
Handbook

Configuration

6.0.0

Configuration

Configuring virtual clustering is the same as configuring standard FGCP HA with the addition of VDOM partitioning. Using VDOM partitioning you can control the distribution of VDOMs, and the traffic they process, between the FortiGates in the cluster.

VDOM partitioning can be thought of in two parts. First, you configure the distribution of VDOMs between two virtual clusters. By default, all VDOMs are in virtual cluster 1 and virtual cluster 1 is associated with the primary FortiGate. In this configuration, the primary FortiGate processes all traffic. If you want traffic to be processed by the backup FortiGate, you need to enable virtual cluster 2, move some of the VDOMs to it, and associate virtual cluster 2 with the backup FortiGate.

Note: Since there are only two virtual clusters, even in a virtual clustering configuration of three or four FortiGates only two of the FortiGates process traffic. The third and fourth FortiGates operate in standby mode and process traffic after a failover.

By default, all VDOMs are in virtual cluster 1 and the primary FortiGate processes all traffic.

Second, you associate a virtual cluster with a FortiGate using priorities. The FortiGate with the highest device priority is associated with virtual cluster 1. To associate a FortiGate with virtual cluster 2 you must enable virtual cluster 2 and set the virtual cluster 2 device priority. The FortiGate with the highest virtual cluster 2 device priority processes traffic for the VDOMs added to virtual cluster 2. (Reminder: device priorities are not synchronized, so each FortiGate must be configured individually.)

If both FortiGates have the same device priority, virtual cluster 1 is associated with the primary FortiGate. If both FortiGates have the same virtual cluster 2 device priority, virtual cluster 2 is associated with the primary FortiGate.

Note: The root VDOM can only be associated with virtual cluster 1. The VDOM that is assigned as the management VDOM can also only be associated with virtual cluster 1.

Virtual clustering and the override setting

Enabling virtual cluster 2 also turns on the HA override setting. Enabling override is required for virtual clustering to function as configured. With override enabled, the cluster negotiates every time a failure occurs; without it, the cluster does not negotiate after every failure. While more frequent negotiation may cause more minor traffic disruptions, with virtual clustering it's more important to negotiate after any failure to make sure the correct traffic flows are maintained.

Example virtual clustering configuration

For example, consider a configuration that includes four VDOMs: root, Engineering, Marketing, and Finance. You can use the following configuration to send root and Engineering traffic to the primary FortiGate and Marketing and Finance traffic to the backup FortiGate.

First, on the primary FortiGate:

  • Set the device priority to 200
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 50
  • Add the Marketing and Finance VDOMs to virtual cluster 2 (secondary-vcluster)

    Note: When you enable multiple VDOMs, virtual cluster 2 is enabled by default. Even so, the command to enable virtual cluster 2 is included in this example in case it has been disabled for some reason. Enabling virtual cluster 2 also enables override.

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 200
            set vcluster2 enable
            config secondary-vcluster
                set vdom Marketing Finance
                set priority 50
            end
        end
    end

Then on the backup FortiGate:

  • Set the device priority to 50 (lower than the primary FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 200 (higher than the primary FortiGate)

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 50
            set vcluster2 enable
            config secondary-vcluster
                set priority 200
            end
        end
    end

    Note: Since the primary FortiGate has the highest device priority, the primary unit processes all traffic for the VDOMs in virtual cluster 1. Since the backup FortiGate has the highest virtual cluster 2 device priority, the backup FortiGate processes all traffic for the VDOMs in virtual cluster 2. The primary FortiGate configuration adds the VDOMs to virtual cluster 2. All you have to configure on the backup FortiGate for virtual cluster 2 is the virtual cluster 2 (or secondary-vcluster) device priority.

Adding a third FortiGate to the virtual cluster

You can add a third FortiGate to the virtual cluster and configure it so that, if the primary FortiGate fails, the third FortiGate becomes the new primary FortiGate, or, if the backup FortiGate fails, the third FortiGate becomes the new backup FortiGate.

On the third FortiGate:

  • Set the device priority to 150 (lower than the primary FortiGate but higher than the backup FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 100 (higher than the primary FortiGate but lower than the backup FortiGate)

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 150
            set vcluster2 enable
            config secondary-vcluster
                set priority 100
            end
        end
    end

Adding a fourth FortiGate to the virtual cluster

You can add a fourth FortiGate to the virtual cluster and configure it so that:

  • If the primary FortiGate fails, the third FortiGate becomes the new primary FortiGate and the backup FortiGate continues to operate as the backup FortiGate.
  • If the backup FortiGate fails, the fourth FortiGate becomes the new backup FortiGate.
  • If both the primary and backup FortiGates fail, the third FortiGate becomes the primary FortiGate and the fourth FortiGate becomes the backup FortiGate.

On the fourth FortiGate:

  • Set the device priority to 100 (lower than the primary and third FortiGate but higher than the backup FortiGate)
  • Enable virtual cluster 2 (vcluster2)
  • Set the virtual cluster 2 device priority (secondary-vcluster) to 150 (higher than the primary FortiGate and the third FortiGate but lower than the backup FortiGate)

    config global
        config system ha
            set mode a-p
            set group-name mygroup
            set password <password>
            set priority 100
            set vcluster2 enable
            config secondary-vcluster
                set priority 150
            end
        end
    end
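The following is an added example (not FortiOS code or part of the original page) that models the ownership rule stated above: the surviving FortiGate with the highest device priority owns virtual cluster 1, the one with the highest virtual cluster 2 device priority owns virtual cluster 2, and a tie goes to the primary. It applies that rule to the four-FortiGate priorities from the CLI examples to check the failover outcomes described for the three- and four-FortiGate cases, and checks a proposed secondary-vcluster VDOM list against the root/management VDOM constraint. Real FGCP negotiation weighs other factors as well; only the rule as this page states it is modelled, and the tie-break between equal device priorities (earlier-listed unit wins) is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    priority: int            # "set priority" under config system ha
    vcluster2_priority: int  # "set priority" under config secondary-vcluster


# Constructed from the CLI examples on this page.
PAGE_EXAMPLE = [
    Member("Primary", 200, 50),
    Member("Backup", 50, 200),
    Member("Third", 150, 100),
    Member("Fourth", 100, 150),
]


def assign(members, failed=frozenset()):
    """Return which surviving member owns each virtual cluster."""
    alive = [m for m in members if m.name not in failed]
    if not alive:
        raise ValueError("no surviving cluster members")
    # Virtual cluster 1: highest device priority. Assumption: if device
    # priorities tie, the earlier-listed unit wins (the page defines no rule).
    primary = max(alive, key=lambda m: (m.priority, -alive.index(m)))
    # Virtual cluster 2: highest vcluster2 priority; a tie goes to the primary,
    # which is the rule the page states.
    vc2_owner = max(
        alive,
        key=lambda m: (m.vcluster2_priority, m is primary, -alive.index(m)),
    )
    return {"vcluster1": primary.name, "vcluster2": vc2_owner.name}


def invalid_vcluster2_vdoms(vcluster2_vdoms, management_vdom="root"):
    """Return VDOMs that may not be moved to virtual cluster 2 (root and the
    management VDOM). An empty list means the partition is acceptable."""
    forbidden = {"root", management_vdom}
    return sorted(forbidden & set(vcluster2_vdoms))


if __name__ == "__main__":
    for down in ([], ["Primary"], ["Backup"], ["Primary", "Backup"]):
        print(f"failed={down or 'none'}: {assign(PAGE_EXAMPLE, set(down))}")
    print("bad VDOMs:", invalid_vcluster2_vdoms(["root", "Marketing", "Finance"]))
```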

Virtual clustering with four FortiGates recommended configuration

The following table summarizes a recommended device priority configuration for a virtual cluster consisting of four FortiGates, as described in the previous sections. Other configurations are also supported depending on how you want the virtual cluster to respond to a failure.

    FortiGate   Device Priority   Virtual Cluster 2 Device Priority
    Primary     200               50
    Backup      50                100
    Third       150               200
    Fourth      100               150

Virtual clustering GUI configuration

From the GUI, you configure virtual clustering from the Global menu by going to System > HA, setting Mode to Active-Passive, and enabling VDOM Partitioning.

Example primary FortiGate virtual clustering configuration
