FortiGate-6000 Handbook

Before you begin configuring HA

Before you begin:

  • The FortiGate-6000s must be running the same FortiOS firmware version.
  • The FortiGate-6000s must be in the same VDOM mode (Multi VDOM or Split-Task VDOM mode).
  • To successfully form an FGCP HA cluster, both FortiGate-6000s must be operating in the same VDOM mode (Multi or Split-Task). You should change both FortiGate-6000s to the VDOM mode that you want them to operate in before configuring HA. To change the VDOM mode of an operating cluster, you need to remove the backup FortiGate-6000 from the cluster, switch both FortiGate-6000s to the other VDOM mode, and then re-form the cluster. This process will cause traffic interruptions.

  • Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
  • Register and apply licenses to each FortiGate-6000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
  • Both FortiGate-6000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
  • FortiToken licenses can be added at any time because they are synchronized to all cluster members.
  • Both FortiGate-6501Fs or FortiGate-6301Fs in a cluster must have the same number of active hard disks and the same RAID configuration. Use the execute disk list command to confirm the log disk and RAID configuration of each device.

On each FortiGate-6000, make sure the configurations of the FPCs are synchronized before starting to configure HA. You can use the following command to verify the configuration status of the FPCs. The following example shows the results for a FortiGate-6300F.

diagnose sys confsync showchsum | grep all
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the FPCs are synchronized, the listed checksums should all be the same.

You can also use the following command to list the FPCs that are synchronized. The example output, for a FortiGate-6300F, shows all six FPCs have been configured for HA and added to the cluster.

diagnose sys confsync status | grep in_sync
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Primary, uptime=232441.23, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
F6KF313E17900031, Secondary, uptime=232441.23, priority=2, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KF3E17900209, Secondary, uptime=231561.99, priority=24, slot_id=1:6, idx=6, flag=0x24, in_sync=1
FPC6KF3E17900215, Secondary, uptime=231524.81, priority=22, slot_id=1:4, idx=7, flag=0x24, in_sync=1
FPC6KF3E17900217, Secondary, uptime=232289.83, priority=120, slot_id=1:5, idx=8, flag=0x24, in_sync=1
FPC6KF3E17900229, Secondary, uptime=232271.59, priority=118, slot_id=1:3, idx=10, flag=0x24, in_sync=1
FPC6KF3E17900230, Secondary, uptime=232330.19, priority=116, slot_id=1:1, idx=11, flag=0x24, in_sync=1
FPC6KF3E17900291, Secondary, uptime=232314.29, priority=117, slot_id=1:2, idx=13, flag=0x24, in_sync=1

In this command output, in_sync=1 means the FPC is synchronized with the management board and in_sync=0 means the FPC is not synchronized.
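As an added example (not part of the FortiGate-6000 handbook), the following Python script runs both checks described above over saved CLI output, flagging any checksum that differs from the majority and any component reporting in_sync=0. The function names are hypothetical, and the sample captures are constructed from the output format shown above, with one checksum and one in_sync value altered to show a failure.

```python
import re
from collections import Counter

# Constructed sample captures, modelled on the output format shown above.
# The last checksum and the last in_sync value are altered to show a failure.
CHSUM_CAPTURE = """\
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8f
"""
STATUS_CAPTURE = """\
F6KF313E17900031, Primary, uptime=232441.23, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KF3E17900209, Secondary, uptime=231561.99, priority=24, slot_id=1:6, idx=6, flag=0x24, in_sync=1
FPC6KF3E17900215, Secondary, uptime=231524.81, priority=22, slot_id=1:4, idx=7, flag=0x24, in_sync=0
"""

# One line of `diagnose sys confsync status | grep in_sync` output.
STATUS_RE = re.compile(
    r"^\s*(?P<serial>[^,\s]+),\s*(?P<role>\w+),.*\bslot_id=(?P<slot>[\d:]+),"
    r".*\bin_sync=(?P<sync>[01])\s*$"
)


def checksum_outliers(capture):
    """Return (line_no, checksum) for every 'all:' line that differs from the majority."""
    sums = [(n, "".join(line.split(":", 1)[1].split()).lower())
            for n, line in enumerate(capture.splitlines(), 1)
            if line.strip().startswith("all:")]
    if not sums:
        raise ValueError("no 'all:' checksum lines in capture")
    majority = Counter(s for _, s in sums).most_common(1)[0][0]
    return [(n, s) for n, s in sums if s != majority]


def unsynced(capture):
    """Return (serial, slot_id) for every component reporting in_sync=0."""
    rows = [m for m in map(STATUS_RE.match, capture.splitlines()) if m]
    if not rows:
        raise ValueError("no in_sync status lines in capture")
    return [(m["serial"], m["slot"]) for m in rows if m["sync"] == "0"]


def ready_for_ha(chsum_capture, status_capture):
    """True only when every checksum matches and every component is in_sync=1."""
    return not checksum_outliers(chsum_capture) and not unsynced(status_capture)


if __name__ == "__main__":
    print("checksum outliers:", checksum_outliers(CHSUM_CAPTURE))
    print("not in sync:", unsynced(STATUS_CAPTURE))
    print("ready for HA:", ready_for_ha(CHSUM_CAPTURE, STATUS_CAPTURE))
```

An empty capture raises an error rather than passing, so a failed or truncated CLI session is not mistaken for a synchronized chassis.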
