Configuring the FortiGate for HA

  1. Change the Host name to identify this FortiGate as the primary FortiGate. From the System Information dashboard widget, select Configure settings in System > Settings.

    You can also enter this CLI command:

    config system global
        set hostname Primary
    end

  2. Register and apply licenses to the primary FortiGate before configuring it for HA operation.

  3. Enter this CLI command to set the HA mode to active-passive; set a group ID, group name and password; increase the device priority to a higher value (for example, 250); and enable override.

    config system ha
        set mode a-p
        set group-id 100
        set group-name My-cluster
        set password <password>
        set priority 250
        set override enable
        set hbdev lan4 200 lan5 100
    end

    Enabling override and increasing the device priority means this FortiGate always becomes the primary unit.

    This configuration also selects lan4 and lan5 to be the heartbeat interfaces and sets their priorities to 200 and 100 respectively. It's a best practice to set different priorities for the heartbeat interfaces (but not a requirement).

    If you have more than one cluster on the same network, each cluster should have a different group ID. Changing the group ID changes the cluster interface virtual MAC addresses. If your group ID causes a MAC address conflict on your network, you can select a different group ID.

    Override and the group ID can only be configured from the CLI.

    config system ha
        set group-id 100
        set override enable
    end

  4. You can also configure most of these settings from the GUI (go to System > HA).

    After you enter the CLI command or make changes from the GUI, the FortiGate negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate as FGCP negotiation takes place and the MAC addresses of the FortiGate interfaces are changed to HA virtual MAC addresses.

    Note: If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.

    To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to arp -d.
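The settings from steps 3 and 4 can be checked offline against a saved configuration file. The following is an added example, not Fortinet code: it assumes a plain-text configuration backup, the function names `section`, `settings` and `audit_ha` are hypothetical, and the sample input is constructed.

```python
import re

# Constructed sample of a configuration backup excerpt (not taken from the page).
SAMPLE = """\
config system interface
    edit "wan1"
        set mode dhcp
    next
end
config system ha
    set mode a-p
    set password ENC constructed-placeholder
    set hbdev "lan4" 200 "lan5" 200
    set override enable
end
"""

def section(text, name):
    """Return the lines inside a top-level 'config <name>' ... 'end' block."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end$", text, re.S | re.M)
    return m.group(1).splitlines() if m else []

def settings(lines):
    """Map 'set <key> <values...>' lines to {key: [values]}, quotes stripped."""
    out = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "set":
            out[parts[1]] = [p.strip('"') for p in parts[2:]]
    return out

def audit_ha(text):
    """List deviations from the HA setup described in the steps above."""
    ha, findings = settings(section(text, "system ha")), []
    for key, want in (("mode", "a-p"), ("override", "enable")):
        if ha.get(key) != [want]:
            findings.append(f"{key} is not {want}")
    if "password" not in ha:
        findings.append("no HA password set")
    prios = ha.get("hbdev", [])[1::2]  # hbdev is <interface> <priority> pairs
    if len(set(prios)) < len(prios):
        findings.append("heartbeat interfaces share a priority")
    iface = None
    for line in section(text, "system interface"):
        parts = line.split()
        if parts[:1] == ["edit"] and len(parts) > 1:
            iface = parts[1].strip('"')
        elif parts[:2] == ["set", "mode"] and parts[2:3] in (["dhcp"], ["pppoe"]):
            findings.append(f"{iface} uses {parts[2]} addressing")  # blocks HA mode
    return findings
```

Running `audit_ha(SAMPLE)` reports the shared heartbeat priority and the DHCP-addressed interface; the configuration shown in step 3 produces no findings.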
