FortiGate-6000 Handbook

FortiGate-6000 high availability

FortiGate-6000 supports active-passive FortiGate Clustering Protocol (FGCP) HA between two (and only two) identical FortiGate-6000s. You can configure FortiGate-6000 HA in much the same way as any FortiGate HA setup, except that only active-passive HA is supported and, even though FortiGate-6000s are configured with VDOMs, virtual clustering is not supported.

You must use the 10Gbit HA1 and HA2 interfaces for HA heartbeat communication. The recommended HA heartbeat configuration is to use a cable to directly connect the HA1 interfaces of each FortiGate-6000 and another cable to directly connect the HA2 interfaces of each FortiGate-6000.

You can use switches to connect the HA heartbeat interfaces. Heartbeat packets are VLAN-tagged and you can configure the VLANs used. If you are using switches, you must configure the switch interfaces in trunk mode and the switches must allow the VLAN-tagged packets.

During the FortiGate-6000 HA configuration you assign each of the FortiGate-6000s in the HA cluster a chassis ID of 1 or 2. The chassis IDs just allow you to identify individual FortiGate-6000s and do not influence primary unit selection.

Example FortiGate-6000 HA configuration

In a FortiGate-6000 FGCP HA configuration, the primary (or master) FortiGate-6000 processes all traffic. The secondary FortiGate-6000 operates in hot standby mode. The FGCP synchronizes the configuration, active sessions, routing information, and so on to the secondary FortiGate-6000. If the primary FortiGate-6000 fails, traffic automatically fails over to the secondary.

The FGCP selects the primary FortiGate-6000 based on standard FGCP primary unit selection:

  • Connected monitored interfaces
  • Age
  • Device Priority
  • Serial Number

In most cases, if everything is connected and operating normally, the FortiGate-6000 with the highest serial number becomes the primary FortiGate-6000. You can set the device priority higher on one of the FortiGate-6000s if you want it to become the primary unit. You can also enable override along with setting a higher device priority to make sure the same FortiGate-6000 always becomes the primary FortiGate-6000.
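The selection order above can be modelled as a short tie-break chain. The following Python sketch is an added example, not Fortinet code. It assumes standard FGCP behaviour that this page does not spell out: age differences below a margin (300 seconds by default) are ignored, the default device priority is 128, and override moves device priority ahead of age. Serial numbers are constructed, and override is simplified to one cluster-wide flag.

```python
from dataclasses import dataclass

AGE_MARGIN_S = 300      # assumption: default FGCP uptime-difference margin
DEFAULT_PRIORITY = 128  # assumption: FortiOS default device priority


@dataclass
class Unit:
    serial: str                       # constructed sample value
    monitored_up: int                 # connected monitored interfaces
    uptime_s: int                     # HA age in seconds
    priority: int = DEFAULT_PRIORITY  # device priority


def select_primary(a: Unit, b: Unit, override: bool = False,
                   age_margin_s: int = AGE_MARGIN_S) -> Unit:
    """Return the unit that wins primary selection in a two-unit cluster."""
    # 1. Most connected monitored interfaces always comes first.
    if a.monitored_up != b.monitored_up:
        return a if a.monitored_up > b.monitored_up else b

    def by_age():
        # Age only counts when the difference exceeds the margin.
        if abs(a.uptime_s - b.uptime_s) > age_margin_s:
            return a if a.uptime_s > b.uptime_s else b
        return None

    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b
        return None

    # 2./3. Override swaps the order of the age and priority checks.
    steps = (by_priority, by_age) if override else (by_age, by_priority)
    for step in steps:
        winner = step()
        if winner is not None:
            return winner

    # 4. Final tie-break: highest serial number.
    return a if a.serial > b.serial else b


if __name__ == "__main__":
    u1 = Unit("F6K-EXAMPLE-0001", monitored_up=2, uptime_s=1000, priority=200)
    u2 = Unit("F6K-EXAMPLE-0002", monitored_up=2, uptime_s=9000)
    print("no override:", select_primary(u1, u2).serial)
    print("override:   ", select_primary(u1, u2, override=True).serial)
```

Without override, the longer-running unit stays primary even though the other has a higher device priority, which is why the page pairs override with the priority setting when the same unit must always be primary.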
