Adding a third FortiGate to an FGCP cluster (expert)

This use case describes how to add a third FortiGate to an already established FGCP cluster (the cluster from High Availability with FGCP (expert)) and configure active-active HA.

You prepare the new FortiGate by:

  1. Setting it to factory defaults to wipe any configuration changes.
  2. Licensing it (if required).
  3. Enabling HA without changing the device priority and without enabling override.
  4. Connecting it to the FGCP cluster already on the network.

The new FortiGate becomes a second backup FortiGate; its configuration is synchronized to match the configuration of the cluster.

Before you start, the new FortiGate should be running the same FortiOS firmware version as the cluster and its interfaces should not be configured to get addresses from DHCP or PPPoE.

After the third FortiGate joins the cluster, this recipe also describes how to switch the cluster to operate in active-active (or a-a) mode. Active-active HA enables proxy-based NGFW/UTM load-balancing to allow the three FortiGates to share proxy-based NGFW/UTM processing. If the cluster handles a large amount of NGFW/UTM traffic, active-active HA with three FortiGates may enhance performance.

This use case features three FortiGate-51Es. These FortiGate models include a 5-port switch lan interface. Before configuring HA, the lan interface was converted to five separate interfaces (lan1 to lan5). The lan1 interface connects to the internal network and the wan1 interface connects to the Internet. The lan4 and lan5 interfaces become the HA heartbeat interfaces.

Note

The FGCP does not support using a switch interface for the HA heartbeat. As an alternative to using the lan4 and lan5 interfaces as described in this recipe, you can use the wan1 and wan2 interfaces for the HA heartbeat.
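The preparation rules above (HA enabled, device priority and override left alone, no DHCP or PPPoE interfaces, no heartbeat on a switch interface) can be checked against a saved configuration before the unit is cabled in. The following is an added example, not Fortinet's code; it assumes `show`-style text in which default settings are omitted, a default device priority of 128, override disabled by default, and a switch interface named `lan` as on the FortiGate-51E described here.

```python
import re

DEFAULT_PRIORITY = 128  # FortiOS default HA device priority

# Constructed sample in `show` style (non-default settings only); not from the page.
SAMPLE = '''config system interface
    edit "wan1"
        set mode dhcp
    next
    edit "lan1"
        set ip 192.168.1.99 255.255.255.0
    next
end
config system ha
    set group-name "example-cluster"
    set mode a-p
    set hbdev "lan4" 50 "lan5" 50
    set override enable
end
'''

def section(cfg, name):
    """Body of a top-level 'config <name>' block ('end' at column 0), or ''."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end$", cfg, re.S | re.M)
    return m.group(1) if m else ""

def settings(body):
    """Map each 'set <key> <value>' line to key -> value string."""
    return {k: v.strip() for k, v in re.findall(r"^\s*set (\S+) (.*)$", body, re.M)}

def prejoin_findings(cfg, switch_ifaces=("lan",)):
    """List reasons this unit is not ready to join the cluster."""
    out, ha = [], settings(section(cfg, "system ha"))
    if ha.get("mode", "standalone") == "standalone":
        out.append("HA is not enabled")
    if int(ha.get("priority", DEFAULT_PRIORITY)) != DEFAULT_PRIORITY:
        out.append("device priority changed from default")
    if ha.get("override", "disable") == "enable":  # assumed default: disable
        out.append("override is enabled")
    hbdev = re.findall(r'"([^"]+)"', ha.get("hbdev", ""))
    if not hbdev:
        out.append("no heartbeat interface set")
    out += [f"heartbeat on switch interface {n}" for n in hbdev if n in switch_ifaces]
    ifaces = section(cfg, "system interface")
    for name, body in re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', ifaces, re.S | re.M):
        mode = settings(body).get("mode", "static")
        if mode in ("dhcp", "pppoe"):
            out.append(f"interface {name} gets its address from {mode}")
    return out

if __name__ == "__main__":
    print("\n".join(prejoin_findings(SAMPLE)) or "ready to join")
```

An empty result means the saved configuration meets the preparation rules listed in this recipe; firmware version and licensing still have to be confirmed on the unit itself.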
