This article sets up high availability (HA) on two FortiGate units via the web GUI. Once HA is running, you only change settings on the MASTER unit; they are synchronised to the slave unit automatically.
Before you begin, you should prepare:
- TWO FortiGate firewalls with the SAME hardware (CPU/RAM).
- TWO FortiGate firewalls with the SAME firmware version.
- TWO FortiGate firewalls of the SAME model.
- Set every interface to a static (manual) address; make sure none of them uses DHCP or PPPoE.
Now, we can begin!
Warning: BACK UP the configuration of both units before you change any setting.
Understand the three HA modes on a FortiGate firewall.
Standalone
A single unit working on its own, without any high availability.
Active-Active HA mode
Unit A and unit B both process traffic at the same time (load balancing across the cluster).
Active-Passive HA mode
Unit A processes traffic while unit B stands by as backup. When unit A fails, its sessions are taken over by unit B (failover).
The steps for building HA on a FortiGate:
- Master unit config
- Slave unit config
- Check the HA status and cluster group
Problems and solutions:
- Check hardware information
- Hard disk error while the slave syncs with the master
- Separate the internal switch ports into individual interfaces
Master Firewall Config.
First, connect the BLUE cable as shown in the following image.
DO NOT CONNECT THE RED ONE yet.
Now log in to the MASTER unit.
I recommend changing the hostname before you start; it makes it much easier to tell the two units apart.
Next, go to the HA settings panel and complete the settings below:
1. Mode: select Active-Active or Active-Passive.
2. Sequence (device priority): give the MASTER unit a higher number than the slave (e.g. 200).
3. Group name/password: set a group name and password for the cluster. You will enter the same values on the slave unit.
4. Enable Session Sync: enable this so active sessions are synchronised from the master to the backup unit; without it, existing sessions are dropped on failover. (You should enable this.)
- Monitor: tick the interface you use for the internet connection; if it goes down, the cluster fails over.
- Heartbeat: enable at least TWO heartbeat interfaces for a stable cluster.
- Sequence: the unit with the higher value is preferred as master and takes over the sessions when the other unit fails.
After the configuration is done, we set up the slave unit.
Slave Firewall Config.
As with the master, give this unit a unique hostname.
Next, go to the HA settings panel and complete the settings below:
1. Mode: THE SAME SETTING AS THE MASTER
2. Sequence: give the SLAVE unit a lower number than the master (e.g. 150).
3. Group name/password: THE SAME SETTING AS THE MASTER
4. Enable Session Sync: THE SAME SETTING AS THE MASTER
- Monitor: THE SAME SETTING AS THE MASTER
- Heartbeat: THE SAME SETTING AS THE MASTER
- Sequence: THE SAME SETTING AS THE MASTER
After the configuration is done, connect the RED cable, which is the heartbeat cable.
Check the status of the cluster group to make sure the master and slave roles are correct.
The system now synchronises the two units: the slave pulls the configuration from the master. If you are connected via the console port, you will see messages like the following.
slave is not in sync with master, sequence:0. (type 0x3)
slave is not in sync with master, sequence:1. (type 0x3)
slave is not in sync with master, sequence:2. (type 0x3)
slave is not in sync with master, sequence:3. (type 0x3)
slave is not in sync with master, sequence:4. (type 0x3)
slave starts to sync with master
slave succeeded to sync with master

slave's configuration is not in sync with master's, sequence:0
slave's configuration is not in sync with master's, sequence:1
slave's configuration is not in sync with master's, sequence:2
slave's configuration is not in sync with master's, sequence:3
slave's configuration is not in sync with master's, sequence:4
slave starts to sync with master
logout all admin users
slave succeeded to sync with master
After these two stages, when you see "logout all admin users" and "slave succeeded to sync with master", HA has been set up successfully. The HA indicator on the front panel lights up.
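The same master and slave settings entered on the CLI console, as an added example that is not part of the original article. It assumes the interface names "wan1" (the monitored internet link), "wan2" and "dmz" (the two heartbeat links), the hostnames and the group name/password; substitute your own. Everything except the hostname and the priority must be identical on both units.

```fortios
# --- MASTER unit (configure this one first) ---
config system global
    set hostname FGT-MASTER              # assumed hostname, unique per unit
end
config system ha
    set mode a-p                         # a-p = Active-Passive, a-a = Active-Active
    set group-name "HA-GROUP"            # assumed; must match on both units
    set password "ChangeMe-HA-Secret"    # assumed; must match on both units
    set priority 200                     # "Sequence" in the GUI steps: higher = preferred master
    set override disable                 # the running master stays master after the failed unit returns
    set session-pickup enable            # "Enable Session Sync": carry sessions over on failover
    set hbdev "wan2" 50 "dmz" 100        # two heartbeat interfaces (assumed names) with their priorities
    set monitor "wan1"                   # fail over if the monitored internet interface goes down
end

# --- SLAVE unit: same settings, different hostname and lower priority ---
config system global
    set hostname FGT-SLAVE
end
config system ha
    set mode a-p
    set group-name "HA-GROUP"
    set password "ChangeMe-HA-Secret"
    set priority 150
    set override disable
    set session-pickup enable
    set hbdev "wan2" 50 "dmz" 100
    set monitor "wan1"
end

# --- After connecting the heartbeat cable, verify on either unit ---
get system ha status                     # lists the cluster members, their roles and sync state
```

Keep override disabled unless you really need the higher-priority unit to take the master role back as soon as it returns; with it disabled the priority only decides the roles when the cluster forms, so a recovered unit does not trigger a second failover.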
Problem and Solution
The slave console shows "different hard disk status" and "the box is down".
This occurs when the two units have a different hard disk state, typically because the log disk on one of them is not formatted.
First, open the CLI console in the web GUI and check the hardware status:
get hardware status
If the log disk shows "not available" or "need format", format it with the following command. Note that this erases all logs stored on that disk.
execute formatlogdisk
Separate internal interface.
The FortiGate 60C has five internal ports on one hardware switch. We can split them from the single internal interface into separate interfaces.
First, remove every setting that references the internal interface (firewall policies, DHCP server, addresses, static routes), because the switch mode cannot be changed while the interface is still in use.
Next, open the CLI console in the web GUI and enter the following commands:
config system global
    set internal-switch-mode interface
end
After this, restart the unit from the CLI console. The setting takes effect after the restart.
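The full sequence on the CLI console, as an added example that is not part of the original article: find what still references the internal switch, remove it, change the mode and reboot. The DHCP server ID and firewall policy ID below are assumptions for illustration; check your own configuration for every object that uses "internal".

```fortios
# 1. Find what still references the internal interface.
show system dhcp server              # look for: set interface "internal"
show firewall policy                 # look for: set srcintf "internal" / set dstintf "internal"
show system interface internal       # the address configured on the switch interface itself

# 2. Remove or move those references (assumed IDs).
config system dhcp server
    delete 1                         # assumed: DHCP server 1 was bound to "internal"
end
config firewall policy
    delete 1                         # assumed: policy 1 used "internal" as srcintf
end

# 3. Change the switch mode; it only takes effect after a reboot, after which
#    the five ports appear as internal1 .. internal5 and can be configured individually.
config system global
    set internal-switch-mode interface
end
execute reboot
```

Recreate the policies, DHCP scope and addresses against the individual internal1 to internal5 interfaces after the unit comes back up; the old objects bound to "internal" are gone.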