
FortiGate-7000E Administration Guide

Introduction to FortiGate-7000E FGCP HA

FortiGate-7000E supports active-passive FortiGate Clustering Protocol (FGCP) HA between two (and only two) identical FortiGate-7000Es. You can configure FortiGate-7000E HA in much the same way as any FortiGate HA setup, except that only active-passive HA is supported.

Note

In Multi VDOM mode, virtual clustering is supported. Virtual clustering is not supported in Split-Task VDOM mode. Split-Task VDOM mode supports standard FGCP HA.

You must use the 10Gbit M1 and M2 interfaces for HA heartbeat communication. See Connect the M1 and M2 interfaces for HA heartbeat communication. Heartbeat packets are VLAN-tagged and you can configure the VLANs used. You must configure the switch interfaces used to connect the M1 and M2 interfaces in trunk mode and the switches must allow the VLAN-tagged packets.

To successfully form an FGCP HA cluster, both FortiGate-7000Es must be operating in the same VDOM mode (Multi or Split-Task). You can change the VDOM mode after the cluster has formed, but this will disrupt traffic.

As part of the FortiGate-7000E HA configuration, you assign each of the FortiGate-7000Es in the HA cluster a chassis ID of 1 or 2. The chassis IDs just allow you to identify individual FortiGate-7000Es and do not influence primary unit selection.

Note

If both FortiGate-7000Es in a cluster are configured with the same chassis ID, both chassis begin operating in HA mode without forming a cluster. A message similar to the following is displayed on the CLI console of both devices:

HA cannot be formed because this box's chassis-id 1 is the same from the HA peer 'F76E9D3E17000001' chassis-id 1.

As well, a log message similar to the following is created:

Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F76E9D3E17000001" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA primary" msg="HA group detected chassis-id conflict" ha_group=7 sn="F76E9DT018900001 chassis-id=1"

You can resolve this issue by logging into one of the FortiGate-7000Es and changing its chassis ID to 2. Once the chassis IDs differ, the two chassis form a cluster.
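Because a chassis-ID conflict leaves both devices running in HA mode without a cluster (and therefore without failover protection), it is worth catching the event above in the log pipeline rather than waiting for someone to notice on the console. The following is an added example, not code from the guide or from Fortinet: it parses the key=value body of a syslog-forwarded FortiGate event log, flags the "HA group detected chassis-id conflict" event, and summarises what the operator needs to do. The `logid` value is taken from the sample log line quoted above; the second and third sample lines (a second chassis reporting the same conflict and a benign HA event), and the `FG7K-CONSTRUCTED-01` device ID, are constructed for this example.

```python
import re
from typing import Dict, List

# FortiGate event logs are space-separated key=value pairs; values may be
# double-quoted (and may then contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# logid of the "HA group detected chassis-id conflict" event as quoted in the
# guide's sample log. The msg text is the primary check; the logid is a
# secondary match so the alert still fires if the wording changes.
HA_CHASSIS_CONFLICT_LOGID = "0108037904"
HA_CHASSIS_CONFLICT_MSG = "chassis-id conflict"


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of a syslog-forwarded FortiGate log line.

    The syslog prefix ("Jan 29 16:29:46 10.160.45.70") contains no '=' and is
    skipped; a repeated key overwrites the earlier value.
    """
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_chassis_id_conflict(fields: Dict[str, str]) -> bool:
    """True when the parsed event is the FGCP chassis-id conflict described in the guide."""
    if fields.get("type") != "event" or fields.get("subtype") != "ha":
        return False
    if fields.get("logid") == HA_CHASSIS_CONFLICT_LOGID:
        return True
    return HA_CHASSIS_CONFLICT_MSG in fields.get("msg", "").lower()


def find_chassis_id_conflicts(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and produce one operator-facing alert per conflict event."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_chassis_id_conflict(f):
            alerts.append({
                "devname": f.get("devname", "?"),
                "devid": f.get("devid", "?"),
                "ha_group": f.get("ha_group", "?"),
                "time": f"{f.get('date', '?')} {f.get('time', '?')}",
                # Remediation from the guide: give one chassis the other ID.
                "action": "Both chassis share a chassis ID; change one chassis "
                          "to the other ID (1 or 2) so the cluster can form.",
            })
    return alerts


# Sample input. The first line is the log message quoted in the guide; the
# other two are constructed for this example.
SAMPLE_LOGS = [
    'Jan 29 16:29:46 10.160.45.70 date=2020-01-29 time=16:29:51 devname="CH-02" devid="F76E9D3E17000001" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" eventtime=1580344192162305962 tz="-0800" logdesc="Device set as HA primary" msg="HA group detected chassis-id conflict" ha_group=7 sn="F76E9DT018900001 chassis-id=1"',
    # constructed: the peer chassis reporting the same conflict
    'Jan 29 16:29:47 10.160.45.71 date=2020-01-29 time=16:29:52 devname="CH-01" devid="FG7K-CONSTRUCTED-01" slot=1 logid="0108037904" type="event" subtype="ha" level="error" vd="mgmt-vdom" msg="HA group detected chassis-id conflict" ha_group=7',
    # constructed: a benign HA event that must not alert
    'Jan 29 16:30:00 10.160.45.70 date=2020-01-29 time=16:30:05 devname="CH-02" devid="F76E9D3E17000001" slot=1 logid="0000000000" type="event" subtype="ha" level="notice" vd="mgmt-vdom" msg="constructed benign HA event" ha_group=7',
]

if __name__ == "__main__":
    for alert in find_chassis_id_conflicts(SAMPLE_LOGS):
        print(alert)
```

Run against the three sample lines, the scan raises two alerts (one per chassis) and ignores the benign HA event. In a real deployment the same check can be expressed as a SIEM rule on `subtype="ha"` plus the msg text, since the conflict is logged by both chassis and persists until one chassis ID is changed.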

Example FortiGate-7040 HA configuration

In a FortiGate-7000E FGCP HA configuration, the primary FortiGate-7000E processes all traffic. The secondary FortiGate-7000E operates in hot standby mode. The FGCP synchronizes the configuration, active sessions, routing information, and so on to the secondary FortiGate-7000E. If the primary FortiGate-7000E fails, traffic automatically fails over to the secondary.