
FortiGate-7000 Handbook

Introduction to FortiGate-7000 FGCP HA

FortiGate-7000 supports active-passive FortiGate Clustering Protocol (FGCP) HA between two (and only two) identical FortiGate-7000s. You configure FortiGate-7000 HA in much the same way as any other FortiGate HA setup, with two restrictions: only active-passive HA is supported, and even though FortiGate-7000s are configured with VDOMs, virtual clustering is not supported.

You must use the 10Gbit M1 and M2 interfaces for HA heartbeat communication. See Connect the M1 and M2 interfaces for HA heartbeat communication. Heartbeat packets are VLAN-tagged, and you can configure the VLANs used. The switch ports that connect the M1 and M2 interfaces must be configured in trunk mode, and the switches must pass the VLAN-tagged heartbeat packets.

As part of the FortiGate-7000 HA configuration, you assign each FortiGate-7000 in the HA cluster a chassis ID of 1 or 2. The chassis IDs only identify the individual FortiGate-7000s; they do not influence primary unit selection.

Note

If both FortiGate-7000s in a cluster are configured with the same chassis ID, then when they negotiate to form a cluster, the device with the lowest serial number is shut down and the other device begins operating as a standalone FortiGate-7000 in HA mode. To resolve the chassis ID conflict, restart the FortiGate-7000 that was shut down and configure the two FortiGate-7000s with different chassis IDs. Once both FortiGate-7000s are operating in HA mode with different chassis IDs, they negotiate to form a cluster and the cluster begins to operate normally.

Example FortiGate-7040 HA configuration

In a FortiGate-7000 FGCP HA configuration, the primary (or master) FortiGate-7000 processes all traffic. The secondary FortiGate-7000 operates in hot standby mode. The FGCP synchronizes the configuration, active sessions, routing information, and so on to the secondary FortiGate-7000. If the primary FortiGate-7000 fails, traffic automatically fails over to the secondary.

The FGCP selects the primary FortiGate-7000 based on standard FGCP primary unit selection:

  • Connected monitored interfaces
  • Age
  • Device Priority
  • Serial Number

With default settings, if everything is connected and operating normally, the FortiGate-7000 with the highest serial number becomes the primary FortiGate-7000, because the earlier criteria (monitored interfaces, age, device priority) are equal. You can set the device priority higher on one of the FortiGate-7000s if you want it to become the primary FortiGate-7000. You can also enable override along with setting a higher device priority to make sure the same FortiGate-7000 always becomes the primary FortiGate-7000: with override enabled, device priority is checked before age, so the higher-priority unit retakes the primary role when it rejoins the cluster rather than deferring to the unit that has been up longer.
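The following is an added example, not configuration taken from this page or from Fortinet, showing how the settings described above (M1/M2 heartbeat on configurable VLANs, distinct chassis IDs, device priority and override) fit together in the FortiOS CLI for a two-chassis cluster. The group ID, group name, password, VLAN IDs, priority value, and the interface names `1-M1`, `1-M2` and `1-C1` are assumptions; the heartbeat and monitored interface names depend on the chassis model and should be taken from the unit itself.

```text
# Added example, not from the page. Chassis 1 (intended primary).
# Assumed values: group-id, group-name, password, VLAN IDs, priority
# and the interface names. Tab completion on the unit shows the option
# names and interface names that the installed firmware accepts.
config system ha
    # group-id also derives the cluster's virtual MAC addresses, so use
    # a value unique among clusters sharing a layer-2 domain.
    set group-id 7
    set group-name "fg7040-cluster"
    set mode a-p
    # The HA password authenticates heartbeat traffic; use a strong
    # shared secret and keep the heartbeat VLANs off production trunks.
    set password "<strong-shared-secret>"
    # Placeholders for the chassis's 10Gbit M1 and M2 heartbeat interfaces.
    set hbdev "1-M1" 50 "1-M2" 50
    # Heartbeat packets are VLAN-tagged; the connecting switch ports must
    # be trunks that allow these two VLANs.
    set hbdev-vlan-id 999
    set hbdev-second-vlan-id 990
    # Chassis IDs identify the units and must differ (1 and 2).
    set chassis-id 1
    # Higher priority plus override keeps this chassis primary whenever
    # its monitored interface is up.
    set priority 200
    set override enable
    set monitor "1-C1"
end

# Chassis 2: same cluster settings, a different chassis-id, and the
# default priority (128) so chassis 1 wins primary selection.
config system ha
    set group-id 7
    set group-name "fg7040-cluster"
    set mode a-p
    set password "<strong-shared-secret>"
    set hbdev "1-M1" 50 "1-M2" 50
    set hbdev-vlan-id 999
    set hbdev-second-vlan-id 990
    set chassis-id 2
    set priority 128
    set override enable
    set monitor "1-C1"
end

# On either chassis, confirm both members have joined and which is primary.
get system ha status
diagnose sys ha status
```

Check the output of `get system ha status` after each change: if only one member is listed, verify first that the chassis IDs differ (a duplicate ID shuts down the lower-serial unit, as the note above explains) and then that the switch trunks carry both heartbeat VLANs. Override is configured per unit and is not synchronized, which is why the example sets it on both chassis rather than relying on one side.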
