FortiGate-7000F Handbook

Configuring virtual clustering

Configuring virtual clustering is the same as configuring standard FGCP HA with the addition of VDOM partitioning. Using VDOM partitioning, you can control the distribution of VDOMs, and the traffic they process, between the FortiGates in the cluster.

VDOM partitioning can be thought of in two parts. First, there is configuring the distribution of VDOMs between two virtual clusters. By default, all VDOMs are in virtual cluster 1, virtual cluster 1 is associated with the primary FortiGate-7000F, and the primary FortiGate-7000F processes all traffic. If you want traffic to be processed by the secondary FortiGate-7000F, you need to enable virtual cluster 2, move some of the VDOMs to it, and associate virtual cluster 2 with the secondary FortiGate-7000F.

Second, there is associating each virtual cluster with a FortiGate-7000F, which you do using device priorities. The FortiGate-7000F with the highest device priority is associated with virtual cluster 1. To associate a FortiGate-7000F with virtual cluster 2, you must enable virtual cluster 2 and set virtual cluster 2 device priorities on each FortiGate-7000F. The FortiGate-7000F with the highest virtual cluster 2 device priority processes traffic for the VDOMs added to virtual cluster 2. (Reminder: device priorities are not synchronized between cluster members, so you must set them on each FortiGate-7000F individually.)

Normally, you would set the virtual cluster 1 device priority higher on the primary FortiGate-7000F and the virtual cluster 2 device priority higher on the secondary FortiGate-7000F. Then the primary FortiGate-7000F processes virtual cluster 1 traffic and the secondary FortiGate-7000F processes virtual cluster 2 traffic.

Enabling virtual cluster 2 also turns on HA override for virtual clusters 1 and 2. Override is required for virtual clustering to function as configured: with override enabled, the cluster negotiates every time the cluster state changes, so the FortiGate-7000F with the highest device priority for each virtual cluster takes over that virtual cluster's traffic as soon as it is available. If override is not enabled, the cluster may not negotiate as often. More frequent negotiation can cause more minor traffic disruptions, but with virtual clustering it is more important to negotiate after any state change to make sure the configured traffic flows are maintained.

The figure below shows a simple FortiGate-7000F virtual cluster that provides redundancy and failover for two networks. The configuration includes two VDOMs. The root VDOM handles internal network traffic and the Engineering VDOM handles Engineering network traffic. VDOM partitioning has been set up to send all root VDOM traffic to the primary FortiGate and all Engineering VDOM traffic to the secondary FortiGate.

Example virtual clustering configuration

Primary FortiGate-7000F configuration

The primary FortiGate-7000F configuration:

  • Sets the primary FortiGate-7000F to be chassis 1.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the virtual cluster 1 device priority to 200.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 50.
  • Adds the Engineering VDOM to virtual cluster 2 (all VDOMs remain in virtual cluster 1 unless you add them to virtual cluster 2).

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev 1-M3 100 2-M3 100
        set chassis-id 1
        set session-sync-dev Ses-Sync-Lag
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set vcluster2 enable
        set override enable
        set priority 200
        config secondary-vcluster
            set override enable
            set priority 50
            set vdom Engineering
        end
    end

Secondary FortiGate-7000F configuration

The secondary FortiGate-7000F configuration:

  • Sets the secondary FortiGate to be chassis 2.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the device priority of virtual cluster 1 to 50.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 200.
  • Does not need to add the Engineering VDOM to virtual cluster 2: the list of VDOMs in virtual cluster 2 is synchronized from the primary FortiGate-7000F. Only the device priorities have to be set on each FortiGate-7000F, because they are not synchronized.

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev 1-M3 100 2-M3 100
        set chassis-id 2
        set session-sync-dev Ses-Sync-Lag
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set vcluster2 enable
        set override enable
        set priority 50
        config secondary-vcluster
            set override enable
            set priority 200
            set vdom Engineering
        end
    end

Note

Since the primary FortiGate-7000F has the highest virtual cluster 1 device priority, it processes all traffic for the VDOMs in virtual cluster 1. Since the secondary FortiGate-7000F has the highest virtual cluster 2 device priority, it processes all traffic for the VDOM in virtual cluster 2. The primary FortiGate-7000F configuration adds the VDOM to virtual cluster 2. All you have to configure on the secondary FortiGate-7000F for virtual cluster 2 is the virtual cluster 2 (or secondary-vcluster) device priority.

Virtual cluster GUI configuration

From the GUI, you configure virtual clustering from the Global menu by going to System > HA, configuring HA settings and VDOM Partitioning.

Primary FortiGate VDOM partitioning

Secondary FortiGate VDOM partitioning
