Version:

Version:

Version:


Table of Contents

FortiGate-7000F Handbook

Download PDF
Copy Link

Basic FortiGate-7000F HA configuration

Use the following steps to set up HA between two FortiGate-7000Fs. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-7000Fs. These IDs allow the FGCP to identify the chassis and do not influence primary selection. Before you start, determine which FortiGate-7000F should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-7000F a different chassis ID. If both FortiGate-7000Fs in a cluster are configured with the same chassis ID, both chassis begin operating in HA mode without forming a cluster. A message similar to the following is displayed on the CLI console of both devices:

HA cannot be formed because this box's chassis-id 1 is the same from the HA peer 'F7CF1ATB20000014' chassis-id 1.

As well, a log message similar to the following is created:

Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F7CF1ATB20000014" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA master" msg="HA group detected chassis-id conflict" ha_group=7 sn="F7CF1ATB20000014 chassis-id=1"

You can resolve this issue by logging into one of the FortiGate-7000Fs and changing its Chassis ID to 2. When this happens, the two chassis will form a cluster.

Before you configure HA, use the execute disk list command on each FIM in both FortiGate-7000Fs in the cluster to verify that all of the FIMs have the same disk and RAID configuration. If the RAID configurations are different, when the cluster forms the FortiGate-7000F that would become the secondary will be shut down. You can use the execute disk format command to format the disks and the execute disk raid command to set both FortiGates to the same RAID mode.

  1. Select two FIM management interfaces to use as HA heartbeat interfaces. For example you could use the M3 interface of the FIM in slot 1 and the M3 interface of the FIM in slot 2.
    Connect the HA heartbeat interfaces as follows:

    1. Connect the M3 interfaces of the FIMs in chassis slot 1 together. You can use a direct cable connection or a switch. If using a switch, the switch must allow VLANs. In this example, the M3 interfaces are directly connected and the first HA heartbeat interface uses VLAN ID 4092.

    2. Connect the M3 interfaces of the FIMs in chassis slot 2 together. You can use a direct cable connection or a switch. If using a switch, the switch must allow VLANs. In this example, the M3 interfaces are directly connected and the second HA heartbeat interface uses VLAN ID 4091.

  2. Select two or more interfaces to use for session synchronization. For example, you could use the M1 interface of the FIM in slot 1 and the M1 interface of the FIM in slot 2.

    Connect the session synchronization interfaces as follows:

    1. Connect the M1 interfaces of the FIMs in chassis slot 1 together. You can use a direct cable connection or a switch. Session synchronization traffic does not use VLANS. In this example, the M1 interfaces are directly connected .

    2. Connect the M1 interfaces of the FIMs in chassis slot 2 together. You can use a direct cable connection or a switch. Session synchronization traffic does not use VLANS. In this example, the M1 interfaces are directly connected.

    Note

    For more HA heartbeat and session synchronization scenarios, see Example HA heartbeat and session synchronization configurations.

  3. Log into the GUI or CLI of the FIM in slot 1 of the FortiGate-7000F that will become chassis 1.
    Usually you would do this by connecting the management IP address of the MGMT-1 interface of the FIM in slot 1.

  4. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-7000F easier to identify after the cluster has formed.

    config system global

    set hostname 7KF-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  5. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-7000F:

    config system ha

    set group-id <id>

    set group-name My-7KF-Cluster

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 1

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev 1-M1 2-M1

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID) to 1, enable Session Pickup, set 1-M3 and 2-M3 as the Heartbeat Interfaces, and set the Heartbeat Interface Priority for both heartbeat interfaces to 100. You must configure other settings from the CLI.

  6. Log into the chassis 2 FortiGate-7000F and configure its host name, for example:

    config system global

    set hostname 7KF-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  7. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    1. config system ha

      set group-id <id>

      set group-name My-7KF-Cluster

      set mode a-p

      set hbdev 1-M3 100 2-M3 100

      set chassis-id 2

      set hbdev-vlan-id 4092

      set hbdev-second-vlan-id 4091

      set session-sync-dev 1-M1 2-M1

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set password <password>

      end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID) to 2, enable Session Pickup, set 1-M3 and 2-M3 as the Heartbeat Interfaces, and set the Heartbeat Interface Priority for both heartbeat interfaces to 100. You must configure other settings from the CLI.

    Once you save your configuration changes, if the HA heartbeat and session synchronization interfaces are connected, the FortiGate-7000Fs negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-7000Fs as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-7000F interfaces.

  8. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget, by going to System > HA, or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat and session synchronization connections.

You should also review the HA configurations of the FortiGate-7000Fs. When checking the configurations, make sure both FortiGate-7000Fs have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat and session synchronization VLAN IDs. Also make sure the FortiGate-7000Fs have different chassis IDs.

Basic FortiGate-7000F HA configuration

Use the following steps to set up HA between two FortiGate-7000Fs. To configure HA, you assign a chassis ID (1 and 2) to each of the FortiGate-7000Fs. These IDs allow the FGCP to identify the chassis and do not influence primary selection. Before you start, determine which FortiGate-7000F should be chassis 1 and which should be chassis 2.

Caution

Make sure you give each FortiGate-7000F a different chassis ID. If both FortiGate-7000Fs in a cluster are configured with the same chassis ID, both chassis begin operating in HA mode without forming a cluster. A message similar to the following is displayed on the CLI console of both devices:

HA cannot be formed because this box's chassis-id 1 is the same from the HA peer 'F7CF1ATB20000014' chassis-id 1.

As well, a log message similar to the following is created:

Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F7CF1ATB20000014" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA master" msg="HA group detected chassis-id conflict" ha_group=7 sn="F7CF1ATB20000014 chassis-id=1"

You can resolve this issue by logging into one of the FortiGate-7000Fs and changing its Chassis ID to 2. When this happens, the two chassis will form a cluster.

Before you configure HA, use the execute disk list command on each FIM in both FortiGate-7000Fs in the cluster to verify that all of the FIMs have the same disk and RAID configuration. If the RAID configurations are different, when the cluster forms the FortiGate-7000F that would become the secondary will be shut down. You can use the execute disk format command to format the disks and the execute disk raid command to set both FortiGates to the same RAID mode.

  1. Select two FIM management interfaces to use as HA heartbeat interfaces. For example you could use the M3 interface of the FIM in slot 1 and the M3 interface of the FIM in slot 2.
    Connect the HA heartbeat interfaces as follows:

    1. Connect the M3 interfaces of the FIMs in chassis slot 1 together. You can use a direct cable connection or a switch. If using a switch, the switch must allow VLANs. In this example, the M3 interfaces are directly connected and the first HA heartbeat interface uses VLAN ID 4092.

    2. Connect the M3 interfaces of the FIMs in chassis slot 2 together. You can use a direct cable connection or a switch. If using a switch, the switch must allow VLANs. In this example, the M3 interfaces are directly connected and the second HA heartbeat interface uses VLAN ID 4091.

  2. Select two or more interfaces to use for session synchronization. For example, you could use the M1 interface of the FIM in slot 1 and the M1 interface of the FIM in slot 2.

    Connect the session synchronization interfaces as follows:

    1. Connect the M1 interfaces of the FIMs in chassis slot 1 together. You can use a direct cable connection or a switch. Session synchronization traffic does not use VLANS. In this example, the M1 interfaces are directly connected .

    2. Connect the M1 interfaces of the FIMs in chassis slot 2 together. You can use a direct cable connection or a switch. Session synchronization traffic does not use VLANS. In this example, the M1 interfaces are directly connected.

    Note

    For more HA heartbeat and session synchronization scenarios, see Example HA heartbeat and session synchronization configurations.

  3. Log into the GUI or CLI of the FIM in slot 1 of the FortiGate-7000F that will become chassis 1.
    Usually you would do this by connecting the management IP address of the MGMT-1 interface of the FIM in slot 1.

  4. Use the following CLI command to change the host name. This step is optional, but setting a host name makes the FortiGate-7000F easier to identify after the cluster has formed.

    config system global

    set hostname 7KF-Chassis-1

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  5. Enter the following command to configure basic HA settings for the chassis 1 FortiGate-7000F:

    config system ha

    set group-id <id>

    set group-name My-7KF-Cluster

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 1

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev 1-M1 2-M1

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID) to 1, enable Session Pickup, set 1-M3 and 2-M3 as the Heartbeat Interfaces, and set the Heartbeat Interface Priority for both heartbeat interfaces to 100. You must configure other settings from the CLI.

  6. Log into the chassis 2 FortiGate-7000F and configure its host name, for example:

    config system global

    set hostname 7KF-Chassis-2

    end

    From the GUI you can configure the host name by going to System > Settings and changing the Host name.

  7. Enter the following command to configure basic HA settings. The configuration must be the same as the chassis 1 configuration, except for the chassis ID.

    1. config system ha

      set group-id <id>

      set group-name My-7KF-Cluster

      set mode a-p

      set hbdev 1-M3 100 2-M3 100

      set chassis-id 2

      set hbdev-vlan-id 4092

      set hbdev-second-vlan-id 4091

      set session-sync-dev 1-M1 2-M1

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set password <password>

      end

    From the GUI you can configure HA by going to System > HA. Set the Mode to Active-Passive, set the Group Name, add a Password, select the Chassis identifier (or chassis ID) to 2, enable Session Pickup, set 1-M3 and 2-M3 as the Heartbeat Interfaces, and set the Heartbeat Interface Priority for both heartbeat interfaces to 100. You must configure other settings from the CLI.

    Once you save your configuration changes, if the HA heartbeat and session synchronization interfaces are connected, the FortiGate-7000Fs negotiate to establish a cluster. You may temporarily lose connectivity with the FortiGate-7000Fs as the cluster negotiates and the FGCP changes the MAC addresses of the FortiGate-7000F interfaces.

  8. Log into the cluster and view the HA Status dashboard widget or enter the get system ha status command to confirm that the cluster has formed and is operating normally.

    If the cluster is operating normally, you can connect network equipment, add your configuration, and start operating the cluster.

Verifying that the cluster is operating normally

You view the cluster status from the HA Status dashboard widget, by going to System > HA, or by using the get system ha status command.

If the HA Status widget or the get system ha status command shows a cluster has not formed, check the HA heartbeat and session synchronization connections.

You should also review the HA configurations of the FortiGate-7000Fs. When checking the configurations, make sure both FortiGate-7000Fs have the same HA configuration, including identical HA group IDs, group names, passwords, and HA heartbeat and session synchronization VLAN IDs. Also make sure the FortiGate-7000Fs have different chassis IDs.