Restore members in the HA cluster.
Regular FortiGate.
To add a new unit to an existing FortiGate cluster or to replace a broken unit, some criteria must be met by the unit to be added:
- They must have the same model and hardware revision (in models that have different hardware revisions, such as 100D).
- They must have the same licensing.
- They must have the same firmware version.
Firmware and licensing may need to be set up on the new unit before adding it to the cluster. The unit should be upgraded to the required firmware version and then be connected to the Internet to activate any licenses registered on the FortiGate. After this, the unit can be configured to be added to a cluster.
To proceed:
- Make sure no cables are connected to the new unit.
- Restore the configuration as detailed in this document to the new unit.
- Make sure the override is disabled and the priority value is lower than the other device to ensure the unit remains secondary.
config system global
    set hostname <HOSTNAME of New Device>
end
config system ha
    set priority <----- Set a LOWER priority here to ensure the unit remains secondary.
    set override disable <----- Recommended to ensure the new unit cannot take over as primary initially.
end
- Connect the HA cables.
- Check the HA status on the primary device.
get sys ha status
execute ha manage <id sec unit> admin <credentials>
get sys ha status <----- This will check the newly connected device.
The outputs of both commands should appear similar to the following:
Configuration Status:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): in-sync
    FGVMXXXXXXXXXX46(updated 4 seconds ago): in-sync
System Usage stats:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): sessions=42, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=64%
    FGVMXXXXXXXXXX46(updated 4 seconds ago): sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=54%
HBDEV stats:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): port8: physical/10000full, up, rx-bytes/packets/dropped/errors=2233369747/7606667/0/0, tx=3377368072/8036284/0/0
    FGVMXXXXXXXXXX46(updated 4 seconds ago): port8: physical/10000full, up, rx-bytes/packets/dropped/errors=3377712830/8038866/0/0, tx=2233022661/7604078/0/0
If everything appears to be okay, connect the data cable to the new unit.
6000 series chassis.
For additional information, refer to the 6000 Series HA guide.
To proceed:
- Make sure no cables are connected to the new unit.
- Restore the configuration as detailed in this document to the new unit.
- Make sure both units have the same number of active HDDs and that they have the same RAID configuration.
- Make sure the configurations of the FPCs are synchronized before starting to configure HA.
- Make sure the override is disabled and the priority value is lower than the other device to ensure the unit remains secondary.
config system ha
    set priority <----- Set a LOWER priority here to ensure the unit remains secondary.
    set override disable <----- Recommended to ensure the new unit cannot take over as primary initially.
end
- Make sure the chassis-id value is different on both chassis.
show full-configuration system ha | grep chassis-id
    set chassis-id 1
show full-configuration system ha | grep chassis-id
    set chassis-id 2
- The Hostname must be different between Chassis-A and Chassis-B.
- Connect the HA cables (HA1 and HA2 interfaces).
- Check the HA status on the primary device.
get sys ha status
execute ha manage <id sec unit> admin <credentials>
get sys ha status <----- This will check the newly connected device.
The outputs of both commands should appear similar to the following:
Configuration Status:
    F6KF51T020-----8(updated 4 seconds ago): in-sync
    F6KF51T020-----8 chksum dump: e8 f6 74 c7 fe 72 85 55 d0 6d 76 92 87 aa ef 6c
    F6KF51T020-----8(updated 4 seconds ago): in-sync
    F6KF51T020-----8 chksum dump: e8 f6 74 c7 fe 72 85 55 d0 6d 76 92 87 aa ef 6c
System Usage stats:
    F6KF51T020-----8 (updated 4 seconds ago): sessions=0, average-cpu-user/nice/system/idle=1%/4%/0%/94%, memory=14%
    F6KF51T020-----8 (updated 4 seconds ago): sessions=548, average-cpu-user/nice/system/idle=0%/4%/0%/94%, memory=14%
HBDEV stats:
    F6KF51T020-----8 (updated 4 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=70315504/184072/0/0, tx=68279953/184043/0/0, vlan-id=999
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=70315122/184071/0/0, tx=68279953/184043/0/0, vlan-id=999
    F6KF51T020-----8 (updated 4 seconds ago):
        ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=1057926014/2781487/0/0, tx=1036746504/2781999/0/0, vlan-id=999
        ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=1057925657/2781486/0/0, tx=1036742544/2781989/0/0, vlan-id=999
Secondary : FortiGate-6000F , F6KF51T020-----8, HA cluster index = 0
Primary : FortiGate-6000F-02, F6KF51T020-----8, HA cluster index = 1
Make sure both chassis have the same RAID level.
- Use the execute disk list command to confirm the log disk
- Use the execute disk raid status command to confirm the RAID configuration of each device.
- Check the disk: execute disk list. This confirms that the hard drive is up and running (perform this on both devices).
- Check the RAID status: execute disk raid status. This confirms that both devices have the same RAID level and are working.
- If everything appears to be okay, connect the data cable to the new unit.
7000-series chassis.
To proceed:
- Make sure no cables are connected to the new unit.
- Restore the configuration on the new unit with the steps detailed in this document.
- Make sure the override is disabled and the priority value is lower than the other device to ensure the unit remains secondary.
config system ha
    set priority --> Set a LOWER priority here to ensure the unit remains secondary.
    set override disable --> This is recommended to ensure the new unit cannot take over as primary initially.
end
- Make sure the chassis-id value is different on both chassis.
show full-configuration system ha | grep chassis-id
    set chassis-id 1
show full-configuration system ha | grep chassis-id
    set chassis-id 2
- The hostname must be different between Chassis-A and Chassis-B.
- Connect the HA ports on FIM1 -> 1-M1 and 1-M2.
- Connect the HA ports on FIM2 -> 2-M1 and 2-M2.
- Check the HA status on the primary device.
get sys ha status
execute ha manage <id sec unit> admin <credentials>
get sys ha status (This will check the newly connected device.)
The outputs of both commands should appear similar to the following:
System Usage stats:
    FG74E83E17000024(updated 1 seconds ago): sessions=72, average-cpu-user/nice/system/idle=3%/0%/0%/96%, memory=5%
    FG74E83E17000024(updated 4 seconds ago): sessions=0, average-cpu-user/nice/system/idle=2%/0%/0%/97%, memory=5%
HBDEV stats:
    FG74E83E17000024(updated 1 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=10234256/28317/0/0, tx=9584221/24836/0/0, vlan-id=1091
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=10234477/28318/0/0, tx=9584221/24836/0/0, vlan-id=1092
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=9893735/26730/0/0, tx=9555168/24757/0/0, vlan-id=1091
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=9893735/26730/0/0, tx=9555074/24756/0/0, vlan-id=1092
    FG74E83E17000028(updated 4 seconds ago):
        1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=1049980/2914/0/0, tx=350892/972/0/0, vlan-id=1091
        1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=1049236/2912/0/0, tx=350892/972/0/0, vlan-id=1092
        2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=1061196/2918/0/0, tx=321384/891/0/0, vlan-id=1091
        2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=1060452/2916/0/0, tx=321478/892/0/0, vlan-id=1092
Primary : CH02 , FG74E83E17000024, HA cluster index = 1
Secondary : CH01 , FG74E83E17000028, HA cluster index = 0
If everything appears to be okay, connect the data cable to the new unit.
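The "check the HA status" step in each procedure above comes down to two conditions before the data cable goes in: every member reports in-sync, and every heartbeat interface is up with no drops or errors. The following Python is an added example, not Fortinet code, that applies those checks to captured `get sys ha status` text. The function name check_ha_status, its expected_members parameter and the sample text are assumptions. The sample is constructed from the output format shown in this article, with the second member altered to show failures.

```python
import re

# Constructed sample modelled on the output shown above; the second member's
# sync state, link state and drop counter are altered to show the failure cases.
SAMPLE = """\
Configuration Status:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): in-sync
    FGVMXXXXXXXXXX46(updated 4 seconds ago): out-of-sync
System Usage stats:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): sessions=42, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=64%
    FGVMXXXXXXXXXX46(updated 4 seconds ago): sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=54%
HBDEV stats:
    FGVMXXXXXXXXXX44(updated 3 seconds ago): port8: physical/10000full, up, rx-bytes/packets/dropped/errors=2233369747/7606667/0/0, tx=3377368072/8036284/0/0
    FGVMXXXXXXXXXX46(updated 4 seconds ago): port8: physical/10000full, down, rx-bytes/packets/dropped/errors=3377712830/8038866/12/0, tx=2233022661/7604078/0/0
"""

SECTION = re.compile(r"(Configuration Status|System Usage stats|HBDEV stats):")
MEMBER = re.compile(r"(\S+?)\s*\(updated \d+ seconds ago\):")
SYNC = re.compile(MEMBER.pattern + r"\s*(\S+)")
LINK = re.compile(r"(\S+): physical/\S+, (\w+), "
                  r"rx-bytes/packets/dropped/errors=\d+/\d+/(\d+)/(\d+), "
                  r"tx=\d+/\d+/(\d+)/(\d+)")

def check_ha_status(text, expected_members=2):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    parts = SECTION.split(text)               # [pre, name, body, name, body, ...]
    sections = dict(zip(parts[1::2], parts[2::2]))
    # 1. Every member must be listed and report in-sync.
    states = SYNC.findall(sections.get("Configuration Status", ""))
    if len(states) < expected_members:
        problems.append(f"only {len(states)} of {expected_members} members listed")
    for serial, state in states:
        if state != "in-sync":
            problems.append(f"{serial}: configuration {state}")
    # 2. Every heartbeat interface of every member must be up and clean.
    chunks = MEMBER.split(sections.get("HBDEV stats", ""))
    for serial, chunk in zip(chunks[1::2], chunks[2::2]):
        links = LINK.findall(chunk)
        if not links:
            problems.append(f"{serial}: no heartbeat interface reported")
        for name, state, *counters in links:
            if state != "up":
                problems.append(f"{serial}: heartbeat {name} is {state}")
            if any(int(c) for c in counters):  # rx/tx dropped and errors
                problems.append(f"{serial}: heartbeat {name} has drops/errors")
    return problems
```

Run it against the output captured on the primary and again after `execute ha manage` to the new unit; connect the data cable only when both runs return an empty list.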