So this may not be necessary for most home users out there but for those that need a quick rundown on how to configure High Availability between Fortigates, I hope this helps:
- All Fortigates need to have the same hardware configuration i.e. hard disk configuration, optional components installed, same model version.
- All Fortigates need to have the same firmware build e.g. v5.0,build0271 (GA Patch 6)
- All Fortigates need to be using the same operating mode e.g. NAT or Transparent
- All Fortigates need to be operating in the same VDOM mode
- If the Fortigates are operating in multiple VDOM mode, they all need the same VDOM configuration
- All interfaces need to have a static IP address. If any interface is using DHCP you can’t configure HA
- Fortigates that have a built-in switch will not work in switch mode. You will need to configure Interface Mode.
Boring stuff done, let’s get to work.
High level steps required to configure HA:
- Configure Fortigate units for HA operation individually and power off.
- Connect the Fortigates to the network
- Connect all interfaces (LAN, Heartbeat, Internet)
- Power on both Fortigate units
- Log onto the first Fortigate unit (FG1) and configure all your interface settings, policies, hostnames, VIPs, firewall addresses, routes etc.
FG1# conf sys hostname
FG1# conf sys interface
FG1# conf firewall policy
- Configure High Availability via CLI. Here is my standard setup but ensure you read the Fortigate manual for further clarification
FG1# conf sys ha
FG1# set mode a-a
FG1# set group-name SAMHA
FG1# set password Th!sIs@s3CurePa$$w0rd
FG1# set hbdev "port2" 50 "port3" 50
FG1# set session-pickup enable
FG1# set override disable
FG1# set priority 50
FG1# set monitor "port1" "wan1"
FG1# set pingserver-monitor-interface "port1"
FG1# set pingserver-failover-threshold 1
FG1# end
– Set "hbdev": these are the interfaces that you will connect to your second unit to carry the cluster heartbeat, i.e. port2 on FG1 will be connected to port2 on FG2. The number after each interface is the heartbeat priority of that interface. It is recommended that you have at least 2 heartbeat interfaces configured.
– Set "monitor": these are the interfaces that the Fortigate will monitor. If one of these interfaces fails, the unit will fail over to the second unit.
– Set "priority": this sets the device priority of the cluster unit. When a cluster negotiation occurs (for example after you change a unit's device priority), the unit with the highest priority becomes the primary unit.
- Power off FG1
- Perform steps 1 to 3 on FG2. Power off FG2
- Connect all interfaces correctly, ensure switching is correct, and heartbeat Interfaces are connected.
- Power on both Fortigates at the same time.
- Log on to one of the units and identify which of them is the master Fortigate by entering
FG1# get sys stat
You should get output that looks like the example below. You can see from the "Current HA mode" line that this unit is the master unit.
FG1 # get sys stat
Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 19.00098(2013-09-01 11:46)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00385(2013-08-28 22:38)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Botnet DB: 1.00229(2013-09-01 11:39)
BIOS version: 04000007
Log hard disk: Available
Internal Switch mode: interface
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-a, master
Branch point: 271
Release Version Information: GA Patch 6
System time: Mon Mar 15 16:19:18 1996
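As an added check that is not part of the original post, the following Python snippet compares the `get sys stat` output of two units against the prerequisites listed at the top (same firmware build, same operation mode, same VDOM configuration, internal switch in interface mode) and reads off which unit is master. FG1_STATUS is trimmed from the output shown above; FG2_STATUS is a constructed second unit that deliberately fails two checks.

```python
# Constructed sample input: FG1_STATUS is trimmed from the `get sys stat` output
# above; FG2_STATUS is an invented second unit that violates two prerequisites.
FG1_STATUS = """\
Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
Internal Switch mode: interface
Operation Mode: NAT
Virtual domain configuration: disable
Current HA mode: a-a, master
"""

FG2_STATUS = """\
Version: FortiGate-60D v5.0,build0999,000000 (constructed mismatch)
Internal Switch mode: switch
Operation Mode: NAT
Virtual domain configuration: disable
Current HA mode: a-a, backup
"""

# Fields the checklist says must be identical on every cluster member.
MUST_MATCH = ("Version", "Operation Mode", "Virtual domain configuration")


def parse_status(text):
    """Turn the 'Key: value' lines of `get system status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ha_role(fields):
    """Split 'Current HA mode: a-a, master' into ('a-a', 'master')."""
    parts = [p.strip() for p in fields.get("Current HA mode", "").split(",")]
    return parts[0], (parts[1] if len(parts) > 1 else None)


def check_ha_prerequisites(status_a, status_b):
    """Return a list of problems; an empty list means the pair can form a cluster."""
    a, b = parse_status(status_a), parse_status(status_b)
    problems = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    # Built-in switch ports cannot join HA; both units must be in interface mode.
    for name, f in (("unit A", a), ("unit B", b)):
        if f.get("Internal Switch mode") != "interface":
            problems.append(f"{name}: internal switch mode is {f.get('Internal Switch mode')!r}, need 'interface'")
    return problems
```

Run `check_ha_prerequisites` on the two units' output before powering them on together; any returned line is something to fix before the cluster will negotiate.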
- Test failover using these tests as a bare minimum:
– Power off a Fortigate unit
– Unplug port1 (production network)
– Unplug internet connection (wan1)
– Unplug one of the two heartbeat interfaces
Go forth and ensure you can keep that 99.999999999% uptime 🙂