Configuring clustering

  1. On the primary FortiGate, enter the following CLI command to set the HA mode to active-passive, set a group-id, group name and password, increase the device priority to 200, enable override, and configure the heartbeat interfaces (lan4 and lan5 in this example).

    config system ha
        set mode a-p
        set group-id 88
        set group-name My-vcluster
        set password <password>
        set priority 200
        set override enable
        set hbdev lan4 200 lan5 100
    end

    Enabling override and increasing the device priority sets this FortiGate to always be the primary unit.

    If you have more than one cluster on the same network, set a different group id for each cluster. Changing the group id changes the cluster interface virtual MAC addresses. If your group id causes a MAC address conflict on your network, you can select a different group id.

    You can configure most of these settings using the GUI in Global > System > HA. You must configure the group-id and override using the CLI.

  2. On the backup FortiGate, duplicate the primary FortiGate HA mode, group-id, group-name, password, override, and heartbeat device settings. Set the device priority to 50.

    config system ha
        set mode a-p
        set group-id 88
        set group-name My-vcluster
        set password <password>
        set priority 50
        set override enable
        set hbdev lan4 200 lan5 100
    end

    When you enable HA, the FortiGates negotiate with each other to establish an HA cluster. You might temporarily lose connectivity during FGCP negotiation, and the MAC addresses of the FortiGate interfaces change to HA virtual MAC addresses.

    Note

    If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.

    To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to arp -d.

    The FGCP uses virtual MAC addresses for failover. The virtual MAC address assigned to each FortiGate interface depends on the HA group ID. A group ID of 88 sets FortiGate interfaces to the following MAC addresses: 00:09:0f:09:58:00, 00:09:0f:09:58:01, 00:09:0f:09:58:02 and so on. For details, see Cluster virtual MAC addresses.

    You can verify that the FGCP has set the virtual MAC addresses by viewing the configuration of each FortiGate interface from the GUI (in Network > Interfaces) or by entering the following CLI command (shown below for lan2 on a FortiGate-51E):

    get hardware nic lan2
    ...
    Current_HWaddr 00:09:0f:09:58:01
    Permanent_HWaddr 70:4c:a5:98:11:54
    ...

    You can also use the diagnose hardware deviceinfo nic lan2 command to display this information.

    The output shows the current hardware (MAC) address (the virtual MAC set by the FGCP) and the permanent hardware (MAC) address for the interface.
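    As an added example (not part of this cookbook page or FortiOS itself), the following Python script derives the virtual MAC that the FGCP should assign for a given group ID and interface index, following the pattern shown above (group ID 88 = 0x58 gives 00:09:0f:09:58:00, :01, :02, ...), and checks the `get hardware nic` output for an interface against it, so you can tell a unit that never negotiated HA (burned-in MAC still in use) apart from one that joined a cluster with the wrong group ID. The fixed prefix, the placement of the group ID in the fifth octet and the interface index in the sixth octet are assumptions drawn from the page's example for virtual cluster 1.

```python
import re

# Fixed prefix seen in the page's example virtual MACs (assumption: applies to all interfaces)
VMAC_PREFIX = "00:09:0f:09"


def virtual_mac(group_id: int, if_index: int) -> str:
    """Expected FGCP virtual MAC for a cluster interface.

    Pattern from the page: group ID 88 (0x58) -> 00:09:0f:09:58:00, :01, :02 ...
    Assumption: fifth octet is the group ID, sixth octet is the interface index.
    """
    if not 0 <= group_id <= 255 or not 0 <= if_index <= 255:
        raise ValueError("group ID and interface index must each fit in one octet")
    return f"{VMAC_PREFIX}:{group_id:02x}:{if_index:02x}"


def parse_nic_output(text: str) -> dict:
    """Pull Current_HWaddr and Permanent_HWaddr out of 'get hardware nic' output."""
    found = {}
    for key in ("Current_HWaddr", "Permanent_HWaddr"):
        m = re.search(rf"^\s*{key}\s+([0-9a-fA-F:]{{17}})\s*$", text, re.M)
        if m:
            found[key] = m.group(1).lower()
    return found


def check_interface(text: str, group_id: int, if_index: int) -> str:
    """Classify an interface from its 'get hardware nic' output."""
    macs = parse_nic_output(text)
    cur, perm = macs.get("Current_HWaddr"), macs.get("Permanent_HWaddr")
    if cur is None or perm is None:
        return "unparsed"
    if cur == perm:
        return "standalone"      # burned-in MAC still active: FGCP has not taken over
    if cur == virtual_mac(group_id, if_index):
        return "ha-ok"           # virtual MAC matches this cluster's group ID
    if cur.startswith(VMAC_PREFIX):
        return "ha-wrong-group"  # an FGCP virtual MAC, but from a different group ID
    return "unexpected"


# Constructed sample, modelled on the page's lan2 output for group ID 88
SAMPLE = """\
get hardware nic lan2
...
Current_HWaddr 00:09:0f:09:58:01
Permanent_HWaddr 70:4c:a5:98:11:54
...
"""

if __name__ == "__main__":
    print(check_interface(SAMPLE, 88, 1))  # ha-ok
```

Run it against the output of each cluster member's interfaces; a "standalone" result on a unit you expect to be clustered is the symptom the Note above attributes to DHCP or PPPoE addressing on an interface.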
