Connect the HA1 and HA2 interfaces for HA heartbeat communication
HA heartbeat communication between FortiGate-6000s happens over the 10Gbit HA1 and HA2 interfaces. To set up HA heartbeat connections:
- Connect the HA1 interfaces of the two FortiGate-6000s together either with a direct cable connection, or using a switch.
- Connect the HA2 interfaces in the same way.
Heartbeat packets are VLAN packets with VLAN ID 999 and ethertype 8890. The MTU value for the HA1 and HA2 interfaces is 1500. You can use the following commands to change the HA heartbeat packet VLAN ID and ethertype values if required for your switches. You must change these settings on each FortiGate-6000. By default, the HA1 and HA2 interface heartbeat packets use the same VLAN IDs.
config system ha
set hbdev-vlan-id <vlan>
set hbdev-second-vlan-id <vlan>
set ha-eth-type <eth-type>
end
Using separate connections for HA1 and HA2 is recommended for redundancy. If you are using switches, it is also recommended that these switches be dedicated to HA heartbeat communication and not used for other traffic. If you use the same switch for both HA1 and HA2, separate the HA1 and HA2 traffic on the switch, enable trunk mode for the switch interfaces, and set the heartbeat traffic on the HA1 and HA2 interfaces to have different VLAN IDs. For example, the configuration in the example below sets the heartbeat traffic on HA1 to use VLAN ID 4091 and the heartbeat traffic on HA2 to use VLAN ID 4092.
Example FortiGate-6000 switch configuration
The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q or double-tagging), but it must be able to forward double-tagged frames. Some switches strip the inner tag, and Fortinet recommends avoiding these switches. FortiSwitch D and E series switches forward double-tagged frames correctly.
This configuration is not required for FortiGate-6000 HA configurations if you have set up direct connections between the HA heartbeat interfaces.
This example shows how to configure a FortiGate-6000 to use different VLAN IDs for the HA1 and HA2 HA heartbeat interfaces and then how to configure two interfaces on a Cisco switch to allow HA heartbeat packets.
This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as the native VLAN ID is not the same as the allowed VLAN ID.
- On both FortiGate-6000s, enter the following command to use different VLAN IDs for the HA1 and HA2 interfaces. The command sets the ha1 VLAN ID to 4091 and the ha2 VLAN ID to 4092:
config system ha
set hbdev ha1 50 ha2 100
set hbdev-vlan-id 4091
set hbdev-second-vlan-id 4092
end
- Use the get system ha status command to confirm the VLAN IDs:
get system ha status
...
HBDEV stats:
F6KF51T018900026(updated 4 seconds ago):
ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
F6KF51T018900022(updated 3 seconds ago):
ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
...
- Configure the Cisco switch interface that connects the HA1 interfaces to allow packets with a VLAN ID of 4091:
interface <name>
switchport mode trunk
switchport trunk native vlan 777
switchport trunk allowed vlan 4091
- Configure the Cisco switch port that connects the HA2 interfaces to allow packets with a VLAN ID of 4092:
interface <name>
switchport mode trunk
switchport trunk native vlan 777
switchport trunk allowed vlan 4092
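To check that a heartbeat switch path behaves as the note above requires (double-tagged frames forwarded, no tag stripped, heartbeat VLAN ID unchanged), here is an added Python example that is not Fortinet code: it walks the 802.1Q/802.1ad tag stack of an Ethernet frame and compares a heartbeat frame as sent with the copy received on the far side of the switch. It assumes the page's ethertype 8890 is the hexadecimal value 0x8890, and the sample frames are constructed inline rather than taken from a FortiGate-6000 capture.

```python
"""Added example (not Fortinet code): parse the VLAN tag stack of Ethernet
frames and report whether a FortiGate HA heartbeat frame crossed the switch
with every tag intact. Frames built here are constructed test data."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}   # tag protocol identifiers
HA_ETH_TYPE = 0x8890  # FortiOS default ha-eth-type (the page's "8890", as hex)


def build_frame(dst, src, vlans, ethertype, payload=b"\x00" * 46):
    """Build a frame with the given tag stack (outer tag first). Constructed
    test data only; the real heartbeat payload format is not modelled."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vlans):
        tpid = 0x88A8 if (i == 0 and len(vlans) > 1) else 0x8100  # outer S-tag
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (list of VLAN IDs outer-first, ethertype after the tag stack)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off, vlans = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return vlans, etype
        if off + 6 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)   # drop PCP/DEI bits, keep the 12-bit VID
        off += 4


def heartbeat_check(sent, received, hb_vlan, eth_type=HA_ETH_TYPE):
    """Compare a heartbeat frame as sent with the copy seen on the far side of
    the switch. Returns 'ok' or a short reason the switch path is unsuitable."""
    s_vlans, s_type = parse_frame(sent)
    r_vlans, r_type = parse_frame(received)
    if s_type != eth_type:
        return "not-heartbeat"              # not an HA heartbeat frame at all
    if hb_vlan not in s_vlans:
        return "hb-vlan-missing-at-source"  # FortiGate not tagging with hbdev-vlan-id
    if r_type != s_type:
        return "ethertype-changed"
    if r_vlans == s_vlans:
        return "ok"
    if len(r_vlans) < len(s_vlans):
        return "tag-stripped"               # switch removed a tag (inner or outer)
    return "tags-rewritten"                 # same depth, different VLAN IDs
```

Feed it the bytes of a frame captured on each side of the switch (for example with a mirror port) and the hbdev-vlan-id you configured; "tag-stripped" is the behaviour the note above says to avoid.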