
VMware ESXi Administration Guide


HA

FortiGate-VM high availability (HA) supports having two virtual machines in an HA cluster on the same physical server or on different physical servers. In both cases, the two VMs run on the same hypervisor, such as VMware ESXi. The primary consideration is that all interfaces involved can communicate efficiently over TCP/IP connection sessions.

Heartbeat

There are two options for setting up the HA heartbeat: unicast and broadcast. Broadcast is the default HA heartbeat configuration. However, the broadcast configuration may not be ideal for FortiGate-VM because it may require special settings on the host. In most cases, the unicast configuration is preferable.

Differences between the unicast and broadcast heartbeat setups are:

  • The unicast method does not change the FortiGate-VM interface MAC addresses to virtual MAC addresses.
  • Unicast HA only supports two FortiGate-VMs.
  • Unicast HA heartbeat interfaces must be connected to the same network and you must add IP addresses to these interfaces.

Unicast

You can configure the unicast settings in the FortiOS CLI:

config system ha
    set unicast-hb {enable/disable}
    set unicast-hb-peerip {Peer heartbeat interface IP address}
end

Setting              Description
unicast-hb           Enable or disable the unicast HA heartbeat (broadcast is the default).
unicast-hb-peerip    IP address of the HA heartbeat interface of the other FortiGate-VM in the HA cluster.

Broadcast

Broadcast HA heartbeat packets are non-TCP packets that use Ethertype values 0x8892, 0x8891, and 0x8890. These packets use automatically assigned link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

For FortiGate-VMs to support a broadcast HA heartbeat configuration, you must configure the virtual switches that connect heartbeat interfaces to operate in promiscuous mode and support MAC address spoofing.

In addition, you must configure the VM platform to allow MAC address spoofing for the FortiGate-VM data interfaces. This is required because in broadcast mode the FGCP applies virtual MAC addresses to the FortiGate data interfaces, so the matching interfaces of the FortiGate-VM instances in the cluster share the same virtual MAC address.

To configure a virtual switch that connects heartbeat interfaces:
  1. In the vSphere client, select your VMware server, then select the Configuration tab.
  2. In Hardware, select Networking.
  3. Select the virtual switch Properties.
  4. In the Properties window, select vSwitch, then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.

You must also configure the virtual switches connected to other FortiGate-VM interfaces to allow MAC address changes and accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate-VM interfaces and the same interfaces on the different FortiGate-VM instances in the cluster will have the same virtual MAC addresses.

To configure a virtual switch that connects FortiGate-VM interfaces:
  1. In the vSphere client, select your VMware server, then select the Configuration tab.
  2. In Hardware, select Networking.
  3. Select Properties of the virtual switch.
  4. Set MAC Address Changes to Accept.
  5. Set Forged Transmits to Accept.
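
After working through both vSwitch procedures above, a practitioner will want to verify the resulting security policies on the host, including port groups, which in ESXi can override the vSwitch policy they sit on and so silently undo a setting made at the vSwitch level. The following audit is an added example, not Fortinet or VMware code: the inventory is constructed by hand (in practice it would come from the vSphere client or PowerCLI), the port-group roles are assumptions, and the rules that data port groups do not need Promiscuous Mode and that unrelated port groups keep the ESXi defaults (Reject) are least-privilege assumptions of this example, not statements from the guide.

```python
"""Audit effective ESXi vSwitch/port-group security policies against the
FortiGate-VM broadcast-heartbeat requirements (added example, not vendor code)."""

ACCEPT, REJECT = "Accept", "Reject"
SETTINGS = ("PromiscuousMode", "MacChanges", "ForgedTransmits")

# Expected effective policy per port-group role (roles are this example's assumption).
EXPECTED = {
    # Heartbeat interfaces: promiscuous mode plus MAC spoofing, as the guide requires.
    "heartbeat": {"PromiscuousMode": ACCEPT, "MacChanges": ACCEPT, "ForgedTransmits": ACCEPT},
    # Data interfaces: MAC changes and forged transmits, as the guide requires;
    # promiscuous mode is not needed there (assumption: keep it rejected).
    "data":      {"PromiscuousMode": REJECT, "MacChanges": ACCEPT, "ForgedTransmits": ACCEPT},
    # Port groups unrelated to the cluster keep ESXi defaults (assumption).
    "other":     {"PromiscuousMode": REJECT, "MacChanges": REJECT, "ForgedTransmits": REJECT},
}


def effective_policy(vswitch_policy, portgroup_override):
    """A port group inherits each vSwitch setting unless it overrides that setting."""
    return {s: portgroup_override.get(s, vswitch_policy[s]) for s in SETTINGS}


def audit(inventory):
    """Return (vswitch, portgroup, setting, actual, expected) for every mismatch."""
    findings = []
    for vs in inventory:
        for pg in vs["portgroups"]:
            eff = effective_policy(vs["security"], pg.get("override", {}))
            for setting, want in EXPECTED[pg["role"]].items():
                if eff[setting] != want:
                    findings.append((vs["name"], pg["name"], setting, eff[setting], want))
    return findings


# Constructed inventory: the heartbeat port group still overrides Promiscuous Mode to
# Reject, and a management port group shares the data vSwitch and inherits its
# MAC-spoofing allowances.
SAMPLE_INVENTORY = [
    {"name": "vSwitch-HB", "security": dict.fromkeys(SETTINGS, ACCEPT),
     "portgroups": [{"name": "FGT-HB", "role": "heartbeat", "override": {"PromiscuousMode": REJECT}}]},
    {"name": "vSwitch-Data",
     "security": {"PromiscuousMode": REJECT, "MacChanges": ACCEPT, "ForgedTransmits": ACCEPT},
     "portgroups": [{"name": "FGT-port1", "role": "data"},
                    {"name": "Mgmt", "role": "other"}]},
]

if __name__ == "__main__":
    for vs, pg, setting, have, want in audit(SAMPLE_INVENTORY):
        print(f"{vs}/{pg}: {setting} is {have}, expected {want}")
```

Moving unrelated port groups to their own vSwitch, or overriding the three settings back to Reject on them, clears the second and third findings without touching the FortiGate-VM interfaces.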