Fortinet white logo
Fortinet white logo

FortiGate-7000 Handbook

Basic FortiGate-7000 HA configuration

Basic FortiGate-7000 HA configuration

Use the following steps to set up HA between two FortiGate-7000s. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-7000s. These IDs allow the FGCP to identify the chassis and do not influence primary FortiGate selection. Before you start, determine which FortiGate-7000 should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-7000 a different chassis ID. If both FortiGate-7000s in a cluster are configured with the same chassis ID, both chassis begin operating in HA mode without forming a cluster. A message similar to the following is displayed on the CLI console of both devices:

HA cannot be formed because this box's chassis-id 1 is the same from the HA peer 'F76E9D3E17000001' chassis-id 1.

As well, a log message similar to the following is created:

Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F76E9D3E17000001" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA master" msg="HA group detected chassis-id conflict" ha_group=7 sn="F76E9DT018900001 chassis-id=1"

You can resolve this issue by logging into one of the FortiGate-7000s and changing its Chassis ID to 2. When this happens, the two chassis will form a cluster.

  1. Set up HA heartbeat communication as described in Connect the M1 and M2 interfaces for HA heartbeat communication.

  2. Log into the GUI or CLI of the FIM in slot 1 of the FortiGate-7000 that will become chassis 1.
    Usually you would do this by connecting the management IP address of this FortiGate-7000.

  3. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-7000 easier to identify after the cluster has formed.

    config system global

    set hostname 7K-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  4. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-7000:

    config system ha

    set group-id <id>

    set group-name My-7K-Cluster

    set mode a-p

    set hbdev 1-M1 50 1-M2 50 2-M1 50 2-M2 50

    set chassis-id 1

    set hbdev-vlan-id 4086

    set hbdev-second-vlan-id 4087

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID), and set the Heartbeat Interface Priority for the heartbeat interfaces (1-M1, 1-M2, 2-M1, and 2-M2). You must configure the group ID from the CLI.

  5. Log into the chassis 2 FortiGate-7000 and configure its host name, for example:

    config system global

    set hostname 7K-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  6. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    config system ha

    set group-id <id>

    set group-name My-7K-Cluster

    set mode a-p

    set hbdev 1-M1 50 1-M2 50 2-M1 50 2-M2 50

    set chassis-id 2

    set hbdev-vlan-id 4086

    set hbdev-second-vlan-id 4087

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID), and set the Heartbeat Interface Priority for the heartbeat interfaces (1-M1, 1-M2, 2-M1, and 2-M2). You must configure the group ID from the CLI.

    Once you save your configuration changes, if the HA heartbeat interfaces are connected, the FortiGate-7000s negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-7000s as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-7000 interfaces. .

  7. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget, by going to System > HA, or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat connections. They should be configured as described in Connect the M1 and M2 interfaces for HA heartbeat communication.

You should also review the HA configurations of the FortiGate-7000s. When checking the configurations, make sure both FortiGate-7000s have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat VLAN IDs. Also make sure the FortiGate-6000s have different chassis IDs.

The following example FortiGate-7000 get system ha status output shows a FortiGate-7000 cluster that is operating normally. The output shows which FortiGate-7000 has become the primary (master) FortiGate-7000 and how it was chosen. You can also see CPU and memory use data, HA heartbeat VLAN IDs, and so on.

get system ha status
HA Health Status: OK
Model: FortiGate-7000E
Mode: HA A-P
Group: 7
Debug: 0
Cluster Uptime: 0 days 16:42:5
Cluster state change time: 2019-01-14 16:26:30
Master selected using:
    <2019/01/14 16:26:30> FG74E83E16000016 is selected as the master because it has more active switch blade.
    <2019/01/14 16:26:12> FG74E83E16000016 is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: disable
Configuration Status:
	FG74E83E16000016(updated 3 seconds ago): in-sync
	FG74E83E16000016 chksum dump: 7c 74 ce 81 83 c0 54 c1 01 1d 4f a9 c9 fd 17 df 
	FG74E83E16000015(updated 4 seconds ago): in-sync
	FG74E83E16000015 chksum dump: 7c 74 ce 81 83 c0 54 c1 01 1d 4f a9 c9 fd 17 df 
System Usage stats:
    FG74E83E16000016(updated 4 seconds ago):
        sessions=198, average-cpu-user/nice/system/idle=1%/0%/0%/97%, memory=5%
    FG74E83E16000015(updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=2%/0%/0%/96%, memory=6%
HBDEV stats:
    FG74E83E16000016(updated 4 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4086
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=227119632/900048/0/0, tx=85589814/300318/0/0, vlan-id=4086
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4087
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=227119632/900048/0/0, tx=85589814/300318/0/0, vlan-id=4087
    FG74E83E16000015(updated 0 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4086
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=947346/3022/0/0, tx=206768/804/0/0, vlan-id=4086
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4087
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=946804/3020/0/0, tx=206768/804/0/0, vlan-id=4087
Master: 7K-Chassis-1    , FG74E83E16000016, cluster index = 0
Slave : 7K-Chassis-2    , FG74E83E16000015, cluster index = 1
number of vcluster: 1
vcluster 1: work 10.101.11.20
Master: FG74E83E16000016, operating cluster index = 0
Slave : FG74E83E16000015, operating cluster index = 1
Chassis Status: (Local chassis ID: 2)
    Chassis ID 1: Slave Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot
    Chassis ID 2: Master Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot

Basic FortiGate-7000 HA configuration

Basic FortiGate-7000 HA configuration

Use the following steps to set up HA between two FortiGate-7000s. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-7000s. These IDs allow the FGCP to identify the chassis and do not influence primary FortiGate selection. Before you start, determine which FortiGate-7000 should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-7000 a different chassis ID. If both FortiGate-7000s in a cluster are configured with the same chassis ID, both chassis begin operating in HA mode without forming a cluster. A message similar to the following is displayed on the CLI console of both devices:

HA cannot be formed because this box's chassis-id 1 is the same from the HA peer 'F76E9D3E17000001' chassis-id 1.

As well, a log message similar to the following is created:

Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F76E9D3E17000001" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA master" msg="HA group detected chassis-id conflict" ha_group=7 sn="F76E9DT018900001 chassis-id=1"

You can resolve this issue by logging into one of the FortiGate-7000s and changing its Chassis ID to 2. When this happens, the two chassis will form a cluster.

  1. Set up HA heartbeat communication as described in Connect the M1 and M2 interfaces for HA heartbeat communication.

  2. Log into the GUI or CLI of the FIM in slot 1 of the FortiGate-7000 that will become chassis 1.
    Usually you would do this by connecting the management IP address of this FortiGate-7000.

  3. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-7000 easier to identify after the cluster has formed.

    config system global

    set hostname 7K-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  4. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-7000:

    config system ha

    set group-id <id>

    set group-name My-7K-Cluster

    set mode a-p

    set hbdev 1-M1 50 1-M2 50 2-M1 50 2-M2 50

    set chassis-id 1

    set hbdev-vlan-id 4086

    set hbdev-second-vlan-id 4087

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID), and set the Heartbeat Interface Priority for the heartbeat interfaces (1-M1, 1-M2, 2-M1, and 2-M2). You must configure the group ID from the CLI.

  5. Log into the chassis 2 FortiGate-7000 and configure its host name, for example:

    config system global

    set hostname 7K-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  6. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    config system ha

    set group-id <id>

    set group-name My-7K-Cluster

    set mode a-p

    set hbdev 1-M1 50 1-M2 50 2-M1 50 2-M2 50

    set chassis-id 2

    set hbdev-vlan-id 4086

    set hbdev-second-vlan-id 4087

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID), and set the Heartbeat Interface Priority for the heartbeat interfaces (1-M1, 1-M2, 2-M1, and 2-M2). You must configure the group ID from the CLI.

    Once you save your configuration changes, if the HA heartbeat interfaces are connected, the FortiGate-7000s negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-7000s as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-7000 interfaces. .

  7. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget, by going to System > HA, or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat connections. They should be configured as described in Connect the M1 and M2 interfaces for HA heartbeat communication.

You should also review the HA configurations of the FortiGate-7000s. When checking the configurations, make sure both FortiGate-7000s have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat VLAN IDs. Also make sure the FortiGate-6000s have different chassis IDs.

The following example FortiGate-7000 get system ha status output shows a FortiGate-7000 cluster that is operating normally. The output shows which FortiGate-7000 has become the primary (master) FortiGate-7000 and how it was chosen. You can also see CPU and memory use data, HA heartbeat VLAN IDs, and so on.

get system ha status
HA Health Status: OK
Model: FortiGate-7000E
Mode: HA A-P
Group: 7
Debug: 0
Cluster Uptime: 0 days 16:42:5
Cluster state change time: 2019-01-14 16:26:30
Master selected using:
    <2019/01/14 16:26:30> FG74E83E16000016 is selected as the master because it has more active switch blade.
    <2019/01/14 16:26:12> FG74E83E16000016 is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: disable
Configuration Status:
	FG74E83E16000016(updated 3 seconds ago): in-sync
	FG74E83E16000016 chksum dump: 7c 74 ce 81 83 c0 54 c1 01 1d 4f a9 c9 fd 17 df 
	FG74E83E16000015(updated 4 seconds ago): in-sync
	FG74E83E16000015 chksum dump: 7c 74 ce 81 83 c0 54 c1 01 1d 4f a9 c9 fd 17 df 
System Usage stats:
    FG74E83E16000016(updated 4 seconds ago):
        sessions=198, average-cpu-user/nice/system/idle=1%/0%/0%/97%, memory=5%
    FG74E83E16000015(updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=2%/0%/0%/96%, memory=6%
HBDEV stats:
    FG74E83E16000016(updated 4 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4086
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=227119632/900048/0/0, tx=85589814/300318/0/0, vlan-id=4086
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=227791977/902055/0/0, tx=85589814/300318/0/0, vlan-id=4087
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=227119632/900048/0/0, tx=85589814/300318/0/0, vlan-id=4087
    FG74E83E16000015(updated 0 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4086
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=947346/3022/0/0, tx=206768/804/0/0, vlan-id=4086
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=85067/331/0/0, vlan-id=4087
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=946804/3020/0/0, tx=206768/804/0/0, vlan-id=4087
Master: 7K-Chassis-1    , FG74E83E16000016, cluster index = 0
Slave : 7K-Chassis-2    , FG74E83E16000015, cluster index = 1
number of vcluster: 1
vcluster 1: work 10.101.11.20
Master: FG74E83E16000016, operating cluster index = 0
Slave : FG74E83E16000015, operating cluster index = 1
Chassis Status: (Local chassis ID: 2)
    Chassis ID 1: Slave Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot
    Chassis ID 2: Master Chassis
        Slot ID 1: Master Slot
        Slot ID 2: Slave Slot