FortiGate-7000 Handbook

Configuring virtual clustering

Configuring virtual clustering is the same as configuring standard FGCP HA with the addition of VDOM partitioning. Using VDOM partitioning, you can control the distribution of VDOMs, and the traffic they process, between the FortiGates in the cluster.

VDOM partitioning can be thought of in two parts. First, there is configuring the distribution of VDOMs between two virtual clusters. By default, all VDOMs are in virtual cluster 1, virtual cluster 1 is associated with the primary FortiGate, and the primary FortiGate processes all traffic. If you want traffic to be processed by the secondary FortiGate, you need to enable virtual cluster 2, move some of the VDOMs to it, and associate virtual cluster 2 with the secondary FortiGate.

You associate a virtual cluster with a FortiGate using device priorities. The FortiGate with the highest device priority is associated with virtual cluster 1. To associate a FortiGate with virtual cluster 2, you must enable virtual cluster 2 and set virtual cluster 2 device priorities on each FortiGate. The FortiGate with the highest virtual cluster 2 device priority processes traffic for the VDOMs added to virtual cluster 2. (Reminder: device priorities are not synchronized.)

Normally, you would set the virtual cluster 1 device priority higher for the primary FortiGate and the virtual cluster 2 device priority higher for the secondary FortiGate. Then the primary FortiGate would process virtual cluster 1 traffic and the secondary FortiGate would process virtual cluster 2 traffic.

Enabling virtual cluster 2 also turns on HA override for virtual cluster 1 and 2. Enabling override is required for virtual clustering to function as configured. Enabling override causes the cluster to negotiate every time the cluster state changes. If override is not enabled, the cluster may not negotiate as often. While more frequent negotiation may cause more minor traffic disruptions, with virtual clustering it's more important to negotiate after any state change to make sure the configured traffic flows are maintained.

The figure below shows a simple FortiGate virtual cluster that provides redundancy and failover for two networks. The configuration includes two VDOMs. The root VDOM handles internal network traffic and the Engineering VDOM handles Engineering network traffic. VDOM partitioning has been set up to send all root VDOM traffic to the primary FortiGate and all Engineering VDOM traffic to the secondary FortiGate.

Example virtual clustering configuration

Primary FortiGate configuration

The primary FortiGate configuration:

  • Sets the primary FortiGate to be chassis 1.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the virtual cluster 1 device priority to 200.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 50.
  • Adds the Engineering VDOM to virtual cluster 2 (all VDOMs remain in virtual cluster 1 unless you add them to virtual cluster 2).

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set chassis-id 1
        set vcluster2 enable
        set override enable
        set priority 200
        config secondary-vcluster
            set override enable
            set priority 50
            set vdom Engineering
        end
    end

Secondary FortiGate configuration

The secondary FortiGate configuration:

  • Sets the secondary FortiGate to be chassis 2.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the device priority of virtual cluster 1 to 50.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 200.
  • You do not need to add the Engineering VDOM to virtual cluster 2; the configuration of the VDOMs in virtual cluster 2 is synchronized from the primary FortiGate.

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set chassis-id 2
        set vcluster2 enable
        set override enable
        set priority 50
        config secondary-vcluster
            set override enable
            set priority 200
            set vdom Engineering
        end
    end

Note: Since the primary FortiGate has the highest device priority, it processes all traffic for the VDOMs in virtual cluster 1. Since the secondary FortiGate has the highest virtual cluster 2 device priority, it processes all traffic for the VDOM in virtual cluster 2. The primary FortiGate configuration adds the VDOMs to virtual cluster 2. All you have to configure on the secondary FortiGate for virtual cluster 2 is the virtual cluster 2 (or secondary-vcluster) device priority.
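Because device priorities are not synchronized, the two units' HA settings can drift apart without either one reporting an error. The following added example (not Fortinet code) compares two `config system ha` blocks against the layout described above; `parse_ha` and `check_pair` are hypothetical helper names, the sample configurations are constructed, and reading an unset priority as 128 is an assumption.

```python
import shlex

def parse_ha(text):
    """Split a 'config system ha' block into vcluster 1 and vcluster 2 settings."""
    out, scope = {"vc1": {}, "vc2": {}}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["config"]:
            scope = "vc2" if tok[1] == "secondary-vcluster" else "vc1"
        elif tok[:1] == ["end"]:
            scope = "vc1" if scope == "vc2" else None
        elif tok[:1] == ["set"] and scope:
            out[scope][tok[1]] = " ".join(tok[2:])
    return out

def check_pair(primary_text, secondary_text):
    """Return findings; an empty list means the pair matches the layout on this page."""
    p, s = parse_ha(primary_text), parse_ha(secondary_text)
    def prio(cfg, scope):  # an unset priority read as 128 is this example's assumption
        return int(cfg[scope].get("priority", 128))
    findings = []
    for name, cfg in (("primary", p), ("secondary", s)):
        if cfg["vc1"].get("vcluster2") != "enable":
            findings.append(f"{name}: vcluster2 is not enabled")
        for scope in ("vc1", "vc2"):
            if cfg[scope].get("override") != "enable":
                findings.append(f"{name}: override is not enabled for {scope}")
    # Device priorities are not synchronized, so compare them across the two units.
    if prio(p, "vc1") <= prio(s, "vc1"):
        findings.append("virtual cluster 1 priority is not highest on the primary")
    if prio(s, "vc2") <= prio(p, "vc2"):
        findings.append("virtual cluster 2 priority is not highest on the secondary")
    if not p["vc2"].get("vdom"):
        findings.append("primary: no VDOM assigned to virtual cluster 2")
    return findings

# Constructed sample input: the clustering-related lines of the page's example.
TEMPLATE = """config system ha
    set vcluster2 enable
    set override enable
    set priority {vc1}
    config secondary-vcluster
        set override enable
        set priority {vc2}
        set vdom Engineering
    end
end"""
PRIMARY = TEMPLATE.format(vc1=200, vc2=50)
SECONDARY = TEMPLATE.format(vc1=50, vc2=200)
DRIFTED = TEMPLATE.format(vc1=50, vc2=50)  # vcluster 2 priority never raised
```

`check_pair(PRIMARY, SECONDARY)` returns an empty list, while `check_pair(PRIMARY, DRIFTED)` reports that the virtual cluster 2 priority is not highest on the secondary.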

Virtual cluster GUI configuration

From the GUI, you configure virtual clustering from the Global menu by going to System > HA, configuring HA settings and VDOM Partitioning.

Primary FortiGate VDOM partitioning

Secondary FortiGate VDOM partitioning
