
FortiGate-6000 and FortiGate-7000 Release Notes

Example FortiGate-7000E HA heartbeat switch configuration

FortiGate-7000E for FortiOS 6.2.9 allows you to use proprietary triple-tagging or double-tagging for HA heartbeat packets. In either mode the switch between the chassis must forward the stacked VLAN tags unchanged.

Example triple-tagging compatible switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

Note: This configuration is not required for FortiGate-7030E HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-7000E to use different VLAN IDs for the M1 and M2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

Note: This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as it is not the same as the allowed VLAN ID. On a Cisco trunk, frames in the native VLAN leave the port untagged, so using the heartbeat VLAN ID as the native VLAN would strip the heartbeat tag.
  1. On both FortiGate-7000Es in the HA configuration, enter the following command to use different VLAN IDs for the M1 and M2 interfaces. The command sets the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087:

    config system ha

    set ha-port-dtag-mode proprietary

    set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50

    set hbdev-vlan-id 4086

    set hbdev-second-vlan-id 4087

    end

  2. Use the get system ha or get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     FG74E83E16000015(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
     FG74E83E16000016(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
    ...
  3. Configure the Cisco switch port that connects the M1 interfaces to allow packets with a VLAN ID of 4086:

    interface <name>

    switchport mode trunk

    switchport trunk native vlan 777

    switchport trunk allowed vlan 4086

  4. Configure the Cisco switch port that connects the M2 interfaces to allow packets with a VLAN ID of 4087:

    interface <name>

    switchport mode trunk

    switchport trunk native vlan 777

    switchport trunk allowed vlan 4087
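The following script is an added example and is not Fortinet or Cisco tooling: it parses the HBDEV stats block shown in step 2 and checks, per chassis and per M1/M2 interface, that the link is up, the vlan-id matches the configured hbdev-vlan-id / hbdev-second-vlan-id, and the dropped/error counters are zero; it then lints a Cisco trunk stanza like the one in step 3 for trunk mode, the allowed VLAN, and the native-VLAN caveat from the note above. HBDEV_SAMPLE is copied from the output above; the interface name in CISCO_M1_PORT and all function names are my own assumptions.

```python
"""Verify a FortiGate-7000E HA heartbeat setup from `get system ha status`
output and the Cisco trunk port config. Added example, not FortiOS or Cisco
tooling; function names are assumptions of this example."""
import re

# Copied from the `get system ha status` output shown on this page.
HBDEV_SAMPLE = """\
HBDEV stats:
 FG74E83E16000015(updated 1 seconds ago):
   1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
   2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
   1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
   2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
 FG74E83E16000016(updated 1 seconds ago):
   1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
   2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
   1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
   2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
"""

# The step 3 stanza for the M1 port; the interface name is assumed.
CISCO_M1_PORT = """\
interface TenGigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 777
 switchport trunk allowed vlan 4086
"""

SERIAL_RE = re.compile(r"^\s*(\S+)\(updated .*\):$")
HBDEV_RE = re.compile(
    r"^\s*(?P<iface>\S+): (?P<type>\S+)/(?P<speed>\S+), (?P<state>\w+), "
    r"rx-bytes/packets/dropped/errors=(?P<rx_bytes>\d+)/(?P<rx_pkts>\d+)/"
    r"(?P<rx_drop>\d+)/(?P<rx_err>\d+), tx=(?P<tx_bytes>\d+)/(?P<tx_pkts>\d+)/"
    r"(?P<tx_drop>\d+)/(?P<tx_err>\d+), vlan-id=(?P<vlan_id>\d+)$")


def parse_hbdev_stats(text):
    """Return {chassis serial: {interface: {field: value}}} from the HBDEV block."""
    stats, serial = {}, None
    for line in text.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            serial = m.group(1)
            stats[serial] = {}
            continue
        m = HBDEV_RE.match(line)
        if m and serial is not None:
            rec = m.groupdict()
            for key, val in rec.items():
                if val.isdigit():
                    rec[key] = int(val)
            stats[serial][rec["iface"]] = rec
    return stats


def check_hbdev(stats, expected_vlans):
    """List problems: interface not up, vlan-id not matching its M1/M2 role
    (expected_vlans = {'M1': 4086, 'M2': 4087}), or non-zero drop/error counters."""
    problems = []
    for serial, ifaces in stats.items():
        for name, rec in ifaces.items():
            role = name.rsplit("-", 1)[-1]            # '1-M1' -> 'M1'
            want = expected_vlans.get(role)
            if rec["state"] != "up":
                problems.append(f"{serial} {name}: link {rec['state']}")
            if want is not None and rec["vlan_id"] != want:
                problems.append(f"{serial} {name}: vlan-id {rec['vlan_id']} != {want}")
            for ctr in ("rx_drop", "rx_err", "tx_drop", "tx_err"):
                if rec[ctr]:
                    problems.append(f"{serial} {name}: {ctr}={rec[ctr]}")
    return problems


def _vlan_in_list(vlan, spec):
    """True if vlan is covered by an allowed-list spec such as '4086',
    '4086,4087', '4080-4090' or 'all'."""
    for part in spec.split(","):
        if part == "all":
            return True
        lo, _, hi = part.partition("-")
        if lo.isdigit() and int(lo) <= vlan <= int(hi or lo):
            return True
    return False


def check_cisco_trunk(stanza, hb_vlan):
    """Lint one trunk stanza (simple form as in step 3) against the heartbeat
    VLAN it must carry: trunk mode, VLAN allowed, native VLAN different from it
    because native-VLAN frames egress a Cisco trunk untagged."""
    problems = []
    mode = re.search(r"switchport mode (\S+)", stanza)
    native = re.search(r"switchport trunk native vlan (\d+)", stanza)
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", stanza)
    if not mode or mode.group(1) != "trunk":
        problems.append("port is not in trunk mode")
    if not allowed or not _vlan_in_list(hb_vlan, allowed.group(1)):
        problems.append(f"VLAN {hb_vlan} is not in the allowed list")
    if native and int(native.group(1)) == hb_vlan:
        problems.append(f"native VLAN equals heartbeat VLAN {hb_vlan}")
    return problems


if __name__ == "__main__":
    stats = parse_hbdev_stats(HBDEV_SAMPLE)
    print(check_hbdev(stats, {"M1": 4086, "M2": 4087}) or "HBDEV stats ok")
    print(check_cisco_trunk(CISCO_M1_PORT, 4086) or "M1 trunk port ok")
```

Paste the HBDEV block from your own `get system ha status` output into HBDEV_SAMPLE and the real port stanza into CISCO_M1_PORT; an empty list from each check means the VLAN IDs on both chassis agree with the switch port that carries them.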

Example double-tagging compatible switch configuration

The following switch configuration is compatible with FortiGate-7040E HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-7040E HA heartbeat configuration is:

config system ha

set ha-port-dtag-mode double-tagging

set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50

set hbdev-vlan-id 4086

set hbdev-second-vlan-id 4087

end

Example third-party switch configuration:

Switch interfaces 37 to 40 connect to the M1 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet37

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

!

interface Ethernet38

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

!

interface Ethernet39

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

!

interface Ethernet40

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

!

Switch interfaces 41 to 44 connect to the M2 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet41

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

!

interface Ethernet42

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

!

interface Ethernet43

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

!

interface Ethernet44

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel
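The page's caveat for both modes is that the switch must forward the stacked VLAN tags and must not strip the inner tag. The following is an added example, not Fortinet code: a parser for 802.1Q/802.1ad tag stacks plus helpers that mimic what a switch port does to the stack (push an outer tag as a dot1q-tunnel port does with its access VLAN, or pop the outer tag as a trunk does for its native VLAN), so tag stacks from a capture taken on both sides of the heartbeat switch can be compared. The MAC addresses, payload and inner VID 100 are constructed; the real FortiGate heartbeat frame layout is not documented on this page, only that double tagging uses TPID 0x8100 by default.

```python
"""Parse and compare VLAN tag stacks to check that a switch forwards
double-tagged frames without stripping a tag. Added example, not Fortinet
code; frame contents are constructed for illustration."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

DST = bytes.fromhex("0200000000a1")   # constructed MAC addresses
SRC = bytes.fromhex("0200000000b2")


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble dst|src|[tpid,tci]*|ethertype|payload. tags are listed
    outermost first; PCP/DEI bits are left at zero."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, ethertype, payload)."""
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated in the header")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in TPIDS:
            return tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((etype, tci & 0x0FFF))
        off += 4


def push_outer_tag(frame, tpid, vid):
    """What a dot1q-tunnel port does on ingress: add one more outer tag
    (the third-party ports above tunnel in access VLAN 660 / 770)."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_outer_tag(frame):
    """What a trunk port does on egress for its native VLAN: drop the
    outermost tag. On a stacked heartbeat frame this is the failure the
    page warns about."""
    tags, _, _ = parse_tag_stack(frame)
    return frame[:12] + frame[16:] if tags else frame


def inner_tags_preserved(ingress, egress):
    """True if the sender's whole tag stack still appears, in order, inside
    the egress stack: extra outer tags are fine, a popped one is not."""
    tin = parse_tag_stack(ingress)[0]
    tout = parse_tag_stack(egress)[0]
    n = len(tin)
    return n == 0 or any(tout[i:i + n] == tin for i in range(len(tout) - n + 1))


def describe(frame):
    """Human-readable tag stack, e.g. '802.1Q 4086 / 802.1Q 100 / ethertype 0x0800'."""
    tags, etype, _ = parse_tag_stack(frame)
    parts = [f"{TPIDS[t]} {v}" for t, v in tags]
    return " / ".join(parts + [f"ethertype {etype:#06x}"])


if __name__ == "__main__":
    # Outer VID 4086 is the page's M1 heartbeat VLAN; inner VID 100 is made up.
    hb = build_frame(DST, SRC, [(0x8100, 4086), (0x8100, 100)], 0x0800, bytes(20))
    print("sent:        ", describe(hb))
    tunneled = push_outer_tag(hb, 0x8100, 660)
    print("dot1q-tunnel:", describe(tunneled), inner_tags_preserved(hb, tunneled))
    stripped = pop_outer_tag(hb)
    print("native pop:  ", describe(stripped), inner_tags_preserved(hb, stripped))
```

To use it on real traffic, feed the raw bytes of the same heartbeat frame captured on the FortiGate side and on the far side of the switch to inner_tags_preserved; a False result means the switch altered the sender's tag stack, which is exactly the kind of switch the page says to avoid.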
