Description
This article describes how to add or replace a unit in a High Availability cluster with a minimum of downtime.
Scope
FortiGate HA.
Solution
To add a new unit to an existing FortiGate cluster, or to replace a broken unit, some criteria must be met by the unit to be added:
- The same model and hardware revision (in models that have different hardware revisions, like 100D).
- The same licensing.
- The same firmware version.
Firmware and licensing may need to be set up on the new unit before adding it to the cluster. The unit should be upgraded to the required firmware version and then connected to the Internet to activate any licenses registered on the FortiGate. If replacing a broken unit in a cluster, it is recommended to disconnect the RMA unit from the cluster before its entitlement is transferred to the new RMA unit. After this, the new unit can be configured to be added to a cluster.
There are two main options:
- Minimal configuration on the new replacement unit.
Note: the unit needs to be added as a secondary unit to the cluster to avoid potential configuration loss on the unit(s) already in the cluster.
On a unit already in the cluster, retrieve the following settings from CLI:
config system ha
show
On the new, factory default unit, leave all the network cables disconnected and mirror the settings fetched above:
config system ha
set group-id <group id>
set group-name <cluster name>
set hbdev <heartbeat interfaces and priority>
set password <set plain-text cluster password>
set priority <set a LOWER priority (LOWER priority means lower number) here to ensure the unit remains secondary>
set mode <a-a or a-p, mirror from above>
set override disable <recommended to ensure the new unit cannot take over as primary initially>
end
Note: If the cluster password is unknown, a new one needs to be set on all cluster units (the new one to be added and any existing ones)
Once the above is entered, power off the device, connect all cables, and power it on.
The sync time will depend on the size of the config.
This option does not take into consideration any more complex HA settings like ha-management interfaces - these may need to be added manually later.
- Use a backup from the existing cluster to pre-configure the new unit.
Note: This option can be useful if there are any concerns about a possible failover (as the new unit will already have all policies and routing in place) or to copy over more complex HA settings.
- Take a backup of an existing FortiGate in the cluster.
Note: ensure that there is a local super_admin account present in the configuration. If there is no local super_admin account present, create one before taking the backup.
- Make sure to disconnect the data cables first and then the HA heartbeat cables in the existing cluster.
- Establish both a GUI and console connection to the new secondary unit (if it is not still present from updating the firmware and activating the licenses).
- Restore the backup taken from the cluster unit. This will cause the GUI connection to be lost, but the console connection will be maintained.
- Wait until the FortiGate has booted up, then log in with a local admin account in the console (see step 1).
- Set the following on the new unit in the console:
config system global
set hostname <secondary_unit>
end
config system ha
set priority <lower than priority on primary unit>
end
If there is a dedicated management interface, run the following configuration (otherwise, skip doing so):
config system interface
edit <mgmt-interface>
set ip <dedicated secondary_unit ip> <subnet mask>
end
Note: if the management interface of the new unit should be in a different subnet, a gateway will also need to be set for the ha-mgmt-interface in ‘config system ha’.
This ensures:
The hostname indicates the secondary unit.
Out-of-band management is maintained if in place.
The unit joins the cluster as a secondary.
Connect the new unit to the cluster. Remove any old, 'to be replaced' unit beforehand if still present. Connect the HA and mgmt cables, wait 1-2 minutes, then connect the other data cables.
In the primary unit, check the HA status until the secondary unit shows up.
In the primary unit CLI, check the HA status on both units:
get sys ha status <- Get the HA status on the primary unit.
exe ha manage ?
exe ha manage <ID of secondary unit> <- Provide admin credentials.
get sys ha status <- Get the HA status on the secondary unit.
Note: if the cluster operates in vdom-mode, the settings above all require a preceding 'config global'.
Related articles:
