Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Handbook

Basic FortiGate-6000 HA configuration

Use the following steps to set up HA between two FortiGate-6000s. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-6000s. These IDs allow the FGCP to identify the chassis and do not influence primary FortiGate-6000 selection. Before you start, determine which FortiGate-6000 should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-6000 a different chassis ID. If you accidentally give both FortiGate-6000s the same chassis ID, after HA negotiation the FortiGate-6000 that would have become the secondary FortiGate in the cluster is shut down. To resolve this issue you need to manually restart the shut down FortiGate-6000 and make sure its chassis ID will be different from the FortiGate-6000 that is operating. For example, you could change the chassis ID of the operating FortiGate-6000 before restarting the shut down FortiGate-6000.

Also, if you are setting up a cluster of FortiGate-6301Fs or 6501Fs, before you configure HA, consider using the execute disk list command on each FortiGate to verify that they both have the same disk and RAID configuration. If one of the FortiGates only has one operating hard disk, when the cluster forms the FortiGate with fewer operating hard disks will be shut down. If the RAID configurations are different, when the cluster forms, the FortiGate with the lowest RAID level will be shut down. You can use the execute disk format command to format the disks and the execute disk raid command to set both FortiGates to the same RAID mode.

  1. Set up HA heartbeat communication as described in Connect the HA1 and HA2 interfaces for HA heartbeat communication.
  2. Log into the GUI or CLI of the FortiGate-6000 that will become chassis 1.
  3. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-6000 easier to identify after the cluster has formed.

    config system global

    set hostname 6K-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  4. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-6000.

    config system ha

    set group-id 6

    set group-name My-6K-cluster

    set mode a-p

    set hbdev ha1 50 ha2 100

    set chassis-id 1

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, and set the Heartbeat Interface Priority for the heartbeat interfaces (HA1 and HA2). You must configure the chassis ID and group ID from the CLI.

  5. If you are connecting the HA heartbeat interfaces together with a switch, change the HA heartbeat VLAN IDs, for example:

    config system ha

    set hbdev-vlan-id 4091

    set hbdev-second-vlan-id 4092

    end

  6. Log into the chassis 2 FortiGate-6000 and configure its host name, for example:

    config system global

    set hostname 6K-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  7. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    config system ha

    set group-id 6

    set group-name My-6K-cluster

    set mode a-p

    set hbdev ha1 50 ha2 100

    set chassis-id 2

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, and set the Heartbeat Interface Priority for the heartbeat interfaces (HA1 and HA2). You must configure the chassis ID and group ID from the CLI.

  8. If you are connecting the HA heartbeat interfaces together with a switch, change the HA heartbeat VLAN IDs, for example:

    config system ha

    set hbdev-vlan-id 4091

    set hbdev-second-vlan-id 4092

    end

    Once you save your configuration changes, if the HA heartbeat interfaces are connected, the FortiGate-6000s negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-6000s as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-6000 interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d. When the cluster has completed negotiating, you can log into it using the management IP address of the primary FortiGate-6000.

  9. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat connections. They should be configured as described in Connect the HA1 and HA2 interfaces for HA heartbeat communication.

You should also review the HA configurations of the FortiGate-6000s. When checking the configurations, make sure both FortiGate-6000s have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat VLAN IDs.

The following example FortiGate-6000 get system ha status output shows a FortiGate-6000 cluster that is operating normally. The output shows which FortiGate-6000 has become the primary (master) FortiGate-6000 and how it was chosen. You can also see CPU and memory use data, HA heartbeat VLAN IDs, and so on.

get system ha status
Master selected using:
HA Health Status: OK
Model: FortiGate-6000F
Mode: HA A-P
Group: 6
Debug: 0
Cluster Uptime: 0 days 12:42:5
Cluster state change time: 2019-02-24 16:26:30
    <2019/02/24 16:26:30> F6KF31T018900143 is selected as the master because it has the largest value of serialno.
    ses_pickup: disable
override: disable
Configuration Status:
    F6KF31T018900143(updated 4 seconds ago): in-sync
    F6KF51T018900022 (updated 0 seconds ago): in-sync
System Usage stats:
    F6KF31T018900143(updated 4 seconds ago):
        sessions=198, average-cpu-user/nice/system/idle=1%/0%/0%/97%, memory=5%
    F6KF51T018900022 (updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=2%/0%/0%/96%, memory=6%
HBDEV stats:
    F6KF31T018900143(updated 4 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4091
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4092
    F6KF51T018900022(updated 0 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4091
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=947346/3022/0/0, tx=206768/804/0/0, vlan-id=4092
Master: 6K-Chassis-1    , F6KF31T018900143, cluster index = 0
Slave : 6K-Chassis-2    , F6KF51T018900022, cluster index = 1
number of vcluster: 1
vcluster 1: work 10.101.11.20
Master: F6KF31T018900143, operating cluster index = 0
Slave : F6KF51T018900022, operating cluster index = 1
Chassis Status: (Local chassis ID: 2)
    Chassis ID 1: Slave Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot
    Chassis ID 2: Master Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot

Basic FortiGate-6000 HA configuration

Use the following steps to set up HA between two FortiGate-6000s. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-6000s. These IDs allow the FGCP to identify the chassis and do not influence primary FortiGate-6000 selection. Before you start, determine which FortiGate-6000 should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-6000 a different chassis ID. If you accidentally give both FortiGate-6000s the same chassis ID, after HA negotiation the FortiGate-6000 that would have become the secondary FortiGate in the cluster is shut down. To resolve this issue you need to manually restart the shut down FortiGate-6000 and make sure its chassis ID will be different from the FortiGate-6000 that is operating. For example, you could change the chassis ID of the operating FortiGate-6000 before restarting the shut down FortiGate-6000.

Also, if you are setting up a cluster of FortiGate-6301Fs or 6501Fs, before you configure HA, consider using the execute disk list command on each FortiGate to verify that they both have the same disk and RAID configuration. If one of the FortiGates only has one operating hard disk, when the cluster forms the FortiGate with fewer operating hard disks will be shut down. If the RAID configurations are different, when the cluster forms, the FortiGate with the lowest RAID level will be shut down. You can use the execute disk format command to format the disks and the execute disk raid command to set both FortiGates to the same RAID mode.

  1. Set up HA heartbeat communication as described in Connect the HA1 and HA2 interfaces for HA heartbeat communication.
  2. Log into the GUI or CLI of the FortiGate-6000 that will become chassis 1.
  3. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-6000 easier to identify after the cluster has formed.

    config system global

    set hostname 6K-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  4. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-6000.

    config system ha

    set group-id 6

    set group-name My-6K-cluster

    set mode a-p

    set hbdev ha1 50 ha2 100

    set chassis-id 1

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, and set the Heartbeat Interface Priority for the heartbeat interfaces (HA1 and HA2). You must configure the chassis ID and group ID from the CLI.

  5. If you are connecting the HA heartbeat interfaces together with a switch, change the HA heartbeat VLAN IDs, for example:

    config system ha

    set hbdev-vlan-id 4091

    set hbdev-second-vlan-id 4092

    end

  6. Log into the chassis 2 FortiGate-6000 and configure its host name, for example:

    config system global

    set hostname 6K-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  7. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    config system ha

    set group-id 6

    set group-name My-6K-cluster

    set mode a-p

    set hbdev ha1 50 ha2 100

    set chassis-id 2

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, and set the Heartbeat Interface Priority for the heartbeat interfaces (HA1 and HA2). You must configure the chassis ID and group ID from the CLI.

  8. If you are connecting the HA heartbeat interfaces together with a switch, change the HA heartbeat VLAN IDs, for example:

    config system ha

    set hbdev-vlan-id 4091

    set hbdev-second-vlan-id 4092

    end

    Once you save your configuration changes, if the HA heartbeat interfaces are connected, the FortiGate-6000s negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-6000s as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-6000 interfaces. To be able to reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d. When the cluster has completed negotiating, you can log into it using the management IP address of the primary FortiGate-6000.

  9. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat connections. They should be configured as described in Connect the HA1 and HA2 interfaces for HA heartbeat communication.

You should also review the HA configurations of the FortiGate-6000s. When checking the configurations, make sure both FortiGate-6000s have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat VLAN IDs.

The following example FortiGate-6000 get system ha status output shows a FortiGate-6000 cluster that is operating normally. The output shows which FortiGate-6000 has become the primary (master) FortiGate-6000 and how it was chosen. You can also see CPU and memory use data, HA heartbeat VLAN IDs, and so on.

get system ha status
Master selected using:
HA Health Status: OK
Model: FortiGate-6000F
Mode: HA A-P
Group: 6
Debug: 0
Cluster Uptime: 0 days 12:42:5
Cluster state change time: 2019-02-24 16:26:30
    <2019/02/24 16:26:30> F6KF31T018900143 is selected as the master because it has the largest value of serialno.
    ses_pickup: disable
override: disable
Configuration Status:
    F6KF31T018900143(updated 4 seconds ago): in-sync
    F6KF51T018900022 (updated 0 seconds ago): in-sync
System Usage stats:
    F6KF31T018900143(updated 4 seconds ago):
        sessions=198, average-cpu-user/nice/system/idle=1%/0%/0%/97%, memory=5%
    F6KF51T018900022 (updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=2%/0%/0%/96%, memory=6%
HBDEV stats:
    F6KF31T018900143(updated 4 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4091
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4092
    F6KF51T018900022(updated 0 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4091
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=947346/3022/0/0, tx=206768/804/0/0, vlan-id=4092
Master: 6K-Chassis-1    , F6KF31T018900143, cluster index = 0
Slave : 6K-Chassis-2    , F6KF51T018900022, cluster index = 1
number of vcluster: 1
vcluster 1: work 10.101.11.20
Master: F6KF31T018900143, operating cluster index = 0
Slave : F6KF51T018900022, operating cluster index = 1
Chassis Status: (Local chassis ID: 2)
    Chassis ID 1: Slave Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot
    Chassis ID 2: Master Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot