FGCP Virtual Clustering with four FortiGates (expert)

This example describes how to set up a FortiGate Clustering Protocol (FGCP) virtual clustering configuration with two FortiGates to provide redundancy and failover protection for two networks. The FortiGate configuration includes two VDOMs. The root VDOM handles internal network traffic and the engineering VDOM handles engineering network traffic. This example shows a simple two-VDOM configuration. The same principles apply to a virtual cluster with more VDOMs.

In this virtual cluster configuration, the primary FortiGate processes all internal network traffic and the backup FortiGate processes all engineering network traffic. Virtual clustering enables override and uses device priorities to distribute traffic between the primary and backup FortiGates. For details, see Configuring virtual clustering.

This example uses four FortiGate-51Es. FortiGate-51Es have a 5-port switch LAN interface. Before configuring HA, the LAN interface was converted to five separate interfaces (lan1 to lan5).

The third FortiGate (this example names it Backup-2) acts as a backup to the primary FortiGate. If the primary FortiGate fails, all primary FortiGate network traffic transfers to the Backup-2 FortiGate as it becomes the new primary FortiGate.

The fourth FortiGate (Backup-3) acts as a backup to the backup FortiGate. If the backup FortiGate fails, all backup FortiGate network traffic transfers to the Backup-3 FortiGate as it becomes the new backup FortiGate.

Caution

Before adding the management VDOM to virtual cluster 2, ensure you have added all the backup FortiGates and they have joined the cluster; otherwise the configuration of the primary FortiGate might be overwritten by the backup FortiGate.

Before you start, ensure the FortiGates are running the same FortiOS firmware version and their interfaces are not configured to get addresses from DHCP or PPPoE.

Note

The FGCP does not support using a switch interface for the HA heartbeat. As an alternative to using the lan4 and lan5 interfaces as described in this example, you can use the wan1 and wan2 interfaces for the HA heartbeat.

For an example of how to configure virtual clustering by converting a FortiGate with VDOMs to HA mode and then adding another FortiGate to form a cluster, see High availability with FGCP (expert).
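The prerequisites above (same firmware on every unit, no DHCP or PPPoE interfaces) and the heartbeat restriction in the Note can be checked from saved configuration backups before any unit joins the cluster. The following is an added example, not Fortinet's code. It assumes a `#config-version=` header line in each backup and treats `type` values `switch` and `hard-switch` as switch interfaces; the function names and sample backups are constructed for illustration.

```python
import re

# Constructed sample backups (trimmed; header and values are illustrative).
GOOD = '''#config-version=FGT51E-6.0.0-FW-build0000-000000:opmode=0:vdom=1
config system interface
    edit "wan1"
        set mode static
    next
    edit "lan4"
        set type physical
    next
    edit "lan5"
        set type physical
    next
end
'''
BAD = GOOD.replace("6.0.0", "6.0.1").replace("mode static", "mode dhcp")
BAD = "hard-switch".join(BAD.rsplit("physical", 1))  # lan5 becomes a switch

def firmware(cfg):
    """Return the model-version-build string from the backup's header line."""
    m = re.search(r"^#config-version=([^:\s]+)", cfg, re.M)
    return m.group(1) if m else None

def interfaces(cfg):
    """Parse 'config system interface' into {name: {setting: value}}."""
    sect = re.search(r"^config system interface\n(.*?)^end", cfg, re.M | re.S)
    body = sect.group(1) if sect else ""
    edits = re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', body, re.M | re.S)
    return {n: dict(re.findall(r"^\s*set (\S+) (.+)$", b, re.M)) for n, b in edits}

def preflight(units, hbdev=("lan4", "lan5")):
    """Check the prerequisites the page lists; return a list of findings."""
    findings = []
    versions = {name: firmware(cfg) for name, cfg in units.items()}
    if len(set(versions.values())) > 1:
        findings.append(f"firmware mismatch: {versions}")
    for name, cfg in units.items():
        ifs = interfaces(cfg)
        for ifname, s in ifs.items():
            if s.get("mode") in ("dhcp", "pppoe"):
                findings.append(f"{name}: {ifname} uses {s['mode']}")
        for hb in hbdev:
            if hb not in ifs or ifs[hb].get("type") in ("switch", "hard-switch"):
                findings.append(f"{name}: {hb} unusable for heartbeat")
    return findings
```

An empty list from `preflight` means all units passed the three checks; pass `hbdev=("wan1", "wan2")` when using the alternative heartbeat interfaces.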
