
FortiGate-7000E Handbook

Configuring virtual clustering

Configuring virtual clustering is the same as configuring standard FGCP HA with the addition of VDOM partitioning. Using VDOM partitioning, you can control the distribution of VDOMs, and the traffic they process, between the FortiGates in the cluster.

VDOM partitioning can be thought of in two parts. First, there is configuring the distribution of VDOMs between the two virtual clusters. By default, all VDOMs are in virtual cluster 1, virtual cluster 1 is associated with the primary FortiGate-7000, and the primary FortiGate-7000 processes all traffic. If you want traffic to be processed by the secondary FortiGate-7000, you need to enable virtual cluster 2, move some of the VDOMs to it, and associate virtual cluster 2 with the secondary FortiGate-7000.

Second, you associate a virtual cluster with a FortiGate-7000 using device priorities. The FortiGate-7000 with the highest device priority is associated with virtual cluster 1. To associate a FortiGate-7000 with virtual cluster 2, you must enable virtual cluster 2 and set virtual cluster 2 device priorities on each FortiGate-7000. The FortiGate-7000 with the highest virtual cluster 2 device priority processes traffic for the VDOMs added to virtual cluster 2. (Reminder: device priorities are not synchronized.)

Normally, you would set the virtual cluster 1 device priority higher for the primary FortiGate-7000 and the virtual cluster 2 device priority higher for the secondary FortiGate-7000. The primary FortiGate-7000 would then process virtual cluster 1 traffic and the secondary FortiGate-7000 would process virtual cluster 2 traffic.

Enabling virtual cluster 2 also turns on HA override for virtual clusters 1 and 2. Enabling override is required for virtual clustering to function as configured: with override enabled, the cluster negotiates every time the cluster state changes. If override is not enabled, the cluster may not negotiate as often. While more frequent negotiation may cause more minor traffic disruptions, with virtual clustering it is more important to negotiate after any state change to make sure the configured traffic flows are maintained.

The figure below shows a simple FortiGate-7000 virtual cluster that provides redundancy and failover for two networks. The configuration includes two VDOMs. The root VDOM handles internal network traffic and the Engineering VDOM handles Engineering network traffic. VDOM partitioning has been set up to send all root VDOM traffic to the primary FortiGate and all Engineering VDOM traffic to the secondary FortiGate.

Example virtual clustering configuration

Primary FortiGate-7000 configuration

The primary FortiGate-7000 configuration:

  • Sets the primary FortiGate-7000 to be chassis 1.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the virtual cluster 1 device priority to 200.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 50.
  • Adds the Engineering VDOM to virtual cluster 2 (all VDOMs remain in virtual cluster 1 unless you add them to virtual cluster 2).

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev 1-M1 50 2-M1 50 1-M2 50 2-M2 50
        set chassis-id 1
        set vcluster2 enable
        set override enable
        set priority 200
        config secondary-vcluster
            set override enable
            set priority 50
            set vdom Engineering
        end
    end

Secondary FortiGate configuration

The secondary FortiGate configuration:

  • Sets the secondary FortiGate to be chassis 2.
  • Enables virtual cluster 2 (vcluster2) to enable virtual clustering.
  • Enables override for virtual cluster 1.
  • Sets the device priority of virtual cluster 1 to 50.
  • Enables override for virtual cluster 2 (secondary-vcluster).
  • Sets the virtual cluster 2 device priority to 200.
  • You do not need to add the Engineering VDOM to virtual cluster 2; the configuration of the VDOMs in virtual cluster 2 is synchronized from the primary FortiGate.

    config system ha
        set group-id 6
        set group-name <name>
        set mode a-p
        set password <password>
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set chassis-id 2
        set vcluster2 enable
        set override enable
        set priority 50
        config secondary-vcluster
            set override enable
            set priority 200
            set vdom Engineering
        end
    end

Note

Since the primary FortiGate-7000 has the highest device priority, it processes all traffic for the VDOMs in virtual cluster 1. Since the secondary FortiGate-7000 has the highest virtual cluster 2 device priority, it processes all traffic for the VDOM in virtual cluster 2. The primary FortiGate-7000 configuration adds the VDOMs to virtual cluster 2. All you have to configure on the secondary FortiGate-7000 for virtual cluster 2 is the virtual cluster 2 (or secondary-vcluster) device priority.
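Because device priorities are not synchronized, the partitioning described above only works if both units were configured consistently by hand. The following Python script is an added example, not Fortinet code and not part of this handbook: it parses the two snippets above into nested dictionaries and audits them against the rules this page states (the unit with the highest priority owns virtual cluster 1, the unit with the highest secondary-vcluster priority owns virtual cluster 2, the virtual cluster 2 VDOM list comes from the primary). The parser, the audit function and the third, deliberately misconfigured secondary snippet are all constructed here; the snippets mirror the page's example with its `<name>` and `<password>` placeholders kept.

```python
"""Audit two FortiGate-7000 'config system ha' snippets for virtual clustering.

Added example, not Fortinet code.  It assumes the CLI shape shown on this page
(config / set / end blocks) and applies the rules the page states: the unit with
the highest 'priority' processes virtual cluster 1, the unit with the highest
'secondary-vcluster' priority processes virtual cluster 2, and the VDOM list
for virtual cluster 2 is taken from the primary unit.
"""
import shlex


def ha_snippet(chassis_id, vc1_priority, vc2_priority):
    """Constructed sample input in the shape used on this page (placeholders kept)."""
    return f"""
config system ha
    set group-id 6
    set group-name <name>
    set mode a-p
    set password <password>
    set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
    set chassis-id {chassis_id}
    set vcluster2 enable
    set override enable
    set priority {vc1_priority}
    config secondary-vcluster
        set override enable
        set priority {vc2_priority}
        set vdom Engineering
    end
end
"""


PRIMARY = ha_snippet(1, 200, 50)        # chassis 1, as on this page
SECONDARY = ha_snippet(2, 50, 200)      # chassis 2, as on this page
BAD_SECONDARY = ha_snippet(2, 50, 40)   # constructed: vcluster 2 priority too low


def parse_fortios(text):
    """Parse an indented FortiOS CLI block into nested dicts.

    'config <name>' opens a nested dict, 'set <key> <values...>' stores the
    values (a string for one token, otherwise a list), 'end' closes the block.
    """
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # drops the optional quotes around values
        if tokens[0] == "config":
            stack.append(current)
            current = current.setdefault(" ".join(tokens[1:]), {})
        elif tokens[0] == "set":
            values = tokens[2:]
            current[tokens[1]] = values[0] if len(values) == 1 else values
        elif tokens[0] == "end":
            if not stack:
                raise ValueError("'end' without an open 'config' block")
            current = stack.pop()
        else:
            raise ValueError(f"unsupported line: {line!r}")
    if stack:
        raise ValueError("unterminated 'config' block")
    return root


# Settings that must match on both units for them to form one cluster.
MUST_MATCH = ("group-id", "group-name", "mode", "password", "hbdev")


def audit_virtual_cluster(cfg_a, cfg_b):
    """Return (problems, owners): findings, and VDOM -> chassis-id that will
    process its traffic by the page's priority rules (root stays in vcluster 1)."""
    ha_a, ha_b = cfg_a["system ha"], cfg_b["system ha"]
    problems = []
    if ha_a["chassis-id"] == ha_b["chassis-id"]:
        problems.append("both units use the same chassis-id")
    for key in MUST_MATCH:
        if ha_a.get(key) != ha_b.get(key):
            problems.append(f"'{key}' differs between the two units")
    for ha in (ha_a, ha_b):
        cid = ha["chassis-id"]
        if ha.get("vcluster2") != "enable":
            problems.append(f"chassis {cid}: vcluster2 is not enabled")
        if ha.get("override") != "enable":
            problems.append(f"chassis {cid}: override not enabled for virtual cluster 1")
        if ha.get("secondary-vcluster", {}).get("override") != "enable":
            problems.append(f"chassis {cid}: override not enabled for virtual cluster 2")

    def winner(priority_of, label):
        """Chassis with the higher priority; a tie is itself a finding."""
        pa, pb = priority_of(ha_a), priority_of(ha_b)
        if pa == pb:
            problems.append(f"{label}: both units have priority {pa}")
        return ha_a["chassis-id"] if pa >= pb else ha_b["chassis-id"]

    # A missing priority is treated as the lowest possible value for this audit.
    vc1_owner = winner(lambda h: int(h.get("priority", 0)), "virtual cluster 1")
    vc2_owner = winner(lambda h: int(h.get("secondary-vcluster", {}).get("priority", 0)),
                       "virtual cluster 2")
    if vc1_owner == vc2_owner:
        problems.append(f"chassis {vc1_owner} wins both virtual clusters; "
                        "the other unit processes no traffic")

    # The vcluster 2 VDOM list is authoritative on the primary (vcluster 1 owner).
    primary = ha_a if ha_a["chassis-id"] == vc1_owner else ha_b
    vdoms = primary.get("secondary-vcluster", {}).get("vdom", [])
    vdoms = [vdoms] if isinstance(vdoms, str) else vdoms
    return problems, {"root": vc1_owner, **{v: vc2_owner for v in vdoms}}


if __name__ == "__main__":
    for label, snippet in (("page example", SECONDARY), ("misconfigured", BAD_SECONDARY)):
        found, owners = audit_virtual_cluster(parse_fortios(PRIMARY), parse_fortios(snippet))
        print(label, owners, found or "OK")
```

For the pair on this page the audit reports no findings and maps root to chassis 1 and Engineering to chassis 2. The constructed third snippet, whose virtual cluster 2 priority is lower than the primary's, is flagged because chassis 1 then wins both virtual clusters: the configuration is accepted by both units, but the secondary carries no traffic and the intended partitioning silently never happens.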

Virtual cluster GUI configuration

From the GUI, you configure virtual clustering from the Global menu by going to System > HA, configuring HA settings and VDOM Partitioning.

Primary FortiGate VDOM partitioning

Secondary FortiGate VDOM partitioning
