Configure FortiGate fault tolerance

This subsection describes how to configure a firewall cluster consisting of a primary unit and a secondary unit. The units are physically linked by heartbeat connections, over which the configuration is synchronized and failed units are detected; FortiGate units joined in this way form a High Availability (HA) cluster.

There are two HA modes:

  • Active-Passive: only the primary FortiGate unit processes traffic. The secondary unit stays in passive mode and monitors the state of the primary. If a problem is detected on the primary unit, the secondary unit takes over the primary role. This event is called an HA failover;
  • Active-Active: all FortiGate units in the cluster process traffic. The primary unit additionally distributes a share of the sessions among the secondary units.

The HA mode of operation defines:

  • what is synchronized between the units;
  • whether all FortiGate units process traffic;
  • whether HA improves availability or throughput.

This feature may be useful to users for whom high availability of their service is important.

To configure an HA cluster on the firewall you need:

  • a configured external interface through which the devices are connected;
  • an internal network;
  • access to the FortiGate web interface.

In both HA modes the configuration of the secondary FortiGate unit is synchronized with the configuration of the primary unit. In addition, if a problem is detected on the primary unit, the secondary unit takes over the primary role and handles the traffic.

Requirements for HA

  1. A cluster can have 2 to 4 FortiGate units, all with the same:

    • firmware version;
    • hardware model and license. If one FortiGate unit has a lower licensing level than the other units in the cluster, all units in the cluster operate at that lower licensing level;
    • hard disk capacity and partitioning;
    • operating mode (transparent or NAT).
  2. There must be at least one heartbeat connection between the FortiGate units. Up to eight heartbeat interfaces can be configured for redundancy; if one connection fails, HA uses the next one by heartbeat priority and position.

  3. The same interfaces on each FortiGate unit must be connected to the same switch or LAN segment.

Create a cluster of FortiGate units

To create a cluster of FortiGate units, order the required number of firewalls of the same model in a single pool.

If you already use a FortiGate firewall in Selectel, you can also join it with the new one. To do this, create a ticket and specify which devices (neXX numbers) you want to join into a High Availability (HA) cluster.

By default, two heartbeat connections are created between the devices. If you need a different number, specify in the ticket how many heartbeat connections to create between the devices.

Once the firewalls are ordered and connected, the ticket reply will contain the access details for the firewalls.

After the cluster has been cabled, you will receive a notification in the ticket that the connections between the firewalls are in place. You can then begin configuration.

Configure the cluster

  1. Go to System > HA.
  2. By default, Mode is set to Standalone. In the Mode drop-down, select Active-Active or Active-Passive.
  3. Fill in the parameters that appear.
  4. Device priority: default 128, range 0 to 255. The unit with the higher value is preferred when priority is compared during primary (master) selection. With Override disabled (the default), the number of connected monitored interfaces and the unit age are compared before priority, so priority alone does not guarantee which unit becomes primary.
  5. Group name: the name of the cluster group, in this case Test_cluster. Units with different group names or passwords do not form a cluster.
  6. Add the interfaces that are physically linked between the devices to Heartbeat interfaces by pressing + and selecting them in the right pane of the pop-up window. Use dedicated ports, not the interfaces that carry production traffic.
  7. With the exception of Device priority, these settings must be identical on all FortiGate units in the cluster.
  8. Press the OK button.

The FortiGate then negotiates the creation of the HA cluster. Connectivity to the FortiGate may be lost temporarily while the cluster negotiates and the FGCP (FortiGate Clustering Protocol) replaces the MAC addresses of the FortiGate interfaces with virtual MAC addresses.

Repeat the steps on the other device.

The result is a cluster of two FortiGate units, shown on the System > HA tab.
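The same cluster settings entered from the CLI, as an added example that is not from the original page or from Selectel or Fortinet documentation. The port names (port3 and port4 as heartbeat ports, port1 and port2 as monitored traffic ports) and the password placeholder are assumptions for this example; the block is applied on each member, changing only the priority value.

```fortios
config system ha
    # a-p = Active-Passive; use a-a for Active-Active. Must match on every member.
    set mode a-p
    # Group name and password identify the cluster; both must be identical on all members.
    set group-name "Test_cluster"
    set password <cluster-password>
    # Dedicated heartbeat ports (assumed names) with their heartbeat priority (0-512).
    # Up to eight ports may be listed; the next one takes over if the first link fails.
    set hbdev "port3" 50 "port4" 50
    # The only value that may differ between members: 0-255, default 128.
    set priority 128
    # Keep override disabled so a recovered unit does not pre-empt a healthy primary.
    set override disable
    # Optional: fail over when a monitored traffic port (assumed names) loses link.
    set monitor "port1" "port2"
    # Optional: carry established TCP sessions across a failover.
    set session-pickup enable
end
```

Enter the block on the first unit, wait for the FGCP negotiation to finish (the management connection drops briefly while the virtual MAC addresses are assigned), then enter it on the second unit with only `set priority` changed if you want a preferred primary.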

Verify the cluster

Check the cluster synchronization status to ensure that the primary and secondary FortiGate units have the same configuration.

On the primary unit, run the diagnose sys ha checksum cluster command to display the configuration checksums of all cluster members:

#diagnose sys ha checksum cluster

If both cluster members report the same checksums, their configurations are synchronized. If the checksums differ, wait a moment and run the command again; synchronizing some parts of the configuration takes time.

Repeat until the checksums are identical. If they still differ after several minutes, run execute ha synchronize start on the secondary unit to force a full resynchronization from the primary.

To view the status of the units in the HA cluster, including which unit is primary and why it was selected, use the command:

#get system ha status