OCI Administration Guide

Configuring active-passive HA

This step shows you how to configure A-P HA settings with CLI commands, either from the GUI CLI console or over SSH. Over SSH the FortiGate may drop the session when the routing table changes, so configuring HA from the GUI is recommended.

To configure the HA interfaces on FGT-A-AD1:

config system interface
    edit "port1"
        set mode static
        set ip 10.0.14.21 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port2"
        set ip 10.0.11.21 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port3"
        set ip 10.0.12.21 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port4"
        set ip 10.0.13.21 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
end

To configure the HA interfaces on FGT-B-AD2:

config system interface
    edit "port1"
        set mode static
        set ip 10.0.24.22 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port2"
        set ip 10.0.21.22 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port3"
        set ip 10.0.22.22 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "port4"
        set ip 10.0.23.22 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
end

To configure the routing tables on FGT-A-AD1:

config router static
    edit 1
        set gateway 10.0.11.1
        set device "port2"
    next
    edit 2
        set dst 10.0.22.0 255.255.255.0
        set gateway 10.0.12.1
        set device "port3"
    next
end

To configure the routing tables on FGT-B-AD2:

config router static
    edit 1
        set gateway 10.0.21.1
        set device "port2"
    next
    edit 2
        set dst 10.0.12.0 255.255.255.0
        set gateway 10.0.22.1
        set device "port3"
    next
end

To configure the OCI Fabric connector on FGT-A-AD1 and FGT-B-AD2:

config system sdn-connector
    edit "FGT-OCI-SDN"
        set type oci
        set use-metadata-iam disable
        set ha-status enable
        set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
        set user-id "ocid1.user.oc1..aaaaaaaakgeja4xkdvgfcsfyctpj5gxwjlogq4iv3l673wsaljbfluegzh3q"
        set compartment-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
        set oci-region "us-ashburn-1"
        set oci-cert "Fortinet_Factory"
    next
end

Note

The Fabric connector settings are the same on both FortiGates. Ensure that you imported the oci-cert public key as an OCI user API key. You can print the certificate public key in the FortiOS CLI with the diagnose oci pubkey command.

To configure the firewall policy on FGT-A-AD1 and FGT-B-AD2:

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure HA settings on FGT-A-AD1:

config system ha
    set group-name "ha-cross-ad"
    set mode a-p
    set hbdev "port4" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.14.1
        next
    end
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.22
end

To configure HA settings on FGT-B-AD2:

You must set the FGT-B HA priority to a value lower than FGT-A's priority. The node with the lower priority becomes the secondary node.

config system ha
    set group-name "ha-cross-ad"
    set mode a-p
    set hbdev "port4" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.24.1
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.21
end
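As an added example (not Fortinet's code), the following Python script parses the two HA blocks above and checks the cross-node values a reviewer otherwise verifies by hand: matching group name and mode, each node's unicast-hb-peerip equal to the other node's hbdev address, and a lower priority on FGT-B. The CLI fragments are constructed from the page's values, and the FortiOS default priority of 128 assumed when "set priority" is absent is an assumption.

```python
def parse_cli(text):
    """Parse FortiOS CLI text into nested dicts, e.g. {"system ha": {"mode": "a-p"}}."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("config", "edit"):      # open a table or one of its entries
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif cmd in ("next", "end"):       # close it again
            cur = stack.pop()
        elif cmd == "set":                 # "set key value ..." -> key: value
            key, _, val = rest.partition(" ")
            cur[key] = val.replace('"', "").strip()
    return root

def check_ha_pair(cfg_a, cfg_b, default_priority=128):
    """Return inconsistencies found; empty list means OK. 128 = assumed FortiOS default priority."""
    ha_a, ha_b = cfg_a["system ha"], cfg_b["system ha"]
    problems = []
    if ha_a.get("group-name") != ha_b.get("group-name"):
        problems.append("group-name differs between the nodes")
    if {ha_a.get("mode"), ha_b.get("mode")} != {"a-p"}:
        problems.append("both nodes must use mode a-p")
    # Each node's unicast-hb-peerip must be the IP of the *other* node's hbdev.
    for label, me, peer in (("FGT-A", cfg_a, cfg_b), ("FGT-B", cfg_b, cfg_a)):
        peer_dev = peer["system ha"]["hbdev"].split()[0]
        peer_ip = peer["system interface"][peer_dev]["ip"].split()[0]
        if me["system ha"].get("unicast-hb-peerip") != peer_ip:
            problems.append(f"{label}: unicast-hb-peerip does not match peer {peer_dev} ({peer_ip})")
    if int(ha_b.get("priority", default_priority)) >= int(ha_a.get("priority", default_priority)):
        problems.append("FGT-B priority must be lower than FGT-A priority")
    return problems

def node_cfg(hb_ip, peer_ip, priority=None):
    """Constructed CLI fragment with the page's values: just port4 and the HA block."""
    pri = f"set priority {priority}\n" if priority is not None else ""
    return (f'config system interface\nedit "port4"\nset ip {hb_ip} 255.255.255.0\nnext\nend\n'
            f'config system ha\nset group-name "ha-cross-ad"\nset mode a-p\nset hbdev "port4" 50\n'
            f"{pri}set unicast-hb enable\nset unicast-hb-peerip {peer_ip}\nend\n")

FGT_A = parse_cli(node_cfg("10.0.13.21", "10.0.23.22"))               # FGT-A-AD1 (priority unset)
FGT_B = parse_cli(node_cfg("10.0.23.22", "10.0.13.21", priority=64))  # FGT-B-AD2

if __name__ == "__main__":
    print(check_ha_pair(FGT_A, FGT_B) or "HA pair consistent")
```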
