FortiGate-7000F Handbook

Virtual clustering

FortiGate-7000F supports virtual clustering with two FortiGate-7000Fs operating in Multi VDOM mode. Virtual clustering is not supported for Split-Task VDOM mode.

A virtual cluster consists of two FortiGate-7000Fs operating in active-passive HA mode with Multi VDOM mode enabled. Virtual clustering is an extension of FGCP HA that uses VDOM partitioning to send traffic for some VDOMs to the primary FortiGate-7000F and traffic for other VDOMs to the secondary FortiGate-7000F. Distributing traffic between the FortiGate-7000Fs in a virtual cluster is similar to load balancing and can potentially improve overall throughput. You can adjust VDOM partitioning at any time to optimize traffic distribution without interrupting traffic flow.

VDOM partitioning distributes VDOMs between two virtual clusters (virtual cluster 1 and virtual cluster 2). When configuring virtual clustering you would normally set the device priority of virtual cluster 1 higher for the primary FortiGate-7000F and the device priority of virtual cluster 2 higher for the secondary FortiGate-7000F. With this configuration, all traffic in the VDOMs in virtual cluster 1 is processed by the primary FortiGate-7000F and all traffic in the VDOMs in virtual cluster 2 is processed by the secondary FortiGate-7000F. The FGCP selects the primary and secondary FortiGate-7000F whenever the cluster negotiates. The primary FortiGate-7000F can dynamically change based on FGCP HA primary unit selection criteria.

If a failure occurs and only one FortiGate-7000F continues to operate, all traffic fails over to that FortiGate-7000F, similar to normal FGCP HA. When the failed FortiGate-7000F rejoins the cluster, the configured traffic distribution is restored.

For more information about virtual clustering see:

Note

If you don't want active-passive virtual clustering to distribute traffic between FortiGate-7000Fs, you can configure VDOM partitioning to send traffic for all VDOMs to the primary FortiGate-7000F. The result is the same as standard active-passive FGCP HA: all traffic is processed by the primary FortiGate-7000F.

Virtual clustering creates a cluster between instances of each VDOM on the two FortiGate-7000Fs in the virtual cluster. All traffic to and from a given VDOM is sent to one of the FortiGate-7000Fs where it stays within its VDOM and is only processed by that VDOM. One FortiGate-7000F is the primary FortiGate-7000F for each VDOM and one FortiGate-7000F is the secondary FortiGate-7000F for each VDOM. The primary FortiGate-7000F processes all traffic for its VDOMs. The secondary FortiGate-7000F processes all traffic for its VDOMs.

The HA heartbeat and session synchronization provide the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces and one session synchronization LAG provide HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface or session synchronization LAG for each VDOM.
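The VDOM partitioning and failover behavior described above can be modeled to check where each VDOM's traffic lands before and after a failure. This is an added example, not Fortinet code. The chassis names, VDOM names and priority values are constructed, and the model assumes device priority is the only selection criterion, which simplifies FGCP primary unit selection.

```python
from dataclasses import dataclass

@dataclass
class Chassis:
    name: str        # hypothetical chassis label
    priority: dict   # virtual cluster number (1 or 2) -> device priority
    up: bool = True  # False while the chassis is failed

def owner(vcluster, units):
    """Return the operating chassis that processes a virtual cluster.

    Assumption: the highest device priority wins; other FGCP
    selection criteria are not modeled.
    """
    alive = [u for u in units if u.up]
    if not alive:
        return None
    return max(alive, key=lambda u: u.priority[vcluster]).name

def traffic_map(partition, units):
    """Map each VDOM to the chassis that processes its traffic."""
    return {vdom: owner(vc, units) for vdom, vc in partition.items()}

# Constructed VDOM partitioning: VDOM name -> virtual cluster number.
PARTITION = {"root": 1, "vdom-a": 1, "vdom-b": 2, "vdom-c": 2}

def make_units():
    # Virtual cluster 1 priority is higher on chassis-1,
    # virtual cluster 2 priority is higher on chassis-2.
    return [
        Chassis("chassis-1", {1: 200, 2: 50}),
        Chassis("chassis-2", {1: 50, 2: 200}),
    ]

if __name__ == "__main__":
    units = make_units()
    print("normal:  ", traffic_map(PARTITION, units))
    units[1].up = False   # chassis-2 fails: everything fails over
    print("failure: ", traffic_map(PARTITION, units))
    units[1].up = True    # chassis-2 rejoins: distribution is restored
    print("rejoined:", traffic_map(PARTITION, units))
    # All VDOMs in virtual cluster 1: same result as standard active-passive HA.
    everything_vc1 = {vdom: 1 for vdom in PARTITION}
    print("all vc1: ", traffic_map(everything_vc1, units))
```
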
