Fortigate: Configure High Availability

So this may not be necessary for most home users out there, but for those that need a quick rundown on how to configure High Availability between Fortigates, I hope this helps:

Prerequisites:

  • All Fortigates need to have the same hardware configuration i.e. hard disk configuration, optional components installed, same model version.
  • All Fortigates need to have the same firmware build e.g. v5.0,build0271 (GA Patch 6)
  • All Fortigates need to be using the same operating mode e.g. NAT or Transparent
  • All Fortigates need be operating in the same VDOM mode
  • If the Fortigates are operating in multiple VDOM mode, they all need to have the same VDOM configuration
  • All interfaces need to have a static IP address. If any interface is using DHCP you can’t configure HA
  • Fortigates that have a built-in switch will not work. You will need to configure Interface Mode.

Boring stuff done, let’s get to work.

High level steps required to configure HA:

  1. Configure Fortigate units for HA operation individually and power off.
  2. Connect the Fortigates to the network
  3. Connect all interfaces (LAN, Heartbeat, Internet)
  4. Power on both Fortigate units
  5. Test!

Detailed Instructions

  1. Log onto the first Fortigate unit (FG1) and configure all your interface settings, policies, hostnames, VIPs, firewall addresses, routes etc.

    FG1# conf sys global
    FG1# set hostname FG1
    FG1# end
    FG1# conf sys interface
    FG1# conf firewall policy
    etc

  2. Configure High Availability via CLI. Here is my standard setup but ensure you read the Fortigate manual for further clarification

    FG1# conf sys ha
    FG1# set mode a-a
    FG1# set group-name SAMHA
    FG1# set password Th!sIs@s3CurePa$$w0rd
    FG1# set hbdev "port2" 50 "port3" 50
    FG1# set session-pickup enable
    FG1# set override disable
    FG1# set priority 50
    FG1# set monitor "port1" "wan1"
    FG1# set pingserver-monitor-interface "port1"
    FG1# set pingserver-failover-threshold 1
    FG1# end

    Notes:
    – Set “hbdev”: these are the interfaces you connect to the second unit to carry the cluster heartbeat, i.e. port2 on FG1 is cabled to port2 on FG2 (and port3 to port3). The number after each interface is that interface's heartbeat priority. It is recommended that you have at least two heartbeat interfaces configured.
    – Set “monitor”: these are the interfaces the Fortigate will monitor. If one of these interfaces fails, the unit fails over to the second unit.
    – Set “priority”: this sets the device priority of the cluster unit. When a cluster negotiation occurs (for example after you change the device priority of a unit), the unit with the highest priority becomes the primary unit.

  3. Power off FG1
  4. Perform steps 1 to 3 on FG2. Power off FG2
  5. Connect all interfaces correctly, ensure switching is correct, and heartbeat Interfaces are connected.
  6. Power on both Fortigates at the same time.
  7. Log on to one of the units and identify which of them is the master Fortigate by entering

    FG1# get sys stat

    You should get output that looks like the below. The “Current HA mode” line shows that this unit is the master unit.

    FG1 # get sys stat
    Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
    Virus-DB: 19.00098(2013-09-01 11:46)
    Extended DB: 1.00000(2012-10-17 15:46)
    IPS-DB: 4.00385(2013-08-28 22:38)
    IPS-ETDB: 0.00000(2001-01-01 00:00)
    Serial-Number: FG60D3911452369
    Botnet DB: 1.00229(2013-09-01 11:39)
    BIOS version: 04000007
    Log hard disk: Available
    Internal Switch mode: interface
    Hostname: FG1
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: a-a, master
    Branch point: 271
    Release Version Information: GA Patch 6
    System time: Mon Mar 15 16:19:18 1996

  8. Test failover using these tests as a bare minimum:
     – Power off a Fortigate unit
     – Unplug port1 (production network)
     – Unplug internet connection (wan1)
     – Unplug one of the two heartbeat interfaces
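The prerequisite checks at the top of the post and the master/slave check in step 7 can be scripted against the same `get sys stat` output. The Python below is an added example (not code from the original post, and not a Fortinet tool) that parses the `get sys stat` text captured from each unit, flags any difference in the fields the prerequisites require to match (firmware build, operation mode, VDOM settings, disk, HA mode, switch mode), and reports which unit is master. The FG1 output is the one shown above, abridged to the lines the checks use; the FG2 output and the mismatched third unit (older build, switch left in switch mode) are constructed for this example.

```python
# Pre-flight check for a FortiGate HA pair (added example, not from the post).
import re

# Fields that must be identical on every cluster member (from the prerequisites).
MUST_MATCH = (
    "Operation Mode",                 # NAT vs Transparent
    "Virtual domain configuration",   # same VDOM mode
    "Virtual domains status",         # same VDOM layout
    "Max number of virtual domains",
    "Log hard disk",                  # same hardware / disk configuration
)


def parse_sys_stat(text):
    """Map the 'Key: value' lines of `get sys stat` to a dict (prompt line skipped)."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:                       # split on first ': ' so times survive
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def firmware_build(fields):
    """'v5.0,build0271' from the Version line, or '' if absent."""
    m = re.search(r"v\d+\.\d+,build\d+", fields.get("Version", ""))
    return m.group(0) if m else ""


def ha_role(fields):
    """(mode, role) from 'Current HA mode: a-a, master'; standalone if unclustered."""
    value = fields.get("Current HA mode", "standalone")
    if "," in value:
        mode, role = value.split(",", 1)
        return mode.strip(), role.strip()
    return value.strip(), "standalone"


def check_prerequisites(units):
    """Compare every unit against the first; an empty list means they may be clustered."""
    problems = []
    (ref_name, ref), *rest = units.items()
    for name, other in rest:
        if firmware_build(ref) != firmware_build(other):
            problems.append(f"firmware build: {ref_name}={firmware_build(ref)} "
                            f"vs {name}={firmware_build(other)}")
        for field in MUST_MATCH:
            if ref.get(field) != other.get(field):
                problems.append(f"{field}: {ref_name}={ref.get(field)!r} "
                                f"vs {name}={other.get(field)!r}")
        if ha_role(ref)[0] != ha_role(other)[0]:
            problems.append(f"HA mode: {ref_name}={ha_role(ref)[0]} "
                            f"vs {name}={ha_role(other)[0]}")
    for name, fields in units.items():
        # A built-in switch left in switch mode blocks HA; it must be in interface mode.
        if fields.get("Internal Switch mode") != "interface":
            problems.append(f"{name}: Internal Switch mode is "
                            f"{fields.get('Internal Switch mode')!r}, need 'interface'")
    return problems


def cluster_master(units):
    """Name of the single unit reporting 'master', else None."""
    masters = [n for n, f in units.items() if ha_role(f)[1] == "master"]
    return masters[0] if len(masters) == 1 else None


# FG1 output as shown in the post (abridged to the lines the checks use).
FG1_STAT = """\
FG1 # get sys stat
Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
Log hard disk: Available
Internal Switch mode: interface
Hostname: FG1
Operation Mode: NAT
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
Current HA mode: a-a, master
"""

# Constructed: the second unit, identical apart from hostname and HA role.
FG2_STAT = FG1_STAT.replace("FG1", "FG2").replace("a-a, master", "a-a, slave")

# Constructed: a unit on an older build (made-up build string) with its switch
# still in switch mode, to show the checks firing.
FG_BAD_STAT = (FG2_STAT.replace("build0271,140124 (GA Patch 6)",
                                "build0252,130827 (GA Patch 5)")
               .replace("Internal Switch mode: interface",
                        "Internal Switch mode: switch"))

if __name__ == "__main__":
    good = {"FG1": parse_sys_stat(FG1_STAT), "FG2": parse_sys_stat(FG2_STAT)}
    print("pair OK:", check_prerequisites(good) == [], "master:", cluster_master(good))
    for p in check_prerequisites({"FG1": good["FG1"], "FG2": parse_sys_stat(FG_BAD_STAT)}):
        print("problem:", p)
```

Run it before step 5 (cabling) with the real `get sys stat` text from each unit pasted in place of the constants; any line it prints as a problem is something to fix before the units negotiate, and after step 6 the `cluster_master` result should name exactly one unit.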

Go forth and ensure you can keep that 99.999999999% uptime 🙂