Configuring the primary FortiGate
- On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.
You can also enter this CLI command:
config system global
set hostname External-Primary
end
- Register and apply licenses to the primary FortiGate before configuring it for HA operation. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they're synchronized with all cluster members.
If the FortiGates in the cluster will run FortiOS Carrier, apply the FortiOS Carrier license before you apply other licenses and before you configure the cluster. When you apply the FortiOS Carrier license, the FortiGate resets its configuration to factory defaults, requiring you to repeat steps performed before applying the license.
- You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized with the backup FortiGate(s).
- Enter these CLI commands to set the HA mode to active-passive, set a group id, group name and password, set a higher device priority (for example, 250), and enable override.
config system ha
set mode a-p
set group-id 25
set group-name External-HA-Cluster
set password <password>
set priority 250
set override enable
set hbdev port3 200 port4 100
end
Enabling override and increasing the device priority sets this FortiGate to always be the primary unit.
If you have more than one cluster on the same network, set a different group id for each cluster. Changing the group id changes the cluster interface virtual MAC addresses. If your group id causes a MAC address conflict on your network, you can select a different group id.
This command also selects port3 and port4 to be the heartbeat interfaces and sets their priorities to 200 and 100 respectively. Although not required, a best practice is to set different priorities for the heartbeat interfaces.
You can configure most of these settings using the GUI in System > HA. You must configure the group-id and override using the CLI.
When you enable HA, each FortiGate negotiates to establish an HA cluster. You might temporarily lose connectivity during FGCP negotiation because the MAC addresses of the FortiGate interfaces change to HA virtual MAC addresses.
If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.
To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to
The FGCP uses virtual MAC addresses for failover. The virtual MAC address assigned to each FortiGate interface depends on the HA group ID. A group ID of 100 sets FortiGate interfaces to the following MAC addresses: 00:09:0f:09:64:00, 00:09:0f:09:64:01, 00:09:0f:09:64:02 and so on. For details, see Cluster virtual MAC addresses.
You can verify that the FGCP has set the virtual MAC addresses by viewing the configuration of each FortiGate interface from the GUI (in Network > Interfaces) or by entering the following CLI command:
get hardware nic port3
You can also use the diagnose hardware deviceinfo nic port3 command to display this information.
The output shows the current hardware (MAC) address (the virtual MAC set by the FGCP) and the permanent hardware (MAC) address for the interface.
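As an added example, not Fortinet's code and not part of the original page, the following Python computes the virtual MAC the FGCP should assign from a group ID and interface index, generalising the group ID 100 example above, and checks get hardware nic output against the configured group-id of 25 to tell an interface on its virtual MAC from one still on its permanent MAC. It assumes the single-cluster layout the example implies (group ID in the fifth octet, interface index in the last octet; the Cluster virtual MAC addresses topic has the full rule) and the field names Current_HWaddr and Permanent_HWaddr, which vary by platform and driver; the sample output is constructed.

```python
import re

# Virtual MAC layout implied by the page's example (group ID 100 -> 00:09:0f:09:64:00, :01, :02 ...):
# fixed 00:09:0f:09 prefix, group ID as the fifth octet, interface index as the last octet.
# ASSUMPTION: single (non-virtual) cluster; see "Cluster virtual MAC addresses" for the full rule.
FGCP_OUI_PREFIX = "00:09:0f:09"

def fgcp_virtual_mac(group_id: int, if_index: int) -> str:
    """Return the FGCP virtual MAC expected for one interface of a cluster."""
    if not (0 <= group_id <= 255 and 0 <= if_index <= 255):
        raise ValueError("group-id and interface index must each fit in one octet")
    return f"{FGCP_OUI_PREFIX}:{group_id:02x}:{if_index:02x}"

# Field names in 'get hardware nic' output vary by platform/driver; these are assumed.
_MAC_LINE = re.compile(
    r"(?P<key>permanent_hwaddr|current_hwaddr|hwaddr)\s*:?\s*"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_nic_output(text: str):
    """Pull (current, permanent) MAC addresses out of 'get hardware nic <port>' output."""
    current = permanent = None
    for m in _MAC_LINE.finditer(text):
        mac = m.group("mac").lower()
        if m.group("key").lower().startswith("permanent"):
            permanent = mac
        else:
            current = mac
    return current, permanent

def check_ha_mac(text: str, group_id: int) -> str:
    """Classify the interface: on the virtual MAC for this group-id, still on its permanent MAC, or neither."""
    current, permanent = parse_nic_output(text)
    if current is None or permanent is None:
        return "unknown: current or permanent MAC not found in output"
    if current == permanent:
        return "ha-inactive: interface still uses its permanent MAC (FGCP has not taken over)"
    if current.startswith(f"{FGCP_OUI_PREFIX}:{group_id:02x}:"):
        return f"ok: virtual MAC for group-id {group_id}"
    return f"mismatch: {current} is not a virtual MAC for group-id {group_id}"

# Constructed sample output for port3 on a cluster with group-id 25 (0x19); not a real capture.
SAMPLE_NIC_OUTPUT = """\
Name:            port3
Driver:          ixgbe
Current_HWaddr   00:09:0f:09:19:02
Permanent_HWaddr 00:0c:29:3a:5b:7c
"""
```

Run check_ha_mac against each cluster member's output after negotiation: an "ha-inactive" result points at an interface the FGCP has not reassigned yet (for example one still on DHCP or PPPoE), and a "mismatch" points at a group-id that differs from the one configured.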