
FortiGate-7000E Handbook

Before you begin configuring HA

Before you begin:

  • The FortiGate-7000Es must be running the same FortiOS firmware version.
  • The FortiGate-7000Es must be in the same VDOM mode (Multi VDOM or Split-Task VDOM mode).
  • To successfully form an FGCP HA cluster, both FortiGate-7000Es must be operating in the same VDOM mode (Multi or Split-Task). You should change both FortiGate-7000Es to the VDOM mode that you want them to operate in before configuring HA. To change the VDOM mode of an operating cluster, you need to remove the backup FortiGate-7000E from the cluster, switch both FortiGate-7000Es to the other VDOM mode, and then re-form the cluster. This process will cause traffic interruptions.
  • Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
  • Register and apply licenses to each FortiGate-7000E before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
  • Both FortiGate-7000Es in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
  • FortiToken licenses can be added at any time because they are synchronized to all cluster members.

Configure split interfaces before configuring HA

You should configure split interfaces or change interface types on both FortiGate-7000Es before forming an FGCP HA cluster. If you decide to change the split interfaces or interface type configuration after forming a cluster, you need to remove the backup FortiGate-7000E from the cluster and change the interface configuration on both FortiGate-7000Es separately. After the FortiGate-7000Es restart, you can re-form the cluster. This process will cause traffic interruptions.

For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:

config system global
    set split-port 1-C1 1-C2 1-C4
end

After configuring split ports, the FortiGate-7000E reboots and synchronizes the configuration.

On each FortiGate-7000E, make sure configurations of the FIMs and FPMs are synchronized before starting to configure HA. You can use the following command to verify the synchronization status of all modules:

diagnose sys confsync showchsum | grep all
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e

If the FIMs and FPMs are synchronized, the checksums displayed should all be the same.

You can also use the following command to list the FIMs and FPMs that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.

diagnose sys confsync status | grep in_sync
FIM10E3E16000062, Slave, uptime=58852.50, priority=2, slot_id=2:2, idx=3, flag=0x10, in_sync=1
FIM04E3E16000010, Slave, uptime=58726.83, priority=3, slot_id=1:1, idx=0, flag=0x10, in_sync=1
FIM04E3E16000014, Master, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FIM10E3E16000040, Slave, uptime=58857.80, priority=4, slot_id=1:2, idx=2, flag=0x10, in_sync=1
FPM20E3E16900234, Slave, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=1
FPM20E3E16900269, Slave, uptime=58333.37, priority=120, slot_id=2:4, idx=5, flag=0x64, in_sync=1
FPM20E3E17900113, Slave, uptime=58858.90, priority=116, slot_id=1:3, idx=6, flag=0x64, in_sync=1
FPM20E3E17900217, Slave, uptime=58858.93, priority=117, slot_id=1:4, idx=7, flag=0x64, in_sync=1
...

In this command output, in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.
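Checking these two outputs by eye is error-prone on a chassis with many modules, so the following added example (not from the handbook or from Fortinet) parses captured output of both diagnose commands and reports whether the FIMs and FPMs are safe to proceed with HA configuration. The sample output is constructed to mirror the format shown above, with one mismatched checksum and one module reporting in_sync=0; collecting the output from the CLI is assumed to happen outside this script.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the two commands shown above.
# The third checksum line and the FPM's in_sync=0 are deliberate faults.
CHECKSUM_OUTPUT = """\
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8f
"""

STATUS_OUTPUT = """\
FIM04E3E16000014, Master, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FIM10E3E16000062, Slave, uptime=58852.50, priority=2, slot_id=2:2, idx=3, flag=0x10, in_sync=1
FPM20E3E16900234, Slave, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=0
"""

# One status line: serial, role, then comma-separated key=value fields.
STATUS_RE = re.compile(r"^(?P<serial>\S+),\s+(?P<role>Master|Slave),\s+(?P<fields>.*)$")


def parse_status(text: str) -> List[Dict[str, str]]:
    """Parse 'diagnose sys confsync status' lines into one dict per module."""
    modules = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # skip '...', headers and any unrelated output
        entry = {"serial": m.group("serial"), "role": m.group("role")}
        for field in m.group("fields").split(","):
            key, _, value = field.strip().partition("=")
            entry[key] = value
        modules.append(entry)
    return modules


def out_of_sync(text: str) -> List[str]:
    """Serial numbers of modules that do not report in_sync=1."""
    return [mod["serial"] for mod in parse_status(text) if mod.get("in_sync") != "1"]


def checksums_agree(text: str) -> Tuple[bool, List[str]]:
    """True when every 'all:' checksum line is identical; also returns the distinct values."""
    sums = [line.split(":", 1)[1].strip() for line in text.splitlines() if line.startswith("all:")]
    distinct = sorted(set(sums))
    return (len(distinct) == 1, distinct)


def ha_preflight_ok(checksum_text: str, status_text: str) -> bool:
    """Gate for HA configuration: identical checksums and no module out of sync."""
    return checksums_agree(checksum_text)[0] and not out_of_sync(status_text)


if __name__ == "__main__":
    print("out of sync:", out_of_sync(STATUS_OUTPUT))
    print("checksums agree:", checksums_agree(CHECKSUM_OUTPUT))
    print("safe to configure HA:", ha_preflight_ok(CHECKSUM_OUTPUT, STATUS_OUTPUT))
```

Run it against the real output of both commands on each FortiGate-7000E; an empty out-of-sync list and a single distinct checksum is the state the handbook asks for before you start configuring HA.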