Description
This article describes what steps are required to add a new FortiGate unit to existing HA cluster and make it become a Subordinate (secondary) unit.
To add a new unit to the cluster the following criteria must be met:
- The same licenses and validated (power on, and connect the unit to the internet, verify licenses).
- Running the same firmware version as the existing unit.
- The same hardware configuration (for same model units with different hardware capabilities).
Scope
FortiGate.
Solution
- Before adding a new unit to an existing HA cluster, check the HA settings on the Primary unit with the following command:
show system ha
config system ha
set group-name "FGT-HA-Floor1"
set mode a-p
set password <password> <----- See note below.
set hbdev "port9" 0
set override disable
set monitor "port9"
end
Notes:
- The Password value does not appear in the configuration output. If the original password has been forgotten, modify it on the Primary unit before.
- The command 'show system ha' will display the HA parameters that have been configured and differ from the default values. To see all HA settings, use the command 'get system ha'.
- On a factory default secondary unit, leave all the network cables disconnected and execute the following on the CLI (Basic HA parameters – match the settings of the Primary):
config system ha
set group-id <----- by default '0', but MUST be changed if multiple clusters are in the network.
set group-name
set hbdev ha1 50 (port1 100) <----- heartbeat interface(s) and associated priorities.
set password <----- matching the one on Primary unit (must be in plain text, do not copy/paste a hashed one).
set priority <----- secondary should have a lower priority.
set mode a-a <----- or a-p, according to the needs.
set override disable <---- to make sure this unit doesn’t wipe the config in Primary.
set monitor "port9" <---- to match monitored interface configuration Primary.
end
From the Web Based Manager (GUI), the configuration is accessible from System -> HA, here choose the Mode that was configured on the primary of the HA cluster, either Active-Active or Active-Passive, and select 'OK':
- Connect the console to the replacement/new unit to configure HA with the same settings as the Primary:
config system ha
According to the example output above, the settings on the secondary would be as follows:
config system ha
set group-name "FGT-HA-Floor1"
set mode a-p
set password <password>
set hbdev "port9" 0
set override disable
set monitor "port9"
end
set group-name "FGT-HA-Floor1"
set mode a-p
set password <password>
set hbdev "port9" 0
set override disable
set monitor "port9"
end
- New unit priority parameter:
If the newly inserted unit must stay as Subordinate (secondary), set its priority to a lower value than the primary, as per the example below:
config system ha
set priority 64
end
set priority 64
end
Insert the new device in the cluster:
- Shut down the new unit.
- Physically insert the new unit in the network.
- Power on the new unit: it will synchronize the configuration with the Primary unit.
- The sync time will depend on the size of the config.
