Before you begin configuring HA
Before you begin:
- The FortiGate-6000s should be running the same FortiOS firmware version and be in the same VDOM mode (Multi VDOM or Split-Task VDOM mode).
- Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
- Register and apply licenses to each FortiGate-6000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
- Both FortiGate-6000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
- FortiToken licenses can be added at any time because they are synchronized to all cluster members.
- Both FortiGate-6501Fs or FortiGate-6301Fs in a cluster must have the same log disk and RAID configuration. Use the execute disk list command to confirm the log disk configuration of each device.
On each FortiGate-6000, make sure the configurations of the FPCs are synchronized before starting to configure HA. You can use the following command to verify the configuration status of the FPCs. The following example shows the results for a FortiGate-6300F.
diagnose sys confsync showchsum | grep all
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
If the FPCs are synchronized, the listed checksums should all be the same.
You can also use the following command to list the FPCs that are synchronized. The example output, for a FortiGate-6300F, shows all six FPCs have been configured for HA and added to the cluster.
diagnose sys confsync status | grep in_sync
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Master, uptime=232441.23, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Slave, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KF3E17900209, Slave, uptime=231561.99, priority=24, slot_id=1:6, idx=6, flag=0x24, in_sync=1
FPC6KF3E17900215, Slave, uptime=231524.81, priority=22, slot_id=1:4, idx=7, flag=0x24, in_sync=1
FPC6KF3E17900217, Slave, uptime=232289.83, priority=120, slot_id=1:5, idx=8, flag=0x24, in_sync=1
FPC6KF3E17900229, Slave, uptime=232271.59, priority=118, slot_id=1:3, idx=10, flag=0x24, in_sync=1
FPC6KF3E17900230, Slave, uptime=232330.19, priority=116, slot_id=1:1, idx=11, flag=0x24, in_sync=1
FPC6KF3E17900291, Slave, uptime=232314.29, priority=117, slot_id=1:2, idx=13, flag=0x24, in_sync=1
In this command output, in_sync=1 means the FPC is synchronized with the management board and in_sync=0 means the FPC is not synchronized.
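The two checks above can be run over saved CLI output before HA is configured. The following Python script is an added example, not Fortinet code: it assumes the output of both commands has been captured as text, and its function names, sample serial numbers, and sample output are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample output; serials are placeholders, not real devices.
SAMPLE_CHSUM = """\
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8f
"""
SAMPLE_STATUS = """\
MBD-EXAMPLE-0001, Master, uptime=232441.23, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC-EXAMPLE-0001, Slave, uptime=232330.19, priority=116, slot_id=1:1, idx=11, flag=0x24, in_sync=1
FPC-EXAMPLE-0002, Slave, uptime=232314.29, priority=117, slot_id=1:2, idx=13, flag=0x24, in_sync=0
"""

CHSUM_RE = re.compile(r"^all:\s*((?:[0-9a-f]{2}\s*)+)$", re.I)

def checksum_mismatches(text):
    """Return 1-based positions of 'all:' lines whose checksum differs from the majority."""
    sums = []
    for line in text.splitlines():
        m = CHSUM_RE.match(line.strip())
        if m:
            sums.append("".join(m.group(1).split()).lower())
    if not sums:
        raise ValueError("no 'all:' checksum lines found")
    majority, _ = Counter(sums).most_common(1)[0]
    return [i for i, s in enumerate(sums, 1) if s != majority]

def out_of_sync(text):
    """Return (serial, slot_id) for every entry that does not report in_sync=1."""
    bad = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # not a status line
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        if "in_sync" in kv and kv["in_sync"] != "1":
            bad.append((fields[0], kv.get("slot_id", "?")))
    return bad

def ready_for_ha(chsum_text, status_text):
    """True only when all checksums match and every entry reports in_sync=1."""
    return not checksum_mismatches(chsum_text) and not out_of_sync(status_text)

if __name__ == "__main__":
    print("checksum mismatches at lines:", checksum_mismatches(SAMPLE_CHSUM))
    print("out of sync:", out_of_sync(SAMPLE_STATUS))
```

A checksum that differs from the majority, or any entry with in_sync=0, identifies the unit whose configuration should be resynchronized before continuing with HA setup.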