Description
This article describes what steps are required to add a new FortiGate unit to existing HA cluster and make it become a Subordinate (slave) unit.
To add a new unit to the cluster the following criteria must be met:
- same licenses and validated (power on, and connect the unit to the internet, verify licenses).
- running the same firmware version as the existing unit.
- same hardware configuration (for same model units with different hardware capabilities).
Solution
1) Before adding a new unit to an existing a HA cluster, check the HA settings on the Primary (Master) unit with the following command:
- The Password value does not appear in configuration output. If you don't remember the original password, you can modify it on the Primary (master) unit before.
- The command "show system ha" will display the HA parameters that have been configured and differing from the default values. In order to see all HA settings, use the command "get system ha"
2) On a factory default slave unit, leave all the network cables disconnected and execute the following on the CLI (Basic HA parameters – match the settings of the master):
This article describes what steps are required to add a new FortiGate unit to existing HA cluster and make it become a Subordinate (slave) unit.
To add a new unit to the cluster the following criteria must be met:
- same licenses and validated (power on, and connect the unit to the internet, verify licenses).
- running the same firmware version as the existing unit.
- same hardware configuration (for same model units with different hardware capabilities).
Solution
1) Before adding a new unit to an existing a HA cluster, check the HA settings on the Primary (Master) unit with the following command:
# show system haNotes :
# config system ha
set group-name "FGT-HA-Floor1"
set mode a-p
set password <password> <----- SEE NOTE BELOW.
set hbdev "port9" 0
set override disable
set monitor "port9"
end
- The Password value does not appear in configuration output. If you don't remember the original password, you can modify it on the Primary (master) unit before.
- The command "show system ha" will display the HA parameters that have been configured and differing from the default values. In order to see all HA settings, use the command "get system ha"
2) On a factory default slave unit, leave all the network cables disconnected and execute the following on the CLI (Basic HA parameters – match the settings of the master):
# config system haFrom the Web Based Manager (GUI), the configuration is accessible from System -> HA, here choose the Mode that was configured on the master of the HA cluster, either Active-Active or Active-Passive and click 'OK':
set group-id <----- by default '0', but MUST be changed if multiple clusters are in the network.
set group-name
set hbdev ha1 50 (port1 100) <----- heartbeat interface(s) and associated priorities.
set password <----- matching the one on Master unit [MUST be in plain text – do not copy/paste a hashed one].
set priority <----- slave should have a lower priority.
set mode a-a <----- or a-p, according to the needs.
set override disable <---- to make sure this unit doesn’t wipe the config in Master.
end
3) Connect with the console to the replacement/new unit to configure HA with the same settings as the Primary:
# config system ha
According to sample output above settings on slave would be:
4) New unit priority parameter:
The priority parameter is very important as a unit with a higher priority may become Primary unit when inserted in the cluster.
If the newly inserted unit must stay as Subordinate (slave), set its priority to a lower value then the primary master, as per the example below:
config system ha
set priority 64
end
5) Insert the new device in the cluster
- Shutdown the new unit
- Insert physically the new unit in the network
- Power on the new unit --> it will synchronize the configuration with the Primary unit
- Sync time will depend on the size of the config.
# config system ha
According to sample output above settings on slave would be:
# config system ha
set group-name "FGT-HA-Floor1"
set mode a-p
set password <password>
set hbdev "port9" 0
set override disable
set monitor "port9"
end
4) New unit priority parameter:
The priority parameter is very important as a unit with a higher priority may become Primary unit when inserted in the cluster.
If the newly inserted unit must stay as Subordinate (slave), set its priority to a lower value then the primary master, as per the example below:
config system ha
set priority 64
end
5) Insert the new device in the cluster
- Shutdown the new unit
- Insert physically the new unit in the network
- Power on the new unit --> it will synchronize the configuration with the Primary unit
- Sync time will depend on the size of the config.
