Configure FortiGate fault tolerance
This subsection describes how to configure a firewall cluster consisting of a primary unit and a secondary unit. The units must be physically connected to ensure synchronization (also used for failover detection), which means the FortiGate units form a High Availability (HA) cluster.
There are two modes of HA:
- Active-Passive — HA mode in which the primary FortiGate unit is the only unit that actively processes traffic. The secondary FortiGate unit stays passive and monitors the status of the primary unit. If a problem is detected on the primary unit, one of the secondary units takes over the primary role. This event is called an HA failover;
- Active-Active — HA mode in which all FortiGate units process traffic. One of the primary FortiGate unit's tasks in this mode is to distribute a share of the traffic among all the other units.
HA modes of operation define:
- what is synchronized between the units;
- whether all FortiGate units process traffic;
- whether HA improves availability or throughput.
This feature may be useful to users for whom high availability of their service is important.
Creating a VPN tunnel on the firewall requires:
- a configured external interface through which the devices will be connected;
- an internal network;
- access to the FortiGate web interface.
In either HA mode, the secondary unit's configuration is synchronized with the primary unit's configuration. In addition, if a problem is detected on the primary unit, one of the secondary units assumes the primary role and takes over traffic processing.
Requirements for HA
- A cluster can have 2 to 4 FortiGate units with the same parameters:
  - firmware;
  - hardware model and license. If one FortiGate unit has a lower licensing level than the other units in the cluster, all units in the cluster revert to that lower licensing level;
  - hard disk capacity and partitions;
  - operating mode (transparent or NAT).
- There must be at least one heartbeat connection between the FortiGate units. Up to eight heartbeat interfaces can be configured for redundancy; if one connection fails, HA uses the next interface by priority and position.
- The same interfaces on each FortiGate unit must be connected to the same switch or LAN segment.
Create a cluster of FortiGate units
To create a cluster of FortiGate units order the required number of firewalls of the same model in the same pool.
If you are already using a FortiGate firewall in Selectel, you can also merge it with the new one. To do this, create a ticket and specify which devices (neXX numbers) you want to merge into a High Availability (HA) cluster.
By default, two connections are created between devices. If you need a different number, specify how many connections to provide, i.e. how many heartbeat connections to create between devices.
Once the firewalls are ordered and connected, the ticket will provide information to access the firewalls.
When the cluster organization is complete, a notification will come in the reply ticket that the switching between the firewalls has been done. You can then begin configuration.
Configure the cluster
- Go to System → HA.
- In the window that opens, select Active-Active or Active-Passive in the Mode drop-down menu.
- By default, the FortiGate is set to Standalone.
- Fill in the parameters that appear:
  - Device priority — 128 or higher. This parameter sets the unit's priority in the primary (master) unit election.
  - Group name — the cluster's group name, in this case Test_cluster.
  - Heartbeat interfaces — add the interfaces that link the devices by pressing + and selecting them on the right side of the pop-up window.
- With the exception of device priority, these settings must be the same on all FortiGates in the cluster.
- Press OK.
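The steps above are entered in the GUI, but the same cluster requirements and the "same on all units except priority" rule can be checked in advance. The following script is an added example, not Selectel's or Fortinet's code: it validates a planned cluster against the requirements listed on this page and renders the FortiOS CLI equivalent of the GUI parameters (the `config system ha` block). The unit records, their field names and the values are constructed for this example; only the rendered `config system ha` keys are real FortiOS attributes.

```python
# Added example (not Selectel's or Fortinet's code): validate a planned HA
# cluster against the requirements on this page before touching the units,
# then render the FortiOS CLI equivalent of the GUI steps. The unit records
# and their field names are constructed; only the "config system ha" keys in
# render_ha_cli() are real FortiOS attributes.

# Properties that must be identical on every member: the cluster
# requirements (firmware, model/license, disk, operating mode) plus the HA
# settings, which must match on all units except the device priority.
MUST_MATCH = ("firmware", "model", "license", "disk_gb", "op_mode",
              "ha_mode", "group_name", "hbdev")

# Constructed plan for a two-unit Active-Passive cluster named Test_cluster.
UNITS = [
    {"name": "fgt-1", "firmware": "v7.0.12", "model": "FG-100F",
     "license": "UTP", "disk_gb": 480, "op_mode": "nat",
     "ha_mode": "Active-Passive", "group_name": "Test_cluster",
     "hbdev": (("port3", 50), ("port4", 100)), "priority": 200},
    {"name": "fgt-2", "firmware": "v7.0.12", "model": "FG-100F",
     "license": "UTP", "disk_gb": 480, "op_mode": "nat",
     "ha_mode": "Active-Passive", "group_name": "Test_cluster",
     "hbdev": (("port3", 50), ("port4", 100)), "priority": 128},
]


def check_cluster(units):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not 2 <= len(units) <= 4:
        problems.append(f"cluster has {len(units)} units, expected 2 to 4")
    for u in units:
        if not 1 <= len(u["hbdev"]) <= 8:
            problems.append(f"{u['name']}: needs 1 to 8 heartbeat interfaces")
        if u["priority"] < 128:
            problems.append(f"{u['name']}: device priority below 128")
    for field in MUST_MATCH:
        values = {str(u[field]) for u in units}
        if len(values) > 1:
            problems.append(f"{field} differs across units: {sorted(values)}")
    return problems


def render_ha_cli(unit):
    """Render the 'config system ha' block matching the GUI parameters."""
    mode = {"Active-Passive": "a-p", "Active-Active": "a-a"}[unit["ha_mode"]]
    # hbdev takes interface/priority pairs: set hbdev "port3" 50 "port4" 100
    hbdev = " ".join(f'"{port}" {prio}' for port, prio in unit["hbdev"])
    return "\n".join([
        "config system ha",
        f'    set group-name "{unit["group_name"]}"',
        f"    set mode {mode}",
        f"    set hbdev {hbdev}",
        f"    set priority {unit['priority']}",
        "end",
    ])


if __name__ == "__main__":
    problems = check_cluster(UNITS)
    print("OK" if not problems else "\n".join(problems))
    for u in UNITS:
        print(f"--- {u['name']} ---")
        print(render_ha_cli(u))
```

Run the script with the real values of the ordered units filled in; any line it prints before the rendered blocks is a mismatch that would either prevent the cluster from forming or silently reduce it (for example to the lowest license level). The rendered block omits the cluster password, which should be set on the unit itself rather than kept in a planning file.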
The FortiGate unit negotiates the HA cluster. Communication with the FortiGate may be temporarily lost as the HA cluster performs negotiation and the FGCP changes the MAC addresses of the FortiGate interfaces.
Repeat the steps for the other device.
This results in a cluster of two FortiGate units, which is shown in the System → HA section.
Test cluster performance
Check the cluster synchronization status to make sure that the primary and secondary FortiGate units have the same configuration.
On the primary unit, run the following command to display the checksums of the members' configurations:
#diagnose sys ha checksum cluster
If both cluster members have the same checksums, you can be sure that their configurations are synchronized. If the checksums are different, wait a moment and enter the command again.
Repeat until the checksums are identical. Synchronizing some parts of the configuration may take some time.
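Comparing the checksum blocks by eye is error-prone on a four-member cluster with several VDOMs. The following parser is an added example, not Selectel's or Fortinet's code: it reads the output of `diagnose sys ha checksum cluster`, compares the `checksum` section of every member zone by zone, and repeats the check the way the text describes until the values agree. The output embedded below is constructed: the serial numbers are placeholders and the checksums are shortened to 8 bytes; the layout (a `====` header per member, a `debugzone` block and a `checksum` block with one line per zone) follows the real command.

```python
# Added example (not Selectel's or Fortinet's code): parse the output of
# "diagnose sys ha checksum cluster" and report which configuration zones
# still differ between members. The output below is constructed: the serial
# numbers are placeholders and the checksums are shortened to 8 bytes.
import re
import time

SAMPLE_IN_SYNC = """\
================== FGT-SERIAL-PRIMARY ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 5b 3a 91 0c 7e 44 12 f0
root: 1f 88 2c a4 0b 6e d9 3c
all: 8c 42 d1 0a 65 e7 3b 29
checksum
global: 5b 3a 91 0c 7e 44 12 f0
root: 1f 88 2c a4 0b 6e d9 3c
all: 8c 42 d1 0a 65 e7 3b 29
================== FGT-SERIAL-SECONDARY ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 5b 3a 91 0c 7e 44 12 f0
root: 1f 88 2c a4 0b 6e d9 3c
all: 8c 42 d1 0a 65 e7 3b 29
checksum
global: 5b 3a 91 0c 7e 44 12 f0
root: 1f 88 2c a4 0b 6e d9 3c
all: 8c 42 d1 0a 65 e7 3b 29
"""

# Same cluster, but the secondary unit's root VDOM has not synchronized yet.
_head, _sep, _tail = SAMPLE_IN_SYNC.partition("FGT-SERIAL-SECONDARY")
SAMPLE_DRIFT = _head + _sep + (
    _tail.replace("root: 1f 88 2c a4 0b 6e d9 3c", "root: ee ee ee ee ee ee ee ee")
         .replace("all: 8c 42 d1 0a 65 e7 3b 29", "all: dd dd dd dd dd dd dd dd")
)

HEADER = re.compile(r"^=+\s*(\S+)\s*=+$")        # "=== <serial> ==="
ZONE = re.compile(r"^(\w+):\s*([0-9a-f ]+)$")    # "<zone>: <hex bytes>"


def parse_checksums(output):
    """Map serial -> {zone: checksum}, reading only the 'checksum' section
    of each member (the 'debugzone' values are ignored)."""
    result, serial, in_checksum = {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            serial, in_checksum = m.group(1), False
            result[serial] = {}
            continue
        if line == "checksum":
            in_checksum = True
            continue
        if line == "debugzone":
            in_checksum = False
            continue
        m = ZONE.match(line)
        if m and in_checksum and serial:
            result[serial][m.group(1)] = m.group(2).replace(" ", "")
    return result


def out_of_sync_zones(checksums):
    """Return {zone: {serial: checksum}} for every zone whose value differs
    between members; an empty dict means the cluster is synchronized."""
    zones = set().union(*(z.keys() for z in checksums.values()))
    diff = {}
    for zone in sorted(zones):
        per_member = {s: c.get(zone) for s, c in checksums.items()}
        if len(set(per_member.values())) > 1:
            diff[zone] = per_member
    return diff


def wait_for_sync(fetch, attempts=5, delay=10.0):
    """Re-run the checksum command (fetch() returns its text) until every
    zone agrees or attempts are exhausted; returns the final mismatch dict."""
    diff = {}
    for i in range(attempts):
        diff = out_of_sync_zones(parse_checksums(fetch()))
        if not diff or i == attempts - 1:
            break
        time.sleep(delay)
    return diff


if __name__ == "__main__":
    outputs = iter([SAMPLE_DRIFT, SAMPLE_IN_SYNC])
    print(wait_for_sync(lambda: next(outputs), attempts=3, delay=0))  # {}
```

In practice `fetch` wraps whatever runs the command on the unit (an SSH session, or a REST call on a FortiOS version that exposes it); the parser is unchanged. A non-empty result after the last attempt is the condition under which the text tells you to wait and try again, and the dict shows exactly which zone, on which member, is still behind.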
To view the status of a device in an HA cluster, use the command:
#get system ha status