Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and to the network, as shown in the network diagram at the start of this example.

Because making these connections disrupts traffic, make them when network traffic is low. If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

This example uses two FortiGate-600Ds and the default heartbeat interfaces (port3 and port4). You can use any interfaces as HA heartbeat interfaces. A best practice is to use interfaces that don't process traffic, but this is not a requirement.

If you set up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V), you must enable promiscuous mode and allow MAC address changes for heartbeat communication to work. Because the HA heartbeat interfaces must be on the same broadcast domain, HA between remote data centers (distributed clustering) requires that you support layer 2 extensions between the remote data centers, using technology such as MPLS or VXLAN.

You must use switches between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good-quality switches to make these connections. You can also use one switch for all these connections, as long as you configure the switch to separate traffic from different networks.
