Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000F Handbook

    Home FortiGate-7000 7.0.12 FortiGate-7000F Handbook
    7.0.12
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6

    Using M3 interfaces for HA heartbeat and M1 interfaces in a LAG for session synchronization

    Using M3 interfaces for HA heartbeat and M1 interfaces in a LAG for session synchronization

    This example shows how to set up the following HA heartbeat and session synchronization connections between two FortiGate 7121F chassis:

    • Redundant HA heartbeat communication over the 1-M3 and 2-M3 interfaces of each chassis. The HA heartbeat interfaces are connected together with a FortiSwitch.

    • Session synchronization over a LAG consisting of the 1-M1 and 2-M1 interfaces of each chassis. The session synchronization LAGs are also connected together with a FortiSwitch.

    This example uses FortiSwitches, but you can use any compatible switch configuration.

    FortiGate 7121F HA configuration

    On both chassis, create the following LAG for session synchronization communication:

    config system interface

    edit MLag

    set type aggregate

    set member 1-M1 2-M1

    end

    Chassis 1 would have the following HA configuration:

    config system ha

    set group-id <id>

    set group-name <name>

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 1

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev MLag

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    Chassis 2 would have the following HA configuration:

    config system ha

    set group-id <id>

    set group-name <name>

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 2

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev MLag

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    HA heartbeat switch configuration

    The FortiSwitch has the following configuration for the HA heartbeat interfaces:

    Switch interface port23.1 is connected to the 1-M3 interface of chassis 1.

    config switch interface

    edit port23.1

    set native-vlan 295

    set allowed-vlans 4092

    set auto-discovery-fortilink enable

    set snmp-index 23

    end

    Switch interface port23.3 is connected to the 2-M3 interface of chassis 1.

    config switch interface

    edit port23.3

    set native-vlan 294

    set allowed-vlans 4091

    set stp-state disabled

    set auto-discovery-fortilink enable

    set snmp-index 59

    end

    Switch interface port24.1 is connected to the 1-M3 interface of chassis 2.

    config switch interface

    edit port24.1

    set native-vlan 295

    set allowed-vlans 4092

    set auto-discovery-fortilink enable

    set snmp-index 24

    end

    Switch interface port24.3 is connected to the 2-M3 interface of chassis 2.

    config switch interface

    edit port24.3

    set native-vlan 294

    set allowed-vlans 4091

    set stp-state disabled

    set auto-discovery-fortilink enable

    set snmp-index 48

    end

    Session synchronization switch configuration

    The FortiSwitch has the following configuration for the session synchronization interfaces:

    Create the following trunk for the Chassis 1 LAG:

    config switch trunk

    edit CH1_13_Mlag

    set mode lacp-active

    set members port25 port29

    end

    Create the following trunk for the Chassis 2 LAG:

    config switch trunk

    edit CH2_11_Mlag

    set mode lacp-active

    set members port26 port30

    end

    Configure the Chassis 1 LAG trunk interface:

    config switch interface

    edit CH1_12_MLag

    set native-vlan 297

    set snmp-index 46

    end

    Configure the Chassis 2 LAG trunk interface:

    config switch interface

    edit CH2_11_Mlag

    set native-vlan 297

    set snmp-index 51

    end

    Previous
    Next

    Using M3 interfaces for HA heartbeat and M1 interfaces in a LAG for session synchronization

    Using M3 interfaces for HA heartbeat and M1 interfaces in a LAG for session synchronization

    This example shows how to set up the following HA heartbeat and session synchronization connections between two FortiGate 7121F chassis:

    • Redundant HA heartbeat communication over the 1-M3 and 2-M3 interfaces of each chassis. The HA heartbeat interfaces are connected together with a FortiSwitch.

    • Session synchronization over a LAG consisting of the 1-M1 and 2-M1 interfaces of each chassis. The session synchronization LAGs are also connected together with a FortiSwitch.

    This example uses FortiSwitches, but you can use any compatible switch configuration.

    FortiGate 7121F HA configuration

    On both chassis, create the following LAG for session synchronization communication:

    config system interface

    edit MLag

    set type aggregate

    set member 1-M1 2-M1

    end

    Chassis 1 would have the following HA configuration:

    config system ha

    set group-id <id>

    set group-name <name>

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 1

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev MLag

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    Chassis 2 would have the following HA configuration:

    config system ha

    set group-id <id>

    set group-name <name>

    set mode a-p

    set hbdev 1-M3 100 2-M3 100

    set chassis-id 2

    set hbdev-vlan-id 4092

    set hbdev-second-vlan-id 4091

    set session-sync-dev MLag

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set password <password>

    end

    HA heartbeat switch configuration

    The FortiSwitch has the following configuration for the HA heartbeat interfaces:

    Switch interface port23.1 is connected to the 1-M3 interface of chassis 1.

    config switch interface

    edit port23.1

    set native-vlan 295

    set allowed-vlans 4092

    set auto-discovery-fortilink enable

    set snmp-index 23

    end

    Switch interface port23.3 is connected to the 2-M3 interface of chassis 1.

    config switch interface

    edit port23.3

    set native-vlan 294

    set allowed-vlans 4091

    set stp-state disabled

    set auto-discovery-fortilink enable

    set snmp-index 59

    end

    Switch interface port24.1 is connected to the 1-M3 interface of chassis 2.

    config switch interface

    edit port24.1

    set native-vlan 295

    set allowed-vlans 4092

    set auto-discovery-fortilink enable

    set snmp-index 24

    end

    Switch interface port24.3 is connected to the 2-M3 interface of chassis 2.

    config switch interface

    edit port24.3

    set native-vlan 294

    set allowed-vlans 4091

    set stp-state disabled

    set auto-discovery-fortilink enable

    set snmp-index 48

    end

    Session synchronization switch configuration

    The FortiSwitch has the following configuration for the session synchronization interfaces:

    Create the following trunk for the Chassis 1 LAG:

    config switch trunk

    edit CH1_13_Mlag

    set mode lacp-active

    set members port25 port29

    end

    Create the following trunk for the Chassis 2 LAG:

    config switch trunk

    edit CH2_11_Mlag

    set mode lacp-active

    set members port26 port30

    end

    Configure the Chassis 1 LAG trunk interface:

    config switch interface

    edit CH1_12_MLag

    set native-vlan 297

    set snmp-index 46

    end

    Configure the Chassis 2 LAG trunk interface:

    config switch interface

    edit CH2_11_Mlag

    set native-vlan 297

    set snmp-index 51

    end

    Previous
    Next