Doc ID 4d801240-7ccc-11e9-81a4-00505692583a:614179

Configuring the primary FortiGate

  1. On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

    You can also enter this CLI command:

    config system global
        set hostname External-Primary
    end

  2. Register and apply licenses to the primary FortiGate before configuring it for HA operation. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

    All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they're synchronized with all cluster members.

    Note

    If the FortiGates in the cluster will run FortiOS Carrier, apply the FortiOS Carrier license before you apply other licenses and before you configure the cluster. When you apply the FortiOS Carrier license, the FortiGate resets its configuration to factory defaults, requiring you to repeat steps performed before applying the license.

  3. You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized with the backup FortiGate(s).
  4. Enter these CLI commands to set the HA mode to active-passive, set a group id, group name and password, set a higher device priority (for example, 250), and enable override.

    config system ha
        set mode a-p
        set group-id 25
        set group-name External-HA-Cluster
        set password <password>
        set priority 250
        set override enable
        set hbdev port3 200 port4 100
    end

    Enabling override and increasing the device priority sets this FortiGate to always be the primary unit. With override enabled, the cluster renegotiates whenever this unit rejoins (for example, after a reboot or a heartbeat link outage), so the primary role fails back to it and traffic is briefly interrupted a second time; without override, whichever unit is already primary keeps the role. The group name and password must be identical on every unit that joins the cluster, so choose a strong password: it is what gates cluster membership.

    If you have more than one cluster on the same network, set a different group id for each cluster. Changing the group id changes the cluster interface virtual MAC addresses. If your group id causes a MAC address conflict on your network, you can select a different group id.

    This command also selects port3 and port4 to be the heartbeat interfaces and sets their priorities to 200 and 100. Although not required, a best practice is to set different priorities for the heartbeat interfaces. Heartbeat traffic carries cluster state and configuration synchronization, so connect the heartbeat interfaces directly to each other or through an isolated switch or VLAN rather than over a shared network segment.

    You can configure most of these settings using the GUI in System > HA. You must configure the group-id and override using the CLI.

    When you enable HA, each FortiGate negotiates to establish an HA cluster. You might temporarily lose connectivity during FGCP negotiation and the MAC addresses of the FortiGate interfaces change to HA virtual MAC addresses.

    Note

    If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.

    To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to arp -d.

    The FGCP uses virtual MAC addresses for failover. The virtual MAC address assigned to each FortiGate interface depends on the HA group ID. A group ID of 100 sets FortiGate interfaces to the following MAC addresses: 00:09:0f:09:64:00, 00:09:0f:09:64:01, 00:09:0f:09:64:02 and so on. For details, see Cluster virtual MAC addresses.

    You can verify that the FGCP has set the virtual MAC addresses by viewing the configuration of each FortiGate interface from the GUI (in Network > Interfaces) or by entering the following CLI command:

    get hardware nic port3
    ...
    Current_HWaddr 00:09:0f:09:64:01
    Permanent_HWaddr 70:4c:a5:98:11:54
    ...

    You can also use the diagnose hardware deviceinfo nic port3 command to display this information.

    The output shows the current hardware (MAC) address (the virtual MAC set by the FGCP) and the permanent hardware (MAC) address for the interface. The sample output above comes from a cluster with group ID 100 (the 64 byte is 100 in hex); the cluster configured in step 4 uses group ID 25, so its interfaces show 00:09:0f:09:19:00, 00:09:0f:09:19:01, and so on. If Current_HWaddr still equals Permanent_HWaddr, the FGCP has not taken over the interface and the cluster has not formed.
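As an added example (it is not code from the Fortinet page or from FortiOS), the following Python works out the virtual MAC addresses a given HA group ID produces, checks them against MAC addresses already seen on the network segment (the group ID conflict check from step 4), and verifies that get hardware nic output shows the virtual MAC of the expected group rather than the permanent address. It assumes the 00:09:0f:09:<group id>:<interface index> layout the page describes for interface virtual MACs; the switch MAC table and NIC output embedded in it are constructed sample data, not captured from a device.

```python
"""Added example, not part of the Fortinet page: derive FGCP virtual MACs for a
HA group ID, check them for collisions with MACs already on the segment, and
verify 'get hardware nic <port>' output against the expected group ID.

Assumption (taken from the page): interface virtual MACs are laid out as
00:09:0f:09:<group id as one hex byte>:<interface index as one hex byte>.
"""
import re

FGCP_MAC_PREFIX = "00:09:0f:09"  # fixed leading four bytes of every FGCP virtual MAC


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so MACs from different tools compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def fgcp_virtual_mac(group_id: int, iface_index: int) -> str:
    """Virtual MAC for interface number iface_index in HA group group_id."""
    if not (0 <= group_id <= 255 and 0 <= iface_index <= 255):
        raise ValueError("group id and interface index must each fit in one byte")
    return f"{FGCP_MAC_PREFIX}:{group_id:02x}:{iface_index:02x}"


def fgcp_group_id_of(mac: str):
    """Group ID encoded in an FGCP virtual MAC, or None if mac is not one."""
    mac = normalize_mac(mac)
    if not mac.startswith(FGCP_MAC_PREFIX + ":"):
        return None
    return int(mac.split(":")[4], 16)


def find_conflicts(group_id: int, iface_count: int, observed_macs) -> list:
    """Virtual MACs of this group that already exist among observed_macs."""
    seen = {normalize_mac(m) for m in observed_macs}
    candidates = [fgcp_virtual_mac(group_id, i) for i in range(iface_count)]
    return [mac for mac in candidates if mac in seen]


def first_free_group_id(candidates, iface_count: int, observed_macs):
    """First candidate group ID whose virtual MACs collide with nothing observed."""
    for gid in candidates:
        if not find_conflicts(gid, iface_count, observed_macs):
            return gid
    return None


_HWADDR_RE = re.compile(r"^(Current|Permanent)_HWaddr\s+(\S+)", re.MULTILINE)


def parse_hwaddr(nic_output: str) -> dict:
    """Pull Current_HWaddr and Permanent_HWaddr out of 'get hardware nic' output."""
    return {m.group(1).lower(): normalize_mac(m.group(2))
            for m in _HWADDR_RE.finditer(nic_output)}


def port_runs_fgcp_group(nic_output: str, expected_group_id: int) -> bool:
    """True if the port's current MAC is the FGCP virtual MAC of expected_group_id."""
    addrs = parse_hwaddr(nic_output)
    current, permanent = addrs.get("current"), addrs.get("permanent")
    if current is None or permanent is None or current == permanent:
        return False  # no virtual MAC applied: HA has not taken over this port
    return fgcp_group_id_of(current) == expected_group_id


# Constructed sample output mirroring the page's group ID 100 example.
SAMPLE_NIC_OUTPUT = """\
...
Current_HWaddr 00:09:0f:09:64:01
Permanent_HWaddr 70:4c:a5:98:11:54
...
"""

# Constructed MAC table from a hypothetical switch on the same segment; it
# already carries the virtual MACs of another cluster that uses group ID 25.
SAMPLE_SWITCH_MACS = [
    "70:4C:A5:98:11:54",
    "00:09:0f:09:19:00",  # existing cluster, group ID 25, interface 0
    "00:09:0f:09:19:01",  # existing cluster, group ID 25, interface 1
    "3c:fd:fe:12:34:56",
]

if __name__ == "__main__":
    print("group 25 conflicts:", find_conflicts(25, 4, SAMPLE_SWITCH_MACS))
    print("first free group id:", first_free_group_id(range(25, 30), 4, SAMPLE_SWITCH_MACS))
    print("port3 carries group 100:", port_runs_fgcp_group(SAMPLE_NIC_OUTPUT, 100))
```

Feed find_conflicts a MAC table dumped from the switches on the segment before you commit a group ID, and run port_runs_fgcp_group over the get hardware nic output of each cluster interface after negotiation; a port whose current MAC still equals its permanent MAC is one the FGCP has not taken over.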
