VMware HA
If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster, the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. All synchronization activity takes place over the HA heartbeat link using TCP/703 and UDP/703 packets. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.
To enable promiscuous mode in VMware:
- In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
- In Hardware, select Networking.
- Select Properties of a virtual switch used to connect heartbeat interfaces.
- In the Properties window left pane, select vSwitch and then select Edit.
- Select the Security tab, set Promiscuous Mode to Accept, then select OK.
- Select Close.
You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces, so the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.
To make the required changes in VMware:
- In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
- In Hardware, select Networking.
- Select Properties of a virtual switch used to connect FortiGate VM interfaces.
- Set MAC Address Changes to Accept.
- Set Forged Transmits to Accept.
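To confirm afterwards that each virtual switch carries the settings described above, the following added example (not Fortinet or VMware code) checks the security policy of one standard vSwitch from the ESXi shell. It assumes the "Key: value" text printed by esxcli network vswitch standard policy security get; the role labels heartbeat and data and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example (not Fortinet or VMware code). Audits one standard vSwitch against
# the settings this page requires. Pipe in the text printed by:
#   esxcli network vswitch standard policy security get -v <vswitch>
# The role labels "heartbeat" and "data" are names made up for this example.

# policy_value KEY: print the lower-cased value of one "Key: value" line in $POLICY.
policy_value() {
    printf '%s\n' "$POLICY" | awk -F': *' -v key="$1" '
        { sub(/^[ \t]+/, "", $1); gsub(/[ \t\r]+$/, "", $2) }
        $1 == key { print tolower($2); exit }'
}

# check_policy ROLE: 0 = required settings present, 1 = a required setting is
# missing, 2 = unknown role or unparseable input.
check_policy() {
    role=$1
    POLICY=$(cat)
    promisc=$(policy_value "Allow Promiscuous")
    macchg=$(policy_value "Allow MAC Address Change")
    forged=$(policy_value "Allow Forged Transmits")
    if [ -z "$promisc" ] || [ -z "$macchg" ] || [ -z "$forged" ]; then
        echo "ERROR: could not parse policy output"; return 2
    fi
    rc=0
    case $role in
        heartbeat)  # heartbeat Ethertype frames need promiscuous mode
            if [ "$promisc" != true ]; then echo "FAIL: Promiscuous Mode is not Accept"; rc=1; fi ;;
        data)       # FGCP virtual MACs need MAC changes and forged transmits
            if [ "$macchg" != true ]; then echo "FAIL: MAC Address Changes is not Accept"; rc=1; fi
            if [ "$forged" != true ]; then echo "FAIL: Forged Transmits is not Accept"; rc=1; fi
            if [ "$promisc" = true ]; then echo "NOTE: Promiscuous Mode is Accept; this page requires it only on heartbeat vSwitches"; fi ;;
        *)  echo "ERROR: role must be heartbeat or data"; return 2 ;;
    esac
    return $rc
}

# Constructed sample output for a data vSwitch that still rejects forged transmits.
SAMPLE_DATA='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: false'
printf '%s\n' "$SAMPLE_DATA" | check_policy data || echo "data vSwitch needs attention"
```

On a host, replace the sample with the live command output piped into check_policy, once per vSwitch with the matching role.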