Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000 Handbook

Download PDF
Copy Link

Before you begin configuring HA

Before you begin:

  • The FortiGate-7000s should be running the same FortiOS firmware version.
  • Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
  • Register and apply licenses to each FortiGate-7000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
  • Both FortiGate-7000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
  • FortiToken licenses can be added at any time because they are synchronized to all cluster members.

Configure split ports

If required, you should configure split ports on the FIMs on both FortiGate-7000s before configuring HA because the FortiGate-7000 has to reboot if you enable, change, or disable the split port configuration.

For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After configuring split ports, the FortiGate-7000 reboots and synchronizes the configuration.

On each FortiGate-7000, make sure configurations of the FIMs and FPMs are synchronized before starting to configure HA. You can use the following command to verify the synchronization status of all modules:

diagnose sys confsync showchsum | grep all

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the FIMs and FPMs are synchronized, the checksums displayed should all be the same.

You can also use the following command to list the FIMs and FPMs that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.

diagnose sys confsync status | grep in_sync
FIM10E3E16000062, Slave, uptime=58852.50, priority=2, slot_id=2:2, idx=3, flag=0x10, in_sync=1
FIM04E3E16000010, Slave, uptime=58726.83, priority=3, slot_id=1:1, idx=0, flag=0x10, in_sync=1
FIM04E3E16000014, Master, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FIM10E3E16000040, Slave, uptime=58857.80, priority=4, slot_id=1:2, idx=2, flag=0x10, in_sync=1
FPM20E3E16900234, Slave, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=1
FPM20E3E16900269, Slave, uptime=58333.37, priority=120, slot_id=2:4, idx=5, flag=0x64, in_sync=1
FPM20E3E17900113, Slave, uptime=58858.90, priority=116, slot_id=1:3, idx=6, flag=0x64, in_sync=1
FPM20E3E17900217, Slave, uptime=58858.93, priority=117, slot_id=1:4, idx=7, flag=0x64, in_sync=1
...

In this command output, in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.

Before you begin configuring HA

Before you begin:

  • The FortiGate-7000s should be running the same FortiOS firmware version.
  • Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
  • Register and apply licenses to each FortiGate-7000 before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
  • Both FortiGate-7000s in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
  • FortiToken licenses can be added at any time because they are synchronized to all cluster members.

Configure split ports

If required, you should configure split ports on the FIMs on both FortiGate-7000s before configuring HA because the FortiGate-7000 has to reboot if you enable, change, or disable the split port configuration.

For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After configuring split ports, the FortiGate-7000 reboots and synchronizes the configuration.

On each FortiGate-7000, make sure configurations of the FIMs and FPMs are synchronized before starting to configure HA. You can use the following command to verify the synchronization status of all modules:

diagnose sys confsync showchsum | grep all

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the FIMs and FPMs are synchronized, the checksums displayed should all be the same.

You can also use the following command to list the FIMs and FPMs that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.

diagnose sys confsync status | grep in_sync
FIM10E3E16000062, Slave, uptime=58852.50, priority=2, slot_id=2:2, idx=3, flag=0x10, in_sync=1
FIM04E3E16000010, Slave, uptime=58726.83, priority=3, slot_id=1:1, idx=0, flag=0x10, in_sync=1
FIM04E3E16000014, Master, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FIM10E3E16000040, Slave, uptime=58857.80, priority=4, slot_id=1:2, idx=2, flag=0x10, in_sync=1
FPM20E3E16900234, Slave, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=1
FPM20E3E16900269, Slave, uptime=58333.37, priority=120, slot_id=2:4, idx=5, flag=0x64, in_sync=1
FPM20E3E17900113, Slave, uptime=58858.90, priority=116, slot_id=1:3, idx=6, flag=0x64, in_sync=1
FPM20E3E17900217, Slave, uptime=58858.93, priority=117, slot_id=1:4, idx=7, flag=0x64, in_sync=1
...

In this command output, in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.