High availability
FortiGate-VM high availability (HA) supports having two VMs in an HA cluster on the same physical platform or different platforms. The primary consideration is that all interfaces involved can communicate efficiently over TCP/IP connection sessions.
Heartbeat
There are two options for setting up the HA heartbeat: unicast and broadcast. Broadcast is the default HA heartbeat configuration. However, the broadcast configuration may not be ideal for FortiGate-VM because it may require special settings on the host. In most cases, the unicast configuration is preferable.
Differences between the unicast and broadcast heartbeat setups are:
- The unicast method does not change the FortiGate-VM interface MAC addresses to virtual MAC addresses.
- Unicast HA only supports two FortiGate-VMs.
- Unicast HA heartbeat interfaces must be connected to the same network, and you must assign IP addresses to these interfaces.
Unicast
You can configure the unicast settings in the FortiOS CLI:
config system ha
set unicast-hb {enable | disable}
set unicast-hb-peerip {Peer heartbeat interface IP address}
end
Setting | Description
---|---
unicast-hb | Enable or disable the unicast HA heartbeat (broadcast is the default).
unicast-hb-peerip | IP address of the HA heartbeat interface of the other FortiGate-VM in the HA cluster.
Broadcast
Broadcast HA heartbeat packets are non-TCP packets that use Ethertype values 0x8892, 0x8891, and 0x8890. These packets use automatically assigned link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.
For FortiGate-VMs to support a broadcast HA heartbeat configuration, you must configure the virtual switches that connect heartbeat interfaces to
In addition, you must configure the VM platform to allow MAC address spoofing for the FortiGate-VM data interfaces. This is required because in broadcast mode the FGCP assigns virtual MAC addresses to the FortiGate data interfaces, so the matching interfaces of the FortiGate-VM instances in the cluster share the same virtual MAC address.
Promiscuous mode
KVM's Virtual Machine Manager cannot set a virtual network interface to promiscuous mode; promiscuous mode is instead set on the host's physical network interface. When KVM creates a VM, it also creates a tap interface with a new MAC address for it. Once the host's physical interface is in promiscuous mode, it must be connected to a bridge device that the VM uses to reach the network outside the host.
Because this configuration is done on the host and not the VM, the methodology depends on the host's operating system distribution and version.
Setting up the network interfaces and bridge devices requires using an account with root privileges.
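As an added example (not from this page or from Fortinet), the following POSIX shell pre-flight check verifies the two host-side conditions described above for a broadcast heartbeat on a KVM host: the physical NIC is in promiscuous mode and is enslaved to the bridge the VM's tap interface uses. It parses the output of `ip -o link show <dev>`; the interface name `eth1`, the bridge name `br-hb` and the sample output lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# hb_link_ok LINE BRIDGE
#   LINE   - one line of `ip -o link show <dev>` output
#   BRIDGE - bridge the physical NIC must be enslaved to
# Exit status: 0 = ready, 1 = PROMISC flag missing, 2 = not enslaved to BRIDGE
hb_link_ok() {
    line=$1
    bridge=$2
    # Flags are the comma-separated list between the angle brackets.
    flags=${line#*<}
    flags=${flags%%>*}
    case ",$flags," in
        *,PROMISC,*) ;;
        *) return 1 ;;
    esac
    # iproute2 prints "master <bridge>" for an enslaved port.
    case " $line " in
        *" master $bridge "*) return 0 ;;
        *) return 2 ;;
    esac
}

# Human-readable verdict, including the remediation for each failure.
hb_link_report() {
    if hb_link_ok "$1" "$2"; then
        echo "ready: PROMISC set and enslaved to $2"
    elif [ $? -eq 1 ]; then
        echo "not ready: run 'ip link set dev $3 promisc on'"
    else
        echo "not ready: run 'ip link set dev $3 master $2'"
    fi
}

# Constructed sample outputs (not captured from a real host).
GOOD='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-hb state UP mode DEFAULT group default qlen 1000'
NO_PROMISC='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-hb state UP mode DEFAULT group default qlen 1000'
NO_BRIDGE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

for sample in "$GOOD" "$NO_PROMISC" "$NO_BRIDGE"; do
    hb_link_report "$sample" br-hb eth1
done
# On a live host, as root, run against the real interface instead:
#   hb_link_report "$(ip -o link show eth1)" br-hb eth1
```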