Setting up FortiGate-VM HA for a VMware vMotion environment
This guide provides sample configuration of vMotion FortiGate-VM high availability (HA) in a VMware environment. VMware vMotion enables the live migration of a running FortiGate-VM from one physical server to another with zero downtime, continuous service availability, and complete transaction integrity. It also provides transparency to users.
In VM environments that do not support broadcast communication, you can set up a unicast HA heartbeat when configuring HA. Setting up a unicast HA heartbeat consists of enabling the feature and adding a peer IP address. The peer IP address is the IP address of the HA heartbeat interface of the other FortiGate-VM in the HA cluster.
The following depicts the network topology for this sample deployment. In this sample deployment, there are two hosts, Host 82 (10.6.30.82) and Host 83 (10.6.30.83), which are members of Cluster 1 in the DataCenter 1. The vCenter server (10.6.30.81) is managing DataCenter 1.
This configuration requires the following prerequisites:
- The vCenter server has been set up and the data center and cluster have been created.
- Host 82 and Host 83 are part of the cluster.
- A Gigabit Ethernet network interface card with a VMkernel port enabled for vMotion exists on both ESXi hosts.
- Two FortiGate-VM nodes, FGT-HA-1@Host-82 and FGT-HA-2@Host-83 are set up and factory reset. In this example, FGT-HA-1 is the primary side on Host 82, while FGT-HA-2 is the primary side on Host 83. HA is in sync.
To set up FortiGate-VM HA for a VMware vMotion environment:
- Log into the vSphere web client.
- Verify the current location of FGT-HA-1:
- Go to FGT-HA-1.
- On the Summary tab, check the Host.In this example, the host is currently Host 82 (10.6.30.82).
- Repeat step 2 for FGT-HA-2. For FGT-HA2, the host should be Host 83 (10.6.30.83).
- Log into FortiOS on FGT-HA-1 and FGT-HA-2 and run the following commands in the CLI:
- Run the following commands on FGT-HA-1:
config system interface edit "port3" set ip 192.168.40.91 255.255.255.0 set allowaccess ping https ssh snmp http telnet next edit "port4" set ip 10.6.30.91 255.255.255.0 set allowaccess ping https ssh snmp http telnet next end
config system ha set group-name "FGT-VM-HA" set mode a-p set hbdev "port3" 50 set session-pickup enable set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 set interface "port4" set gateway 10.6.30.254 next end set unicast-hb enable set unicast-hb-peerip 192.168.40.92 end
config router static edit 1 set gateway 172.16.200.254 set device "port1" next end config firewall policy edit 1 set srcintf "port2" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
- Run the following commands on FGT-HA-2:
config system interface edit "port3" set ip 192.168.40.92 255.255.255.0 set allowaccess ping https ssh snmp http telnet next edit "port4" set ip 10.6.30.92 255.255.255.0 set allowaccess ping https ssh snmp http telnet next end
config system ha set group-name "FGT-VM-HA" set mode a-p set hbdev "port3" 50 set session-pickup enable set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 set interface "port4" set gateway 10.6.30.254 next end set unicast-hb enable set unicast-hb-peerip 192.168.40.91 end
- Run the following commands on FGT-HA-1:
- Check the HA status:
- To check the HA status in the GUI, in FortiOS, go to System > HA.
- To check the HA status in the CLI, run the
get system ha status
command. The output should be as follows. You should expect both FGT-HA-1 and FGT-HA-2 to have an in-sync configuration status.FGT-HA-1 # get system ha status HA Health Status: OK Model: FortiGate-VM64 Mode: HA A-P Group: 0 Debug: 0 Cluster Uptime: 0 days 1:35:12 Cluster state change time: 2019-05-16 14:53:05 Master selected using: <2019/05/16 14:53:05> FGVMEVLQOG33WM3D is selected as the master because it has the largest value of uptime. <2019/05/16 14:45:53> FGVMEVLQOG33WM3D is selected as the master because it's the only member in the cluster. ses_pickup: enable, ses_pickup_delay=disable override: disable unicast_hb: peerip=192.168.40.92, myip=192.168.40.91, hasync_port='port3' Configuration Status: FGVMEVLQOG33WM3D(updated 2 seconds ago): in-sync FGVMEVGCJNHFYI4A(updated 0 seconds ago): in-sync
- Before initiating the migration, open the CLI for both FGT-HA-1 and FGT-HA-2 to check on traffic during the migration. During the migration, you can enter the
diagnose sniffer packet any 'icmp and host 8.8.8.8'
command to check if traffic is stable. If no traffic is lost during migration and the FortiGate-VM SSH session does not break, the output resembles the following: - Migrate FGT-HA-1, the primary node, from Host 82 to Host 83, then migrate it from Host 83 back to Host 82. Refer to vMotion in a VMware ESXi environment for migration details.
- Migrate FGT-HA-2, the secondary node, from Host 83 to Host 82, then migrate it from Host 82 back to Host 83. Again, refer to vMotion in a VMware ESXi environment for migration details.