Work environment
- FortiGate-VM
- version 7.0.5
What is HA (High Availability)?
HA is a redundant configuration that joins two or more FortiGates into one cluster (two in this example).
There are Active-Passive and Active-Active configurations.
- Active-Passive
- One unit becomes Master (shown as Primary in the FortiOS 7.0 CLI) and handles all traffic. The other waits in the Slave (Secondary) state and takes over as Master when the Master unit goes down.
- This is the most common configuration.
- Active-Active
- Both units are in the Active state and process traffic.
Conditions for configuring HA
- Same model number
- Same firmware version
- Same license
FortiGate HA Features
- Settings are synchronized between the devices that make up the HA cluster, except for a few items, for example:
- hostname
- HA-related settings
- Management interface settings
- A management interface is an interface reserved for management access. It can have its own IP address that is not synchronized, so each cluster member can be reached individually. Any physical interface can be designated as the management interface.
- A virtual MAC address is used as the MAC address for the service port IP addresses, so clients do not see a MAC change when the cluster fails over.
Selection Criteria for the Master Unit
- The member with more monitor interfaces that are up becomes Master. In the event of a tie, check the next criterion.
- The member with the longer HA uptime (time in normal operation) becomes Master. If the difference is within 5 minutes (the default ha-uptime-diff-margin of 300 seconds), it is treated as a tie and the next criterion is checked.
- However, if the HA setting is set override enable, device priority is compared before HA uptime, so the order becomes: monitor interfaces, priority, HA uptime, serial number.
- The member with the higher priority becomes Master. If they are the same, check the next criterion.
- The member with the higher serial number becomes Master.
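The election order above is easy to get wrong in practice, especially the interaction between priority and uptime. The following is an added example (not code from the page or from Fortinet) that models the criteria as a pairwise comparison so you can predict which unit will become Master before you touch the cluster. The serial numbers and priorities are taken from this page; the uptimes, the 300-second margin (the FortiOS default for ha-uptime-diff-margin) and the string comparison used for "higher serial number" are assumptions. Setting ha_uptime to 0 models what diagnose sys ha reset-uptime does to a unit.

```python
from dataclasses import dataclass

# FortiOS default for "set ha-uptime-diff-margin" (the "within 5 minutes" rule).
UPTIME_DIFF_MARGIN = 300


@dataclass
class Member:
    serial: str
    monitored_up: int   # monitor interfaces that are currently link-up
    ha_uptime: int      # HA uptime ("age") in seconds; 0 right after reset-uptime
    priority: int       # device priority 0-255 (FortiOS default 128)


def compare(a, b, override=False, margin=UPTIME_DIFF_MARGIN):
    """Pairwise election between two members; returns (winner, reason)."""
    # override disable: monitored ports > age > priority > serial
    # override enable:  monitored ports > priority > age > serial
    order = ("monitored", "priority", "age", "serial") if override \
        else ("monitored", "age", "priority", "serial")
    for crit in order:
        if crit == "monitored" and a.monitored_up != b.monitored_up:
            return (a if a.monitored_up > b.monitored_up else b,
                    "more monitored interfaces up")
        # Uptime only counts when the difference exceeds the margin.
        if crit == "age" and abs(a.ha_uptime - b.ha_uptime) > margin:
            return (a if a.ha_uptime > b.ha_uptime else b, "larger HA uptime")
        if crit == "priority" and a.priority != b.priority:
            return (a if a.priority > b.priority else b, "higher device priority")
    # Every other criterion tied: assumed lexical comparison of serial numbers.
    return (a if a.serial > b.serial else b, "higher serial number")


def elect_primary(members, override=False, margin=UPTIME_DIFF_MARGIN):
    """Reduce the member list with pairwise comparisons; returns (winner, reason)."""
    winner, reason = members[0], "only member in the cluster"
    for m in members[1:]:
        winner, reason = compare(winner, m, override, margin)
    return winner, reason


if __name__ == "__main__":
    # Serials and priorities from the page; uptimes are constructed for the demo.
    fg01 = Member("FGVMEV5APNY5IC15", monitored_up=3, ha_uptime=120, priority=200)
    fg02 = Member("FGVMEV0VSUGHWQA5", monitored_up=3, ha_uptime=20000, priority=100)
    for override in (False, True):
        w, why = elect_primary([fg01, fg02], override=override)
        print(f"override={'enable' if override else 'disable'}: {w.serial} ({why})")
    # Link loss on a monitored interface outranks both priority and uptime.
    fg01_linkdown = Member("FGVMEV5APNY5IC15", 2, 120, 200)
    w, why = elect_primary([fg01_linkdown, fg02], override=True)
    print(f"FortiGate01 lost a monitored port: {w.serial} ({why})")
```

Run it and note the first two lines: with override disabled the long-running low-priority unit stays Master after the high-priority unit reboots; with override enabled the high-priority unit takes the role back as soon as it rejoins, which is an extra failover each time.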
HA configuration procedure
Work environment

- Here is an example of setting Active-Passive mode.
FortiGate#1 settings
◆Hostname setting

◆Interface IP address setting

◆HA setting
HA settings are configured under System > HA.


- Device priority
- The unit with the higher priority is preferred as the active unit (subject to the selection criteria above).
- Cluster Settings
- Group name
- Set any name. Use the same name on all cluster members.
- Password
- Set any password. Use the same password on all cluster members.
- Session pickup
- Sets whether session information is synchronized between cluster members, so that established sessions survive a failover.
- Monitor interfaces
- A failover to the other unit is triggered when a monitor interface goes down.
- Heartbeat interfaces
- Interfaces used to send and receive HA heartbeat and synchronization packets. Use dedicated links; two are configured here for redundancy.
- Management Interface Reservation
- Enable this to reserve a dedicated management interface for each cluster member.
After setting HA, the screen will be displayed as shown in the image below.

HA settings are configured with config system ha in the CLI.
config system ha
    set group-name "HA-Group"
    set mode a-p
    set password ENC PmwlwMrzGeBk1J2AeLNCRjhCC/MxKT4jDODR9KQvZvzj6R5Fzh16EjANpUzmlY34lrWk7QXtUMbNArgZp54A/D28yDU1ecJ/l/TVaEYS1duCXKwzUZjghoiWe1Y5FCMJ25a1AR3bHDJf1xMlnulsD7DcSkqUieaeW3BhPyxppU6n1+qZwE6ZgTupvtEEen5lFYQmEw==
    set hbdev "port9" 100 "port10" 200
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port8"
            set gateway 192.168.75.253
        next
    end
    set override disable
    set priority 200
    set monitor "port1" "port2" "port3"
end
override can only be set in the CLI. The default for override is disable.
If override is enable, the higher-priority member automatically takes the Master role back as soon as it recovers (for example after a reboot or firmware upgrade), which means one extra failover each time it rejoins. Leave it disabled unless you need a fixed Master.
◆Management interface settings
Set the management interface IP address and administrative access. This is done after the HA configuration, because the interface must first be reserved as the HA management interface.

FortiGate#2 settings
◆Hostname setting

◆Interface IP address setting
Once the cluster is formed, the interface settings are synchronized from FortiGate#1, so there is no need to configure them on FortiGate#2.
◆HA setting

FortiGate#1 has Priority set to 200. On FortiGate#2 set a smaller value, 100. All other HA settings (group name, password, heartbeat and monitor interfaces) must match FortiGate#1.
◆Management interface settings
Set the management interface IP address and administrative access on FortiGate#2 as well, using a different IP address from FortiGate#1. This is done after the HA configuration.

Connect the Heartbeat interfaces together
After completing the HA configuration on each FortiGate, connect the heartbeat interfaces to each other. The units then start synchronizing their settings and form the cluster.

After connecting the heartbeat interfaces, the console of FortiGate#2 shows logs similar to the following.

HA status check
You can check the HA status with the get system ha status command.
FortiGate01 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 1:2:12
Cluster state change time: 2022-09-17 22:20:25
Primary selected using:
<2022/09/17 22:20:25> FGVMEV5APNY5IC15 is selected as the primary because its uptime is larger than peer member FGVMEV0VSUGHWQA5.
<2022/09/17 21:40:58> FGVMEV5APNY5IC15 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FGVMEV5APNY5IC15(updated 1 seconds ago): in-sync
FGVMEV0VSUGHWQA5(updated 3 seconds ago): in-sync
System Usage stats:
FGVMEV5APNY5IC15(updated 1 seconds ago):
sessions=3, average-cpu-user/nice/system/idle=2%/0%/1%/97%, memory=42%
FGVMEV0VSUGHWQA5(updated 3 seconds ago):
sessions=3, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=42%
HBDEV stats:
FGVMEV5APNY5IC15(updated 1 seconds ago):
port9: physical/10000full, up, rx-bytes/packets/dropped/errors=3020303/6860/0/0, tx=8344329/18669/0/0
port10: physical/10000full, up, rx-bytes/packets/dropped/errors=3503090/9311/0/0, tx=9520825/21133/0/0
FGVMEV0VSUGHWQA5(updated 3 seconds ago):
port9: physical/10000full, up, rx-bytes/packets/dropped/errors=8339985/18675/0/0, tx=3013425/6821/0/0
port10: physical/10000full, up, rx-bytes/packets/dropped/errors=9516537/21139/0/0, tx=3495318/9271/0/0
MONDEV stats:
FGVMEV5APNY5IC15(updated 1 seconds ago):
port1: physical/10000full, up, rx-bytes/packets/dropped/errors=16422637/45849/0/0, tx=12372041/17271/0/0
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=206254/485/0/0, tx=1206/20/0/0
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=198655/1156/0/0, tx=5346/66/0/0
FGVMEV0VSUGHWQA5(updated 3 seconds ago):
port1: physical/10000full, up, rx-bytes/packets/dropped/errors=11258129/34482/0/0, tx=6262011/9050/0/0
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=72326/198/0/0, tx=180/2/0/0
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=104983/744/0/0, tx=3330/37/0/0
Primary : FortiGate01 , FGVMEV5APNY5IC15, HA cluster index = 0
Secondary : FortiGate02 , FGVMEV0VSUGHWQA5, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGVMEV5APNY5IC15, HA operating index = 0
Secondary: FGVMEV0VSUGHWQA5, HA operating index = 1
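The fields worth watching in this output are the health status, the per-member configuration sync state, the link state of the heartbeat and monitored interfaces, and which unit holds the Primary role. The following is an added example (not code from the page or from Fortinet) that parses those fields and reports findings, for use in a monitoring job that collects the command output over SSH. The healthy sample is abridged from the output shown above; the degraded sample is constructed to show what a lost heartbeat link and an out-of-sync member look like.

```python
import re

# Abridged from the "get system ha status" output on this page (healthy cluster).
HEALTHY_SAMPLE = """\
HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
override: disable
Configuration Status:
    FGVMEV5APNY5IC15(updated 1 seconds ago): in-sync
    FGVMEV0VSUGHWQA5(updated 3 seconds ago): in-sync
HBDEV stats:
    FGVMEV5APNY5IC15(updated 1 seconds ago):
        port9: physical/10000full, up, rx-bytes/packets/dropped/errors=3020303/6860/0/0, tx=8344329/18669/0/0
        port10: physical/10000full, up, rx-bytes/packets/dropped/errors=3503090/9311/0/0, tx=9520825/21133/0/0
    FGVMEV0VSUGHWQA5(updated 3 seconds ago):
        port9: physical/10000full, up, rx-bytes/packets/dropped/errors=8339985/18675/0/0, tx=3013425/6821/0/0
        port10: physical/10000full, up, rx-bytes/packets/dropped/errors=9516537/21139/0/0, tx=3495318/9271/0/0
MONDEV stats:
    FGVMEV5APNY5IC15(updated 1 seconds ago):
        port1: physical/10000full, up, rx-bytes/packets/dropped/errors=16422637/45849/0/0, tx=12372041/17271/0/0
    FGVMEV0VSUGHWQA5(updated 3 seconds ago):
        port1: physical/10000full, up, rx-bytes/packets/dropped/errors=11258129/34482/0/0, tx=6262011/9050/0/0
Primary : FortiGate01 , FGVMEV5APNY5IC15, HA cluster index = 0
Secondary : FortiGate02 , FGVMEV0VSUGHWQA5, HA cluster index = 1
"""

# Constructed (not from the page): one heartbeat link down, secondary out of sync.
DEGRADED_SAMPLE = """\
HA Health Status: OK
Mode: HA A-P
override: disable
Configuration Status:
    FGVMEV5APNY5IC15(updated 1 seconds ago): in-sync
    FGVMEV0VSUGHWQA5(updated 2 seconds ago): out-of-sync
HBDEV stats:
    FGVMEV5APNY5IC15(updated 1 seconds ago):
        port9: physical/10000full, up, rx-bytes/packets/dropped/errors=100/10/0/0, tx=100/10/0/0
        port10: physical/10000full, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Primary : FortiGate01 , FGVMEV5APNY5IC15, HA cluster index = 0
Secondary : FortiGate02 , FGVMEV0VSUGHWQA5, HA cluster index = 1
"""

SECTION_RE = re.compile(r"^(Configuration Status|System Usage stats|HBDEV stats|MONDEV stats):$")
MEMBER_RE = re.compile(r"^([A-Z0-9]+)\(updated \d+ seconds ago\):\s*(.*)$")
PORT_RE = re.compile(r"^(\w+): physical/\S+, (up|down),")
ROLE_RE = re.compile(r"^(Primary|Secondary)\s*:\s*(\S+)\s*,\s*([A-Z0-9]+)\s*,\s*HA cluster index")
STATS = {"HBDEV stats": "hbdev", "MONDEV stats": "mondev"}


def parse_ha_status(text):
    """Extract health, sync state, interface link state and roles from the command output."""
    st = {"health": None, "mode": None, "override": None,
          "config": {}, "hbdev": {}, "mondev": {}, "roles": {}}
    section = member = None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate the indentation the real CLI prints
        if not line:
            continue
        for key, prefix in (("health", "HA Health Status:"), ("mode", "Mode:"), ("override", "override:")):
            if line.startswith(prefix):
                st[key] = line[len(prefix):].strip()
        if m := SECTION_RE.match(line):
            section, member = m.group(1), None
        elif m := ROLE_RE.match(line):
            st["roles"][m.group(1).lower()] = {"hostname": m.group(2), "serial": m.group(3)}
        elif m := MEMBER_RE.match(line):
            member = m.group(1)
            if section == "Configuration Status":
                st["config"][member] = m.group(2)   # "in-sync" or "out-of-sync"
            elif section in STATS:
                st[STATS[section]].setdefault(member, {})
        elif (m := PORT_RE.match(line)) and member and section in STATS:
            st[STATS[section]][member][m.group(1)] = m.group(2)
    return st


def ha_problems(st, expected_members=2):
    """Return a list of findings; an empty list means the cluster looks healthy."""
    problems = []
    if st["health"] != "OK":
        problems.append(f"HA health status is {st['health']!r}")
    if len(st["config"]) < expected_members:
        problems.append(f"only {len(st['config'])} of {expected_members} members reporting")
    for serial, state in st["config"].items():
        if state != "in-sync":
            problems.append(f"{serial} configuration is {state}")
    for kind, label in (("hbdev", "heartbeat"), ("mondev", "monitored")):
        for serial, ports in st[kind].items():
            down = [p for p, s in ports.items() if s != "up"]
            if down:
                problems.append(f"{serial} {label} interface(s) down: {', '.join(down)}")
    if "primary" not in st["roles"]:
        problems.append("no primary unit elected")
    return problems


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_SAMPLE), ("degraded", DEGRADED_SAMPLE)):
        print(name, ha_problems(parse_ha_status(sample)) or "OK")
```

A single lost heartbeat link does not change the health status line, which is why the check inspects HBDEV stats per port rather than trusting "HA Health Status: OK" alone; with both heartbeat links down the units would each believe they are alone and a split-brain is the likely result.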
Reset HA Uptime
The diagnose sys ha reset-uptime command resets the HA uptime of the unit on which you run it.
This can be used to switch the Master unit manually when set override disable is in effect: run it on the current Master so that the other unit's HA uptime is larger by more than the 5-minute margin and it is elected Master. It only has this effect if both units have the same number of monitor interfaces up, since that criterion is checked first.
Comments
Do both devices need the same configuration, or else, if I configure any one device, will the configuration synchronize to the other device? Is it possible or not?