Fortinet Document Library

Version: 6.0.0

Configuring active-passive HA

This step shows you how to configure active-passive (A-P) HA settings using CLI commands, either from the GUI or over SSH.

In the commands below, note the following:

  • Port4 is the hbdev port used for heartbeat connection.
  • For the management interface, you must use port1, because OCI allows external access only on port1.
  • When setting priority on FortiGate B, set the priority to 100 (lower than FortiGate A's priority level). The node with the lower priority level becomes the secondary node.
  • When setting the unicast heartbeat peer IP address (the last command), specify the port4 IP address of the peer. In the example, FortiGate A's peer is FortiGate B, whose port4 IP address is 10.0.10.4. When configuring FortiGate B, specify FortiGate A's port4 IP address, which is 10.0.10.3.

Below is the primary FortiGate configuration:

config system ha
    set group-id 30
    set group-name "ha-cluster"
    set mode a-p
    set hbdev "port4" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.1.1
        next
    end
    set override disable
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 10.0.10.4
end

Once configuration is complete, exit the CLI or SSH session.

Below is the secondary FortiGate configuration:

config system ha
    set group-id 30
    set group-name "ha-cluster"
    set mode a-p
    set hbdev "port4" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.0.1
        next
    end
    set override disable
    set priority 100
    set unicast-hb enable
    set unicast-hb-peerip 10.0.10.3
end
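
The two configurations must agree on the group settings and mirror each other on the unicast heartbeat peer IP, so an offline comparison catches a swapped peer address or a mismatched group before the cluster is formed. The Python script below is an added example, not Fortinet code; the function names and the trimmed sample input (built from the values on this page) are assumptions.

```python
import shlex

# Constructed input: the HA settings from this page that must agree or mirror
# each other; priority and peer IP are filled in per unit.
TEMPLATE = """config system ha
    set group-id 30
    set group-name "ha-cluster"
    set mode a-p
    set hbdev "port4" 50
    set override disable
    set priority {priority}
    set unicast-hb enable
    set unicast-hb-peerip {peer}
end"""

MUST_MATCH = ("group-id", "group-name", "mode", "hbdev", "override", "unicast-hb")

def parse_ha(text):
    """Return {setting: [values]} for top-level 'set' lines of config system ha."""
    settings, depth = {}, 0
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "set" and depth == 1 and len(tok) >= 3:
            settings[tok[1]] = tok[2:]  # nested blocks (depth 2) are skipped
    return settings

def check_pair(cfg_a, hb_ip_a, cfg_b, hb_ip_b):
    """Compare two units; hb_ip_* is each unit's own heartbeat-port address."""
    a, b = parse_ha(cfg_a), parse_ha(cfg_b)
    problems = [f"{k} differs: {a.get(k)} vs {b.get(k)}"
                for k in MUST_MATCH if a.get(k) != b.get(k)]
    if a.get("priority") == b.get("priority"):
        problems.append("priority is equal on both units")
    for name, cfg, peer_ip in (("A", a, hb_ip_b), ("B", b, hb_ip_a)):
        if cfg.get("unicast-hb-peerip") != [peer_ip]:
            problems.append(f"unit {name}: unicast-hb-peerip should be {peer_ip}")
    return problems

fgt_a = TEMPLATE.format(priority=200, peer="10.0.10.4")
fgt_b = TEMPLATE.format(priority=100, peer="10.0.10.3")
if __name__ == "__main__":
    print(check_pair(fgt_a, "10.0.10.3", fgt_b, "10.0.10.4") or "HA pair is consistent")
```

The parser also accepts the full blocks shown above, since settings inside the nested `config ha-mgmt-interfaces` block are ignored.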
