Before you begin configuring HA
Before you begin:
- The FortiGate 7000Es must be running the same FortiOS firmware version.
- Interfaces should be configured with static IP addresses (not DHCP or PPPoE).
- Register and apply licenses to each FortiGate 7000E before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).
- Both FortiGate 7000Es in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs.
- FortiToken licenses can be added at any time because they are synchronized to all cluster members.
Configure split interfaces before configuring HA
You should configure split interfaces on both FortiGate 7000Es before forming an FGCP HA cluster. If you decide to change the split interface configuration after forming a cluster, you need to remove the secondary FortiGate 7000E from the cluster and change the split interface configuration on both FortiGate 7000Es separately. After the FortiGate 7000Es restart, you can re-form the cluster. This process will cause traffic interruptions.
For example, to split the C1, C2, and C4 interfaces of an FIM-7910E in slot 1, enter the following command:
config system global
set split-port 1-C1 2-C1 2-C4
end
After configuring split ports, the FortiGate 7000E reboots and synchronizes the configuration.
On each FortiGate 7000E, make sure the configurations of the FIMs and FPMs are synchronized before you start configuring HA. You can use the following command to verify the synchronization status of all modules:
diagnose sys confsync showchsum | grep all
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
If the FIMs and FPMs are synchronized, the checksums displayed should all be the same.
You can also use the following command to list the FIMs and FPMs that are synchronized. The example output shows all four modules in a FortiGate-7040E have been configured for HA and added to the cluster.
diagnose sys confsync status | grep in_sync
FIM10E3E16000062, Secondary, uptime=58852.50, priority=2, slot_id=2:2, idx=3, flag=0x10, in_sync=1
FIM04E3E16000010, Secondary, uptime=58726.83, priority=3, slot_id=1:1, idx=0, flag=0x10, in_sync=1
FIM04E3E16000014, Primary, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FIM10E3E16000040, Secondary, uptime=58857.80, priority=4, slot_id=1:2, idx=2, flag=0x10, in_sync=1
FPM20E3E16900234, Secondary, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=1
FPM20E3E16900269, Secondary, uptime=58333.37, priority=120, slot_id=2:4, idx=5, flag=0x64, in_sync=1
FPM20E3E17900113, Secondary, uptime=58858.90, priority=116, slot_id=1:3, idx=6, flag=0x64, in_sync=1
FPM20E3E17900217, Secondary, uptime=58858.93, priority=117, slot_id=1:4, idx=7, flag=0x64, in_sync=1
...
In this command output, in_sync=1 means the module is synchronized with the primary FIM and in_sync=0 means the module is not synchronized.
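The two checks above can be automated as a pre-HA gate over captured CLI output. The following is an added example, not Fortinet code: the function names and the expected_modules parameter are assumptions, and the sample data is constructed from the output shown above.

```python
import re

# One module line of "diagnose sys confsync status | grep in_sync".
STATUS_RE = re.compile(
    r"^(?P<serial>\S+), (?:Primary|Secondary), .*?"
    r"slot_id=(?P<slot>\d+:\d+), .*?in_sync=(?P<in_sync>[01])$"
)
# One line of "diagnose sys confsync showchsum | grep all" (16 hex bytes).
CHSUM_RE = re.compile(r"^all:((?:\s+[0-9a-f]{2}){16})$")


def parse_status(status_output):
    """Return [(serial, slot_id, in_sync)] for each module line found."""
    rows = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            rows.append((m["serial"], m["slot"], m["in_sync"] == "1"))
    return rows


def checksums_match(chsum_output):
    """True only if at least one 'all:' line is present and all are identical."""
    lines = map(str.strip, chsum_output.splitlines())
    sums = {"".join(m.group(1).split()) for m in map(CHSUM_RE.match, lines) if m}
    return len(sums) == 1


def ready_for_ha(status_output, chsum_output, expected_modules):
    """Fail closed: every expected module must be listed and in sync."""
    rows = parse_status(status_output)
    return (len(rows) == expected_modules
            and all(in_sync for _, _, in_sync in rows)
            and checksums_match(chsum_output))


# Constructed sample: two lines from the output above, the second altered
# to in_sync=0 to show a module that has not synchronized.
SAMPLE_STATUS = """\
FIM04E3E16000014, Primary, uptime=58895.30, priority=1, slot_id=2:1, idx=1, flag=0x10, in_sync=1
FPM20E3E16900234, Secondary, uptime=58895.00, priority=16, slot_id=2:3, idx=4, flag=0x64, in_sync=0
"""
SAMPLE_CHSUM = "all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e\n" * 2

if __name__ == "__main__":
    print([r for r in parse_status(SAMPLE_STATUS) if not r[2]])
    print(ready_for_ha(SAMPLE_STATUS, SAMPLE_CHSUM, expected_modules=2))
```

Passing the expected module count catches a module that is missing from the output entirely, which a check of in_sync values alone would not detect.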