oconnort
Staff
Article Id 194488
Description
This article describes the steps required to add a new FortiGate unit to an existing HA cluster and make it a Subordinate (slave) unit.

To add a new unit to the cluster, the new unit must meet the following criteria:
- The same licenses, validated (power on the unit, connect it to the internet, and verify the licenses).
- The same firmware version as the existing unit.
- The same hardware configuration (for units of the same model with different hardware capabilities).
Solution
1) Before adding a new unit to an existing HA cluster, check the HA settings on the Primary (Master) unit with the following command:
# show system ha
# config system ha
    set group-name "FGT-HA-Floor1"
    set mode a-p
    set password <password>                <----- SEE NOTE BELOW.
    set hbdev "port9" 0  
    set override disable
    set monitor "port9"
end
Notes:
- The password value does not appear in the configuration output. If you do not remember the original password, you can change it on the Primary (master) unit beforehand.
- The command "show system ha" displays only the HA parameters that have been configured and differ from the default values. To see all HA settings, use the command "get system ha".

2) On a factory default slave unit, leave all the network cables disconnected and execute the following on the CLI (Basic HA parameters – match the settings of the master):
# config system ha
    set group-id                           <----- by default '0', but MUST be changed if multiple clusters are in the network.
    set group-name
    set hbdev ha1 50 (port1 100)           <----- heartbeat interface(s) and associated priorities.
    set password                           <----- matching the one on Master unit [MUST be in plain text – do not copy/paste a hashed one].
    set priority                           <----- slave should have a lower priority.
    set mode a-a                           <----- or a-p, according to the needs.
    set override disable                   <----- to make sure this unit doesn’t wipe the config on the Master.
end
From the Web Based Manager (GUI), the configuration is accessible from System -> HA. Choose the Mode that was configured on the master of the HA cluster, either Active-Active or Active-Passive, and click 'OK':





3) Connect to the console of the replacement/new unit and configure HA with the same settings as the Primary:

# config system ha

Based on the sample output above, the settings on the slave would be:
# config system ha    
    set group-name "FGT-HA-Floor1"
    set mode a-p
    set password <password>
    set hbdev "port9" 0
    set override disable
    set monitor "port9"
end



4) New unit priority parameter:

The priority parameter is very important, because a unit with a higher priority may become the Primary unit when it is inserted in the cluster.
If the newly inserted unit must stay Subordinate (slave), set its priority to a lower value than that of the Primary (master), as in the example below:
config system ha
     set priority 64
end

5) Insert the new device in the cluster
- Shut down the new unit.
- Physically insert the new unit in the network.
- Power on the new unit --> it will synchronize the configuration with the Primary unit.
- The sync time depends on the size of the config.
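
A pre-join check for steps 1 to 4, run before the unit is cabled in at step 5. This is an added example, not part of the original article or of Fortinet's tooling: it compares the Primary's "show system ha" output with the settings planned for the new unit. The function names, the sample configs, the priority default of 128 and the "ENC " prefix for hashed passwords are assumptions.

```python
import shlex

# Step 2: these settings must match the Primary.
MUST_MATCH = ("group-id", "group-name", "mode", "hbdev")
# 'show' omits defaults: group-id 0 per the article; priority 128 is assumed.
DEFAULTS = {"group-id": "0", "priority": "128"}

def parse_ha(text):
    """Return {option: value} from the 'set' lines of a 'config system ha' block."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        words = shlex.split(line)
        if len(words) >= 2 and words[0] == "set":
            settings[words[1]] = " ".join(words[2:])
    return settings

def check_new_unit(primary_text, new_text):
    """List what to fix before the new unit is cabled into the cluster."""
    primary, new = parse_ha(primary_text), parse_ha(new_text)
    problems = [f"{k}: primary={primary.get(k)!r} new={new.get(k)!r}"
                for k in MUST_MATCH if primary.get(k) != new.get(k)]
    # Step 4: a unit with a higher priority may become the Primary.
    if int(new["priority"]) >= int(primary["priority"]):
        problems.append("priority: not lower than the primary")
    # Step 2: override must be disabled on the joining unit.
    if new.get("override") != "disable":
        problems.append("override: not set to disable")
    # Step 2: plain-text password. Assumption: hashes show an 'ENC ' prefix.
    password = new.get("password", "")
    if not password or password.startswith("ENC "):
        problems.append("password: missing or pasted as a hash")
    return problems

# Constructed sample input, modelled on the article's sample output.
PRIMARY = '''config system ha
    set group-name "FGT-HA-Floor1"
    set mode a-p
    set password <password>
    set hbdev "port9" 0
    set override disable
    set monitor "port9"
end'''
NEW_GOOD = PRIMARY.replace("end", "    set priority 64\nend")
NEW_BAD = '''config system ha
    set group-name "FGT-HA-Floor2"
    set password ENC Q29uc3RydWN0ZWQ=
    set hbdev "port9" 0
    set priority 200
end'''
```

An empty list from check_new_unit(PRIMARY, NEW_GOOD) means the planned settings are consistent with the steps above; NEW_BAD is reported for group-name, mode, priority, override and password.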

