avilt
New Member
May 21, 2019
Question

Fortigate 200D HA Setup


I need to define a Fortigate200E HA pair (active/standby).

Except for mode, priority, group name/password, and heartbeat interfaces, do I need to define anything else on the backup firewall?

Do I need to define IPs for the heartbeat interfaces?


    ede_pfau
    SuperUser
    May 22, 2019

    config sys global
        set hostname xxx       # will not be replicated
    end

    config sys ha
        set group-id <some number != 0>    # recommended
        set monitor <wan1> <internal> ...  # port monitoring; cluster fails over if one of these is link-down
    end


    HA interfaces will get IP addresses from the FGT (169.254.x.x).


    Advice:

    Before forming the cluster, do not configure port monitoring. Do that after the cluster is up.


    If you already have one FGT fully configured, set "HA override=enable" on the configured one before attaching the secondary unit, so that you can be sure the primary config is mirrored, not the (nearly empty) config of the secondary. Remove this setting after the cluster has settled.

    avilt (Author)
    New Member
    May 22, 2019

    I have set up HA using the GUI. The firewall HA pair looks fine, but it doesn't process traffic. When I turn off the active unit, the standby doesn't take over and it freezes.

    It shows the roles as Master and Slave.

    Synchronization -> Master is green; Slave has a red X mark.

    What is wrong? I have followed the following procedure; only WAN1 & WAN2 are used, with HA and Port9 for heartbeat.


    https://cookbook.fortinet.com/high-availability-with-two-fortigates-video/


    Also, one more query. I have configured the inside and outside interfaces with IP addresses, connected to switches. MGMT is left at default and not connected to a switch. In this case, can I access both firewalls by directly connecting my laptop to the MGMT interface?

    ede_pfau
    SuperUser
    May 26, 2019

    No, the HA pair doesn't look fine; it's non-functional.

    Why are the HA ports orange and not green? What does a mouse-over tell you?


    Be sure all HA parameters except for "HA priority" are identical (group name, password, group-ID, port settings). Do not use port monitoring for now.

    All HA heartbeat ports are connected 1:1 (port 9 to port 9, for example), with straight-through cables.

    You need to have a green sync status, or the cluster has failed to form.


    You will see a lot of information if you connect a PC to the serial console port. Enter

        diag debug enable
        diag debug app haproxy -1

    to get HA diags.


    What will prevent cluster formation is:

    - using DHCP on any interface
    - using PPPoE on any interface
    - using different firmware versions (incl. patch level) on cluster members
    - widely different time settings on both members


    Rather than watching a (fast-paced) video, I prefer reading the recipe (or the corresponding chapter in the Admin Guide, to understand how HA clustering works): https://cookbook.fortinet.com/high-availability-two-fortigates/


    You can connect to a mgmt port to manage a FGT (as long as it has a static IP address, or offers DHCP). You need to allow HTTPS or SSH on that port. But routing will not work on a mgmt port.
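    As an added example (not part of the thread and not a Fortinet tool), the checklist from both replies above can be turned into a pre-flight script: it parses the `config system ha` and `config system interface` sections plus the `#config-version` header of a FortiOS config dump from each would-be member and reports the things the replies say will break cluster formation or sync (different firmware, non-identical HA parameters, group-id 0, override not enabled on the configured unit, port monitoring set too early, DHCP or PPPoE on an interface). The parser is a minimal one written for this example, and the two config dumps, their firmware strings, group name, hostnames and addresses are all constructed.

```python
# Added example, not a Fortinet tool: pre-flight comparison of two FortiOS config
# dumps ("show full-configuration" or a backup file) before forming an HA cluster.
# Both sample dumps below are constructed, including firmware strings and addresses.
import re
from typing import List

# HA settings that must be identical on both members. "priority" may differ, and
# "password" is stored per unit as an ENC hash, so a dump comparison cannot verify it.
HA_KEYS_MUST_MATCH = ("mode", "group-id", "group-name", "hbdev")
BLOCKING_IF_MODES = ("dhcp", "pppoe")  # interface modes that prevent cluster formation


def parse_fortios(text: str) -> dict:
    """Minimal line-oriented parser: firmware string, 'config system ha' settings
    and per-interface settings. Quotes are dropped so values compare cleanly."""
    cfg: dict = {"firmware": None, "ha": {}, "interfaces": {}}
    path: List[str] = []  # section stack, e.g. ["system interface", "wan1"]
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#config-version=([^:]+):", line)  # first line of a backup
        if m:
            cfg["firmware"] = m.group(1)  # e.g. FG200E-6.0.5-FW-build0268-190507
        elif line.startswith("config "):
            path.append(line[7:])
        elif line.startswith("edit "):
            path.append(line[5:].strip('"'))
        elif line in ("next", "end") and path:
            path.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            value = value.replace('"', "").strip()
            if path == ["system ha"]:
                cfg["ha"][key] = value
            elif len(path) == 2 and path[0] == "system interface":
                cfg["interfaces"].setdefault(path[1], {})[key] = value
    return cfg


def ha_preflight(configured_unit: str, joining_unit: str) -> List[str]:
    """Findings to fix before cabling the heartbeat links; [] means none found.
    Clock skew between members (also a blocker) is not visible in a config dump."""
    a, b = parse_fortios(configured_unit), parse_fortios(joining_unit)
    findings: List[str] = []
    if a["firmware"] != b["firmware"]:
        findings.append(f"firmware differs: {a['firmware']} vs {b['firmware']}")
    for key in HA_KEYS_MUST_MATCH:
        if a["ha"].get(key) != b["ha"].get(key):
            findings.append(f"ha {key} differs: {a['ha'].get(key)!r} vs {b['ha'].get(key)!r}")
    if a["ha"].get("group-id", "0") == "0":
        findings.append("group-id is 0; set a non-zero group-id")
    if any(c["ha"].get("monitor", "").strip("' ") for c in (a, b)):
        findings.append("port monitoring is set; enable it only after the cluster is up")
    if a["ha"].get("override") != "enable":
        findings.append("override is not enabled on the configured unit; its config may not win the sync")
    for label, c in (("configured", a), ("joining", b)):
        for name, s in c["interfaces"].items():
            if s.get("mode") in BLOCKING_IF_MODES:
                findings.append(f"{label} unit: interface {name} uses {s['mode']}, which blocks cluster formation")
    return findings


# Constructed dump of the already-configured unit (the one whose config should win).
CONFIGURED_UNIT = """\
#config-version=FG200E-6.0.5-FW-build0268-190507:opmode=0:vdom=0:user=admin
config system ha
    set group-id 7
    set group-name "hq-cluster"
    set mode a-p
    set password ENC PLACEHOLDER_HASH
    set hbdev "ha" 50 "port9" 50
    set override enable
    set priority 200
end
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.2 255.255.255.0
    next
end
"""

# Constructed dump of the joining unit with three deliberate problems: older patch
# level, DHCP on wan1, and port monitoring set before the cluster exists.
JOINING_UNIT = """\
#config-version=FG200E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config system ha
    set group-id 7
    set group-name "hq-cluster"
    set mode a-p
    set password ENC PLACEHOLDER_HASH
    set hbdev "ha" 50 "port9" 50
    set priority 100
    set monitor "wan1" "wan2"
end
config system interface
    edit "wan1"
        set mode dhcp
    next
end
"""

if __name__ == "__main__":
    for finding in ha_preflight(CONFIGURED_UNIT, JOINING_UNIT):
        print("-", finding)
```

    Run it against dumps taken from both units before connecting the heartbeat ports; an empty result does not prove the cluster will form (the password and the clocks are not checked), but a non-empty one means it will not.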