Fortinet black logo

FortiGate-7000 Handbook

Before you begin configuring HA

Copy Link
Copy Doc ID 13098487-2a56-11e9-94bf-00505692583a:700676
Download PDF

Before you begin configuring HA

Before you begin, the FortiGate-7000s should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE. Register and apply licenses to the each FortiGate-7000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). Both FortiGate-7000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

If required, you should configure split ports on the FIMs on both chassis before configuring HA because the modules have to reboot to enable the split port configuration. For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After configuring split ports, the FortiGate-7000 reboots and synchronizes the configuration.

On each FortiGate-7000, make sure configurations of the modules are synchronized before starting to configure HA. You can use the following command to verify that the configurations of all of the modules are synchronized:

diagnose sys confsync showchsum | grep all

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the modules are synchronized, the checksums displayed should all be the same.

You can also use the following command to list the modules that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.

diagnose sys configsync status | grep in_sync

Master, uptime=692224.19, priority=1, slot_1d=1:1, idx=0, flag=0x0, in_sync=1

Slave, uptime=676789.70, priority=2, slot_1d=1:2, idx=1, flag=0x0, in_sync=1

Slave, uptime=692222.01, priority=17, slot_1d=1:4, idx=2, flag=0x64, in_sync=1

Slave, uptime=692271.30, priority=16, slot_1d=1:3, idx=3, flag=0x64, in_sync=1

In this command output in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.

Before you begin configuring HA

Before you begin, the FortiGate-7000s should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE. Register and apply licenses to the each FortiGate-7000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). Both FortiGate-7000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

If required, you should configure split ports on the FIMs on both chassis before configuring HA because the modules have to reboot to enable the split port configuration. For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After configuring split ports, the FortiGate-7000 reboots and synchronizes the configuration.

On each FortiGate-7000, make sure configurations of the modules are synchronized before starting to configure HA. You can use the following command to verify that the configurations of all of the modules are synchronized:

diagnose sys confsync showchsum | grep all

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the modules are synchronized, the checksums displayed should all be the same.

You can also use the following command to list the modules that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.

diagnose sys configsync status | grep in_sync

Master, uptime=692224.19, priority=1, slot_1d=1:1, idx=0, flag=0x0, in_sync=1

Slave, uptime=676789.70, priority=2, slot_1d=1:2, idx=1, flag=0x0, in_sync=1

Slave, uptime=692222.01, priority=17, slot_1d=1:4, idx=2, flag=0x64, in_sync=1

Slave, uptime=692271.30, priority=16, slot_1d=1:3, idx=3, flag=0x64, in_sync=1

In this command output in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.