Skip to main content

Set up FortiGate high availability

Last update:

This instruction describes how to configure a firewall cluster consisting of a primary device and an additional one. The devices must be physically linked to ensure synchronization (this is also used to detect failed devices), meaning the FortiGate devices form a High Availability (HA) cluster.

There are two HA modes:

  • Active-Passive is an HA mode where the primary FortiGate is the only FortiGate device actively processing traffic. The secondary FortiGate device remains in passive mode, monitoring the primary device's status. If an issue is detected in the primary FortiGate, one of the additional devices takes on the primary role. This event is called an HA failover;
  • Active-Active is an HA mode where all FortiGate devices process traffic. One of the primary FortiGate's tasks in this mode is to balance a portion of traffic between all additional devices.

HA operation modes determine:

  • what is synchronized between devices;
  • whether all FortiGate devices process traffic;
  • whether HA increases availability or throughput.

This feature can be useful for users who need high service availability.

To create a VPN tunnel on a firewall, you need:

  • a configured external interface through which devices will connect;
  • an internal network;
  • access to the FortiGate web interface.

In either of the two HA operation modes, the configuration of secondary FortiGate devices is synchronized with the primary device configuration. Additionally, if an issue is detected in the primary device, one of the additional devices will assume the primary role to process traffic.

Requirements for HA

  1. A cluster can contain from 2 to 4 FortiGate devices with identical parameters:

    • firmware;
    • hardware model and license. If one of the FortiGate devices has a lower license level than other FortiGate devices in the cluster, then all FortiGate devices in the cluster will revert to this lower license level;
    • hard drive capacity and partitions;
    • operation mode (transparent or NAT).

  2. There must be at least one heartbeat connection between FortiGate devices. For redundancy, you can create up to eight heartbeat interfaces. If one connection fails, HA will use the next one according to its priority and position.

  3. Identical interfaces on each FortiGate device must be connected to the same switch or local network segment.

Create a FortiGate device cluster

To create a FortiGate device cluster, order the required number of firewalls of the same model in one pool.

If you already use a FortiGate firewall in Selectel, you can also combine it with a new one. To do this, create a ticket and specify which devices (neXX numbers) need to be combined into a High Availability (HA) cluster.

By default, two connections are created between devices. If you need a different quantity, specify the number of links to provide, that is, how many heartbeat connections to create between the devices.

After ordering the firewalls and their connections, information for accessing the firewalls will be provided in the ticket.

Once the cluster setup is complete, you will receive a notification in the response ticket that the switching between firewalls has been configured. You can then begin the setup.

Configure the cluster

The settings in this instruction are valid for FortiOS 6.x and 7.x versions. If you are using a different version of FortiOS, you can find the documentation for it in the FortiGate control panel in the upper right corner or on the official FortiGate website.

  1. Go to the SystemHA.
  2. In the window that opens, in the Mode parameter, select Active-Active or Active-Passive from the drop-down menu.
  3. By default, the FortiGate is set as Standalone.
  4. Fill in the parameters that appear.
  5. Device priority — 128 or higher. This parameter sets the device priority, which is used in selecting the primary device.
  6. Group name — the group name, in this case Test_cluster.
  7. Add the connecting device interfaces to Heartbeat interfaces by clicking + and selecting them on the right in the pop-up window.
  8. With the exception of device priority, these settings must be identical for all FortiGate devices in the cluster.
  9. Click the OK button.

FortiGate negotiates the creation of an HA cluster. Connection to FortiGate may be temporarily lost because the HA cluster performs synchronization and FGCP modifies the MAC addresses of the FortiGate interfaces.

Repeat the steps for the other device.

As a result, a cluster of two FortiGate devices will be formed, which will be displayed in the SystemHA tab

Test cluster health

Check the cluster synchronization status to ensure that the primary and secondary FortiGate devices have identical configurations.

In the primary device, use the diagnose sys ha checksum cluster command to display the device configuration checksums:

#diagnose sys ha checksum cluster

If both cluster members have identical checksums, you can be sure their configurations are synchronized. If the checksums differ, wait a while and enter the command again.

Repeat until the checksums are identical. Synchronizing certain parts of the configuration may take some time.

To view the device status in the HA cluster, use the command:

#get system ha status