support two FortiGate devices in HA configuration to ensure uninterrupted network connectivity and business continuity. It provides step-by-step instructions on how to configure the FortiGate HA cluster from the FortiGate GUI. It also provides the FortiExtender CLI commands to verify the port configuration of FortiExtender 201E as a WAN switch to support the FortiGate HA configuration.

Network topology

Prerequisites

  • The FortiExtender 201E device must be physically networked with the two FortiGate devices, with its port1 connected to wan1 on the primary FortiGate and port2 connected to wan1 on the backup FortiGate, as illustrated in the Network topology.
  • The two FortiGate devices must be physically connected via the HA port on both of them, as illustrated in the Network topology.
  • The two FortiGate devices must be running the same version of FOS.

Note

The FortiGate devices used in this sample configuration are both running FOS 6.2.1.

Configuration procedures

This configuration involves the following major steps:

Step 1: Configure the primary FortiGate

  1. Log in to the GUI of the primary FortiGate device.
  2. From the menu, go to Dashboard > Status.

    The Status page opens.

  3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.

    The System Settings page opens.

  4. Change the Hostname to something that identifies the FortiGate as the primary device, and click Apply.
  5. Then, select System > HA, click the top part of the page to highlight it, and click Edit.

    The High Availability page opens.

    Note

    The Edit button will not be available until the top part of the Status page is highlighted.

  6. Make the following required entries and/or selections:
    1. Change Mode to Active-Passive.
    2. Set Device Priority to a value greater than the one set on the backup FortiGate.
    3. Specify the Group name.
    4. Set the Password.
    5. Select two Heartbeat interfaces (one at a time) by doing the following:
      1. Click + (plus sign), and (from the pop-up list of interfaces) select ha.
      2. Set Heartbeat Interface Priority to 50.
      3. Click OK.
      4. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
      5. Set Heartbeat Interface Priority to 50.
      6. Click OK.

Step 2: Configure the backup FortiGate

  1. Log in to the GUI of the backup FortiGate device.
  2. From the menu, go to Dashboard > Status.

    The Status page opens.

  3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.

    The System Settings page opens.

  4. Change the Hostname to something that identifies the FortiGate as the backup device, and click Apply.
  5. Then, select System > HA, click the top part of the page to highlight it, and click Edit.

    The High Availability page opens.

    Note

    The Edit button will not be available until the top part of the Status page is highlighted.

  6. Make the following required entries and/or selections:
    1. Change Mode to Active-Passive.
    2. Set the Device Priority value smaller than the one set for the primary FortiGate.
    3. Set the Group name to be the same as the one set on the primary FortiGate.
    4. Set the Password to be the same as the one set on the primary FortiGate.
    5. Select two Heartbeat interfaces (one at a time) by doing the following:
      1. Click + (plus sign), and (from the pop-up list of interfaces) select ha.
      2. Set Heartbeat Interface Priority to 50.
      3. Click OK.
      4. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
      5. Set Heartbeat Interface Priority to 50.
      6. Click OK.
      Caution
      • Ensure that the Device Priority value on the primary FortiGate is higher than the one for the backup FortiGate.
      • Ensure that two heartbeat interfaces are selected on both FortiGate devices and that the Heartbeat Interface Priority of each is set to 50.

Step 3: Verify the port settings on FortiExtender

  1. Ensure that Port 1 on the back of the FortiExtender is connected to the WAN1 port on the primary FortiGate. Refer to the Network topology.
  2. Ensure that Port 2 on the back of the FortiExtender is connected to the WAN1 port on the backup FortiGate. Refer to the Network topology.
  3. Run the following commands to verify and ensure that the physical Ports 1 and 2 are aggregated in the LAN switch port.
    FX211E5919000011 # config system interface 
    FX211E5919000011 (interface) # edit lan
    FX211E5919000011 (lan) # show 
    edit lan
        set type lan-switch
        set status up
        set mode dhcp
        set mtu 1500
        set vrrp-virtual-mac enable
        config vrrp
            set status disable
        end
        set allowaccess http https ssh ping telnet
    next
    
    FX211E5919000011 # config system lan-switch 
    FX211E5919000011 (lan-switch) # show 
    config system lan-switch
        config ports
            edit port1
            next
            edit port2
            next 
            edit port3
            next
            edit port4
            next
        end
    end
    
    Note
    • VLAN mode is best suited for high availability purposes because it delivers better throughput.
    • The "show" commands above yield the default settings of FortiExtender 201E as a LAN switch, which can be used out of the box to support FortiGate HA configurations. We recommend using these settings without change unless you are confident in your ability to configure custom settings of your own. If you prefer to configure your own LAN switch, be sure to use the aforementioned commands to double-check its configuration before putting FortiExtender to work.
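
The Step 3 check can be scripted. The following Python is an added example, not Fortinet's code: it parses the two show outputs above (embedded as constructed samples), confirms that the lan interface is an active lan-switch containing port1 and port2, and additionally flags http and telnet in allowaccess because both carry management credentials unencrypted. The function names and finding strings are assumptions of this example.

```python
# Constructed samples modelled on the Step 3 "show" output (mode/mtu lines omitted).
INTERFACE_SHOW = """edit lan
    set type lan-switch
    set status up
    config vrrp
        set status disable
    end
    set allowaccess http https ssh ping telnet
next"""
LAN_SWITCH_SHOW = ("config system lan-switch\n    config ports\n"
                   + "".join(f"        edit port{n}\n        next\n" for n in range(1, 5))
                   + "    end\nend")

REQUIRED_PORTS = {"port1", "port2"}  # cabled to wan1 on each FortiGate (Prerequisites)
CLEARTEXT = {"http", "telnet"}       # unencrypted management protocols (this example's check)

def parse_show(text):
    """Return (top-level 'set' values, names edited under 'config ports')."""
    settings, ports, stack = {}, set(), []
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))      # entering a nested block
        elif words[0] == "end" and stack:
            stack.pop()                            # leaving it
        elif words[0] == "set" and not stack and len(words) > 2:
            settings[words[1]] = words[2:]         # ignore sets inside e.g. 'config vrrp'
        elif words[0] == "edit" and stack[-1:] == ["ports"] and len(words) > 1:
            ports.add(words[1])
    return settings, ports

def audit(interface_show, lan_switch_show):
    """Return findings; an empty list means every check passed."""
    settings, _ = parse_show(interface_show)
    _, ports = parse_show(lan_switch_show)
    findings = []
    if settings.get("type") != ["lan-switch"]:
        findings.append("lan interface type is not lan-switch")
    if settings.get("status") != ["up"]:
        findings.append("lan interface status is not up")
    for port in sorted(REQUIRED_PORTS - ports):
        findings.append(f"{port} is not a lan-switch member")
    for proto in sorted(CLEARTEXT & set(settings.get("allowaccess", []))):
        findings.append(f"allowaccess permits cleartext {proto}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(INTERFACE_SHOW, LAN_SWITCH_SHOW)) or "all checks passed")
```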
