Fortinet Forum
random_guy
New Contributor II

High availability - no cabling, no failover.

I have a pair of 200e that I'd like to get into an HA pair. My issue is that I will not be able to cable the passive one the same as the primary for a few months because reasons. I want to link them via the HA port so that the primary unit automatically sends the config to the 2nd and in case of complete hardware failure, anyone on the team can just move the cables over and the unit is ready to go. Is this possible? 


Toshi_Esumi
Esteemed Contributor

Down links/interfaces on the slave/passive side wouldn't cause the pair not to form an a-p HA. Your manual fail-over would work.

ede_pfau
Esteemed Contributor III

Yes, you could do that, just to keep the config synced. It would not matter much if not all used ports are cabled.

Some caveats:

1- make sure none of the ports you cannot use yet on the slave is being monitored in the HA setup

2- remember that forming a cluster forces a reboot of both members, thus, downtime.

3- make sure you use the same physical ports on both units - no cross-overs! If you use 2 HA ports (which you should), do not cross them over either.

4- manual failover can be forced either by shutting the master unit down, or by pulling a monitored link (among other methods)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
random_guy
New Contributor II

1) I'm trying to keep it simple for now until it can be cabled properly so I don't want anything plugged into the passive unit other than what's required to mirror the config. I'm not sure which interface I should be monitoring or is it even required in this situation? Just select the heartbeat interface (the HA port) and that's it? 


3) So using the HA port on each unit then select another un-used port to link for redundancy?


ede_pfau
Esteemed Contributor III

1- yes, just connect the HA ports. Best practice says, use redundant HA links, as the worst case of all is when cluster members lose their HA link, and both guess they are master - with identical IP addresses and MACs.


1b- HA monitoring is used to monitor the link status of certain ports (like the LAN port), in addition to the master device status. The cluster will then fail over if either the master is offline or one of the monitored links is down.

Link status down is quite seldom, so you can enhance this by letting the FGT check a remote target by ping. If enough pings fail, the cluster will fail over.


But this is enhanced stuff, and I recommend reading up on HA in the FortiOS Handbook before configuring anything.


2- you can use any unused port for an HA link, for example the HA port and port "wan2" or whichever. I specify "HA2" as this port's alias, just to remind me. And I use red cables, and warn my customer to never, ever pull these out while the FGTs are running.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
random_guy
New Contributor II

1B) I understand the monitoring portion of it and if everything was cabled correctly, I'd want to monitor all the ports in use. But since I don't want the failover to happen, I don't want to monitor anything, right? 


I've been scouring the docs but they all assume everything is properly cabled, which it's not in this case.

ede_pfau
Esteemed Contributor III

Correct, do not monitor any ports for the time being. This is an optional feature, although 99% in use. For mere synching, you only need an HA connection and the proper HA settings.

Maybe, just to be cautious, on the master unit "set override enable" in the CLI, which will prevent any failover (except for device failure).

Added benefit for having the 2 units sync: if you upgrade the master (via WebGUI), the slave will be upgraded automatically as well.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
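Added example (not posted by anyone in this thread and not taken from Fortinet's documentation): the FortiOS CLI configuration that the advice above amounts to, in two stages. Stage 1 is the interim "sync only" state Ede describes in his last two replies: redundant heartbeat links, no monitored ports, no ping-server checks, and `set override enable` on the primary. Stage 2 is what gets added later, once the second 200E is cabled identically, to re-enable the link monitoring and remote-target ping checks Ede outlines in point 1b. The group name, the password placeholder, the interface names ("ha1", "wan2", "port1", "port2", "wan1"), the priorities and the 192.0.2.1 ping target are all assumptions; check the actual port names on the unit with `get system interface` before pasting anything.

```fortios
# Stage 1: configuration sync only (nothing on the second unit is cabled yet).
# Apply on the existing primary first, then on the second unit with a lower
# "priority". Forming the cluster reboots both members (Ede's caveat 2).
config system ha
    set group-name "fg200e-cluster"        # assumed; must be identical on both units
    set mode a-p
    set password <cluster-password>        # placeholder; set the same value on both units
    set hbdev "ha1" 50 "wan2" 50           # two heartbeat links; port names are assumptions
    set override enable                    # Ede's suggestion: primary re-elects itself on priority
    set priority 200                       # assumed; use a lower value (e.g. 100) on the second unit
    unset monitor                          # no monitored ports while the peer is not cabled
    unset pingserver-monitor-interface     # no remote-target checks yet either
end

# Label the second heartbeat port so nobody reuses it (Ede's "HA2" alias).
config system interface
    edit "wan2"
        set alias "HA2"
    next
end

# Stage 2: once the second unit is cabled like the primary, add link monitoring
# on the user-facing ports and an optional ping check through the WAN side.
config system link-monitor
    edit "wan1-gw"
        set srcintf "wan1"
        set server "192.0.2.1"             # constructed target in the documentation range
        set ha-priority 10                 # weight counted against the HA failover threshold
    next
end
config system ha
    set monitor "port1" "port2"            # assumed LAN/DMZ ports; only cabled ports belong here
    set pingserver-monitor-interface "wan1"
    set pingserver-failover-threshold 10   # fail over when failed monitors' weights reach this
end
```

Two design notes on stage 1. The `override enable` setting only has the effect Ede wants together with a higher `priority` on the primary: with override on, the cluster re-elects the master on priority whenever the higher-priority unit is present, so the primary keeps its role after any reboot, but for the same reason the cluster will fail back to it automatically once it returns from an outage, which is worth remembering when the pair is fully in service. Leaving `monitor` unset is what prevents the uncabled ports on the second unit from ever counting as a failure while the cluster is in this half-cabled state.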
