Fortinet Document Library

FortiGate-VM on Xen
Version: 6.0.0

High availability

FortiGate-VM High Availability (HA) supports having two VMs in an HA cluster on either the same physical platform or on different platforms. The primary consideration is that all of the interfaces involved must be able to communicate efficiently over TCP/IP connection sessions.

Heartbeat

There are two options for setting up the HA heartbeat: unicast and broadcast. Broadcast is the default HA heartbeat configuration. However, the broadcast configuration may not be ideal for FortiGate-VM because it may require special settings on the host. In most cases, the unicast configuration is preferred.

The differences between the unicast heartbeat setup and the broadcast heartbeat setup are:

  • The unicast method does not change the FortiGate-VM interface MAC addresses to virtual MAC addresses.
  • Unicast HA only supports two FortiGate VMs.
  • Unicast HA heartbeat interfaces must be connected to the same network and you must add IP addresses to these interfaces.

Unicast

The unicast settings are configured in the CLI of the FortiGate-VM. The syntax is as follows:

    config system ha
        set unicast-hb {enable/disable}
        set unicast-hb-peerip {IP address of the peer's heartbeat interface}
    end

  Setting            Description
  unicast-hb         Enable or disable (the default) unicast HA heartbeat.
  unicast-hb-peerip  The IP address of the HA heartbeat interface of the other FortiGate-VM in the HA cluster.

Broadcast

Broadcast HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. These packets use automatically assigned link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

For FortiGate-VMs to support a broadcast HA heartbeat configuration, you must configure the virtual switches that connect heartbeat interfaces to operate in promiscuous mode and support MAC address spoofing.

In addition, you must configure the VM platform to allow MAC address spoofing for the FortiGate-VM data interfaces. This is required because in broadcast mode, the FGCP applies virtual MAC addresses to FortiGate data interfaces, and these virtual MAC addresses mean that matching interfaces of the FortiGate-VM instances in the cluster will have the same virtual MAC addresses.

XenServer promiscuous mode for broadcast HA

This section describes how to enable promiscuous mode for the heartbeat interfaces of a FortiGate-VM running on XenServer in order to support broadcast HA heartbeat.

On XenServer, FortiGate-VM HA interfaces are directly attached to a Virtual Network Interface (VIF). The VIF is connected to a virtual switch (xenbr) that segments network traffic between a Physical Network Interface (PIF) and one or more VIFs. Enabling promiscuous mode, as described below, allows all traffic crossing the PIF to pass transparently across the xenbr and become visible to the VIF that the FortiGate-VM HA interface is connected to.

Enable promiscuous mode for the PIF

From the XenServer host CLI:

  1. Find and record the UUID of the PIF that the HA heartbeat interface is connected to by entering the following command:
    xe pif-list network-name-label=<network>
    Where <network> is the common name for the network as it appears in XenCenter (for example, Network 0).
  2. Enter the following command to enable promiscuous mode for the PIF:
    xe pif-param-set uuid=<uuid> other-config:promiscuous="true"
    Where <uuid> is the UUID for the PIF.
  3. Enter the following command to verify that the promiscuous option has been set:
    xe pif-param-list uuid=<uuid>
    A line similar to the following should appear in the command output to indicate that promiscuous mode is enabled:
    other-config (MRW): promiscuous: true

Enable promiscuous mode for the VIF

From the XenServer host CLI:

  1. Find and record the UUID of the VIF that the HA heartbeat interface is connected to by entering the following command:
    xe vif-list vm-name-label=<vm-name>
    Where <vm-name> is the common name of the FortiGate-VM as it appears in XenCenter.
  2. Enter the following command to enable promiscuous mode for the VIF:
    xe vif-param-set uuid=<uuid_of_vif> other-config:promiscuous="true"
    Where <uuid_of_vif> is the UUID for the VIF.
  3. Enter the following command to verify that the promiscuous option has been set:
    xe vif-param-list uuid=<uuid_of_vif>
    A line similar to the following should appear in the command output to indicate that promiscuous mode is enabled:
    other-config (MRW): promiscuous: true
  4. Enter the following commands to activate promiscuous mode for the VIF:
    xe vif-unplug uuid=<uuid_of_vif>
    xe vif-plug uuid=<uuid_of_vif>

    These commands disconnect and reconnect the VIF to the VM. When the VIF reconnects, promiscuous mode will be active. The unplug command takes the FortiGate-VM HA interface offline, and the interface stays down for the VM until you enter the vif-plug command.
    You can use the tcpdump utility to compare traffic on the PIF and VIF to ensure that the VIF is behaving promiscuously.
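The PIF and VIF procedures above, wrapped as POSIX shell functions that parse the xe output and read the flag back before reporting success; this is an added example, not code from the Fortinet page. It assumes it runs on the XenServer host with xe on the PATH, the device= filter used to single out one VIF is an assumption, and the SAMPLE_* strings are constructed xe output in the layout the page shows.

```shell
#!/bin/sh
# Added example, not from the Fortinet page: wraps the xe steps above and
# parses the xe output they rely on. SAMPLE_* strings are constructed.

# Print the single UUID in `xe pif-list` / `xe vif-list` output.
# Fails if the listing has zero or several objects, so a mistyped
# label or an ambiguous filter is caught before any param-set runs.
extract_uuid() {
    ids=$(sed -n 's/^uuid ( RO) *: *\([0-9a-f-]\{36\}\).*/\1/p')
    [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$ids"
}

# Succeed only if param-list output shows promiscuous: true in other-config.
promisc_enabled() {
    grep -Eq '^ *other-config \(MRW\):.*promiscuous: *true'
}

# Set the flag on a PIF or VIF ($1 = pif|vif, $2 = UUID) and read it back.
enable_promisc() {
    xe "$1-param-set" uuid="$2" other-config:promiscuous="true" || return 1
    xe "$1-param-list" uuid="$2" | promisc_enabled
}

# PIF procedure: $1 is the network label as shown in XenCenter.
enable_pif_promisc() {
    uuid=$(xe pif-list network-name-label="$1" | extract_uuid) || return 1
    enable_promisc pif "$uuid"
}

# VIF procedure: pass xe filters, e.g. vm-name-label=fgt-a device=1
# (assumed filter), because a VM name alone matches one VIF per network.
# The unplug/plug pair takes the HA interface offline until plug completes.
enable_vif_promisc() {
    uuid=$(xe vif-list "$@" | extract_uuid) || return 1
    enable_promisc vif "$uuid" || return 1
    xe vif-unplug uuid="$uuid" && xe vif-plug uuid="$uuid"
}

# Constructed xe output, in the layout the page shows, for offline checks.
SAMPLE_LIST='uuid ( RO)         : 0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9
          device ( RO): eth1'
SAMPLE_PARAMS_ON='uuid ( RO)         : 0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9
    other-config (MRW): promiscuous: true'
SAMPLE_PARAMS_OFF='uuid ( RO)         : 0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9
    other-config (MRW): '
```

Run enable_pif_promisc "Network 0" and enable_vif_promisc vm-name-label=<vm-name> device=<n> on the host; a non-zero exit means the flag did not read back as true.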
