Technical Tip: How to add a new FortiGate unit to an existing HA cluster
Description
This article describes what steps are required to add a new FortiGate unit to an existing HA cluster and make it become a Subordinate (secondary) unit.
To add a new unit to the cluster, the following criteria must be met:
The same licenses have been validated (power on the unit, connect it to the internet, and verify the licenses).
Running the same firmware version as the existing unit.
The same hardware configuration (for the same model units with different hardware capabilities).
Scope
FortiGate.
Solution
Before adding a new unit to an existing HA cluster, check the HA settings on the Primary unit with the following command:
show system ha
config system ha
   set group-name "FGT-HA-Floor1"
   set mode a-p
   set password <password>               <----- See note below.
   set hbdev "port9" 0
   set override disable
   set monitor "port9"
end
Notes:
The password value does not appear in the configuration output. If the original password has been forgotten, modify it on the Primary unit beforehand.
The command 'show system ha' will display the HA parameters that have been configured and differ from the default values. To see all HA settings, use the command 'get system ha'.
On a factory default secondary unit, leave all the network cables disconnected and execute the following on the CLI (Basic HA parameters – match the settings of the Primary):
config system ha
   set group-id                        <----- By default '0', but MUST be changed if multiple clusters are in the network.
   set group-name
   set hbdev ha1 50 (port1 100)         <----- heartbeat interface(s) and associated priorities.
   set password                         <----- Matching the one on Primary unit (must be in plain text, do not copy/paste a hashed one).
   set priority                        <----- Secondary should have a lower priority.
   set mode a-a                         <----- Or a-p, according to the needs.
   set override disable                 <---- To make sure this unit does not wipe the config in Primary.
   set monitor "port9"                  <----- To match monitored interface configuration on the Primary.
end
From the Web-Based Manager (GUI), the configuration is accessible from System -> HA. Choose the Mode that was configured on the Primary of the HA cluster, either Active-Active or Active-Passive, and select 'OK'.

Connect the console to the replacement/new unit to configure HA with the same settings as the Primary:
config system ha
According to the example output above, the settings on the secondary would be as follows:
config system ha
   set group-name "FGT-HA-Floor1"
   set mode a-p
   set password <password>
   set hbdev "port9" 0
   set override disable
   set monitor "port9"
end
New unit priority parameter:
The priority parameter is very important as a unit with a higher priority may become the Primary unit when inserted in the cluster.
If the newly inserted unit must stay as Subordinate (secondary), set its priority to a lower value than the primary, as per the example below:
config system ha
    set priority 64
end
Note:
The priority concept only applies when override is enabled on both units. If override is disabled, the system relies on the reset uptime instead. For more information, see this article: Technical Tip: Changing HA role in cluster.
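A pre-join check for the settings described above, as an added example (not Fortinet code): it parses saved 'show system ha' output from both units and lists what to fix on the new unit before it is cabled in. The priority default of 128 and override default of disable are assumptions about FortiOS, and PRIMARY and NEW_UNIT are constructed sample input based on the article's example values.

```python
# Added example: compare HA settings before cabling a new unit (not Fortinet code).
MUST_MATCH = ("group-id", "group-name", "mode", "hbdev", "monitor", "override")
# group-id default is from the article; priority 128 and override disable are
# assumed FortiOS defaults for settings absent from the output.
DEFAULTS = {"group-id": "0", "priority": "128", "override": "disable"}

def parse_ha(text):
    """Return {setting: value} from a 'config system ha' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()      # drop '<-----' annotations
        if line == "config system ha":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:                 # skip settings with no value
                settings[parts[1]] = " ".join(parts[2].replace('"', "").split())
    return settings

def check_join(primary_text, new_text):
    """List the problems to fix on the new unit before it joins the cluster."""
    pri, new = parse_ha(primary_text), parse_ha(new_text)
    get = lambda cfg, key: cfg.get(key, DEFAULTS.get(key))
    problems = [f"{k}: primary={get(pri, k)!r} new={get(new, k)!r}"
                for k in MUST_MATCH if get(pri, k) != get(new, k)]
    if "password" in pri and "password" not in new:
        problems.append("password: set on primary, missing on new unit")
    if int(get(new, "priority")) >= int(get(pri, "priority")):
        problems.append("priority: new unit is not lower than primary")
    if get(new, "override") != "disable":
        problems.append("override: must be 'disable' on the new unit")
    return problems

# Constructed sample input, based on the article's example values.
PRIMARY = """config system ha
    set group-name "FGT-HA-Floor1"
    set mode a-p
    set password <password>
    set hbdev "port9" 0
    set override disable
    set monitor "port9"
end"""
NEW_UNIT = PRIMARY.replace("a-p", "a-a")        # wrong mode, default priority

if __name__ == "__main__":
    for problem in check_join(PRIMARY, NEW_UNIT):
        print("FIX:", problem)
```

The password can only be checked for presence, since the value is not shown in the output; confirm it by re-entering it in plain text on the new unit.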
Insert the new device in the cluster:
Shut down the new unit.
Physically insert the new unit in the network.
Power on the new unit: it will synchronize the configuration with the Primary unit.
The sync time will depend on the size of the config.
It is also important to make sure that only the Heartbeat interface(s) are connected on the new device until the cluster is in sync, to avoid any failover due to the monitored interfaces.
For more details regarding the election process, refer to HA primary unit selection criteria.
Related articles:
Technical Tip: How to access secondary unit of HA cluster via CLI
Technical Tip: How to add or replace a unit in High Availability (HA) cluster