
Admin Guide (FGT-Managed)

FortiExtender for FortiGate HA configuration

Note

All models of FortiExtender devices support connecting to a FortiGate HA pair, except the legacy 40D models. FortiExtender 201E is used in the following discussion for illustration purposes.

This use case discusses how to use a FortiExtender 201E to support two FortiGate devices in HA configuration to ensure uninterrupted network connectivity and business continuity. It provides step-by-step instructions on how to configure the FortiGate HA cluster from the FortiGate GUI. It also provides the FortiExtender CLI commands to verify the port configuration of FortiExtender 201E as a WAN switch to support the FortiGate HA configuration.

Example network topology

Prerequisites

  • The FortiExtender 201E device must be physically networked with the two FortiGate devices, with its port1 connected to a physical port (for example, wan1) on the primary FortiGate and port2 connected to the same physical port number on the backup FortiGate, as illustrated in the example network topology.
  • The two FortiGate devices must be physically connected via the HA port on both of them, as illustrated in the example network topology. On FortiGate models that do not have an HA port, you can connect another pair of physical ports as dedicated heartbeat interfaces.
  • The two FortiGate devices must be running the same version of FortiOS.

Configuration procedures

This configuration involves the following major steps:

Step 1: Configure the primary FortiGate

  1. Log in to the GUI of the primary FortiGate device.
  2. From the menu, go to Dashboard > Status.

    The Status page opens.

  3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.

    The System Settings page opens.

  4. Change the Hostname to something that identifies the FortiGate as the primary device, and click Apply.
  5. Go to System > HA, click the top part of the page to highlight it, and click Edit.

    The High Availability page opens.

    Note

    The Edit button will not be available until the top part of the Status page is highlighted.

  6. Make the following required entries and/or selections:
    1. Change Mode to Active-Passive.
    2. Set Device Priority to a value greater than the one set on the backup FortiGate.
    3. Specify the Group name.
    4. Set the Password.
    5. Select Heartbeat interfaces by doing the following:
      1. Click + (plus sign), and (from the pop-up list of interfaces) select either ha or the heartbeat interfaces you connected in the Prerequisites section.
      2. Click OK.
    6. Optionally, configure link failover by monitoring the FortiGate port that is connected to the FortiExtender by doing the following:
      1. Select Monitoring interfaces.
      2. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
      3. Click OK.

Step 2: Configure the backup FortiGate

  1. Log in to the GUI of the backup FortiGate device.
  2. From the menu, go to Dashboard > Status.

    The Status page opens.

  3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the Configure settings in System > Settings link.

    The System Settings page opens.

  4. Change the Hostname to something that identifies the FortiGate as the backup device, and click Apply.
  5. Go to System > HA, click the top part of the page to highlight it, and click Edit.

    The High Availability page opens.

    Note

    The Edit button will not be available until the top part of the Status page is highlighted.

  6. Make the following required entries and/or selections:
    1. Change Mode to Active-Passive.
    2. Set the Device Priority value smaller than the one set for the primary FortiGate.
    3. Set the Group name to be the same as the one set on the primary FortiGate.
    4. Set the Password to be the same as the one set on the primary FortiGate.
    5. Select Heartbeat interfaces by doing the following:
      1. Click + (plus sign), and (from the pop-up list of interfaces) select either ha or the heartbeat interfaces you connected in the Prerequisites section.
      2. Click OK.
    6. Optionally, configure link failover by monitoring the FortiGate port that is connected to the FortiExtender by doing the following:
      1. Select Monitoring interfaces.
      2. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.
      3. Click OK.

Step 3: Verify the port settings on FortiExtender

  1. Ensure that Port 1 on the back of the FortiExtender is connected to the WAN1 port on the primary FortiGate. Refer to the Network topology.
  2. Ensure that Port 2 on the back of the FortiExtender is connected to the WAN1 port on the backup FortiGate. Refer to the Network topology.
  3. Run the following commands to verify that physical Ports 1 and 2 are aggregated in the LAN switch:
    FX211E5919000011 # config system interface 
    FX211E5919000011 (interface) # edit lan
    FX211E5919000011 (lan) # show 
    edit lan
        set type lan-switch
        set status up
        set mode dhcp
        set mtu 1500
        set vrrp-virtual-mac enable
        config vrrp
            set status disable
        end
        set allowaccess http https ssh ping telnet
    next
    
    FX211E5919000011 # config system lan-switch 
    FX211E5919000011 (lan-switch) # show 
    config system lan-switch
        config ports
            edit port1
            next
            edit port2
            next 
            edit port3
            next
        end
    end
    
    Note
    • VLAN mode is best suited for high availability purposes because it delivers better throughput.
    • The "show" commands above yield the default settings of FortiExtender 201E as a LAN switch, which can be used out of the box to support FortiGate HA configurations. We recommend using these settings without change unless you are confident in your ability to configure custom settings of your own. If you prefer to configure your own LAN switch, be sure to use the aforementioned commands to double-check its configuration before putting FortiExtender to work.
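
The Step 3 check can be scripted against saved CLI output. The following is an added example, not Fortinet code: it parses the two `show` outputs above (embedded as constructed sample text), confirms that port1 and port2 are members of the LAN switch and that the `lan` interface is an up `lan-switch`, and reports any cleartext management protocols in `allowaccess`. The function names and the `required` parameter are assumptions made for this example.

```python
import re
# Constructed input: the two `show` outputs printed on this page, saved as text.
LAN_IFACE_SHOW = """edit lan
    set type lan-switch
    set status up
    set mode dhcp
    set mtu 1500
    set vrrp-virtual-mac enable
    config vrrp
        set status disable
    end
    set allowaccess http https ssh ping telnet
next
"""
LAN_SWITCH_SHOW = """config system lan-switch
    config ports
        edit port1
        next
        edit port2
        next
        edit port3
        next
    end
end
"""
CLEARTEXT = {"http", "telnet"}  # management protocols that are not encrypted

def switch_ports(show_text):  # port names listed under `config ports`
    return re.findall(r"^\s*edit\s+(\S+)\s*$", show_text, flags=re.M)

def iface_settings(show_text):
    # Keep top-level `set` lines only; nested blocks such as `config vrrp`
    # are skipped so their `set status disable` cannot mask the interface status.
    settings, depth = {}, 0
    for words in filter(None, map(str.split, show_text.splitlines())):
        if words[0] in ("config", "end"):
            depth += 1 if words[0] == "config" else -1
        elif words[0] == "set" and depth == 0 and len(words) > 1:
            settings[words[1]] = words[2:]
    return settings

def check_ha_wan_switch(iface_text, switch_text, required=("port1", "port2")):
    # Returns a list of findings; an empty list means nothing to report.
    ports, s = switch_ports(switch_text), iface_settings(iface_text)
    findings = [f"{p} missing from lan-switch" for p in required if p not in ports]
    if s.get("type") != ["lan-switch"] or s.get("status") != ["up"]:
        findings.append("lan interface is not an up lan-switch")
    exposed = sorted(CLEARTEXT & set(s.get("allowaccess", [])))
    if exposed:
        findings.append("cleartext management access: " + " ".join(exposed))
    return findings
```

Run against the default output shown above, the port and interface checks pass and the only finding is the `http` and `telnet` entries in `allowaccess`.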
