Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

2 Ways Of Creating HA

1) Configure the primary FW and factory reset the secondary firewall. Configure HA and let them sync.

2) Configure the primary and secondary FW separately with the same configuration. Change the HA priority.

Which method is better?

Toshi_Esumi
Esteemed Contributor III

3) Save the config of the primary and modify the unique parts for the secondary, like hostname, dedicated management interfaces, and HA config, then upload it to the secondary. Then wait for it to sync after connecting the heartbeat connection(s).

3) would be the fastest.

PS. If you want to learn/see how the full config sync progresses through the console port on the secondary, 1) would be the best option.

 

Toshi
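Method 3) above is a text transform of the primary's backup, so it is easy to script and, more importantly, to verify before uploading. The following is an added example (not from the post or from Fortinet) that rewrites only the per-unit lines of a FortiOS-style config: the hostname, the dedicated management interface IP, and the HA priority. The sample config is constructed for illustration (abridged, RFC 5737 addresses, and the block/edit layout of a FortiOS backup); the interface name `"mgmt1"` and the HA `set priority` value are assumptions you would replace with your own. A check afterwards confirms that nothing else changed, since every other line must be identical for the cluster to sync.

```python
"""Derive a secondary FortiGate config from the primary's backup (method 3).

Added example. It assumes a FortiOS-style config text (constructed sample
below) and changes only the per-unit settings: hostname, dedicated mgmt
interface IP, and HA priority. Everything else is kept identical and checked.
"""
import re

# Constructed sample of a primary unit's config (abridged; not a real export).
PRIMARY_CONFIG = """\
config system global
    set hostname "FGT1"
end
config system ha
    set group-name "hacluster"
    set mode a-p
    set hbdev "ha1" 50
    set priority 200
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 192.0.2.1
        next
    end
end
config system interface
    edit "mgmt1"
        set ip 192.0.2.2 255.255.255.248
        set allowaccess ping https ssh fgfm
        set type physical
        set dedicated-to management
        set defaultgw disable
    next
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping
        set type physical
    next
end
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
end
"""


def derive_secondary(primary_cfg, hostname, mgmt_ip, mgmt_mask, priority,
                     mgmt_if='"mgmt1"'):
    """Return the secondary's config: same as primary except the unique lines.

    A small state machine tracks the config/edit nesting so that, e.g.,
    'set priority' is only rewritten under 'config system ha' and 'set ip'
    only under the dedicated management interface (quoted name as in FortiOS).
    """
    out = []
    stack = []  # nesting context: ("config", name) / ("edit", name)
    for line in primary_cfg.splitlines():
        s = line.strip()
        ctx = tuple(stack)
        if ctx == (("config", "system global"),) and s.startswith("set hostname "):
            line = re.sub(r"set hostname .*", f'set hostname "{hostname}"', line)
        elif ctx == (("config", "system ha"),) and s.startswith("set priority "):
            line = re.sub(r"set priority .*", f"set priority {priority}", line)
        elif ctx == (("config", "system interface"), ("edit", mgmt_if)) \
                and s.startswith("set ip "):
            line = re.sub(r"set ip .*", f"set ip {mgmt_ip} {mgmt_mask}", line)
        out.append(line)
        # Update nesting after the line has been handled.
        if s.startswith("config "):
            stack.append(("config", s[7:]))
        elif s.startswith("edit "):
            stack.append(("edit", s[5:]))
        elif s in ("end", "next"):
            stack.pop()
    if stack:
        raise ValueError("unbalanced config/edit blocks in input")
    return "\n".join(out) + "\n"


def diff_lines(a, b):
    """[(old, new)] for lines that differ; the transform keeps line count."""
    al, bl = a.splitlines(), b.splitlines()
    if len(al) != len(bl):
        raise ValueError("line count changed; refuse to compare")
    return [(x.strip(), y.strip()) for x, y in zip(al, bl) if x != y]


def only_expected_differ(primary, secondary):
    """True iff exactly hostname, mgmt IP and HA priority differ."""
    keys = sorted(old.split()[1] for old, _ in diff_lines(primary, secondary))
    return keys == ["hostname", "ip", "priority"]


if __name__ == "__main__":
    sec = derive_secondary(PRIMARY_CONFIG, "FGT2", "192.0.2.3",
                           "255.255.255.248", 100)
    print(sec)
    print("only expected lines differ:", only_expected_differ(PRIMARY_CONFIG, sec))
```

Run it against a real backup only after reading the file with the same line endings it was exported with, and keep the check: if `only_expected_differ` is False, something in the primary's config (a second dedicated management interface, a VDOM-scoped interface block) is outside what the script knows about and should be edited by hand rather than uploaded blind.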

BusinessUser

Please explain the dedicated management interface to me.

What happens if I am using MGMT1 for management on both FW Pri and FW Sec?

So the 3rd way will be the best for efficiency?

Toshi_Esumi
Esteemed Contributor III

If you're using MGMT1 for management access to each individual unit in HA, you need to have a common GW as a part of the HA config like below:

config system ha
  config ha-mgmt-interfaces
    edit 1
      set interface "mgmt1"
      set gateway x.x.x.1
    next
  end
end

Then the mgmt1 interface config at each unit would look like below:

config system interface
  edit "mgmt1"
    set ip x.x.x.2 255.255.255.248          <- another HA member would have like x.x.x.3
    set allowaccess ping https ssh fgfm
    set type physical
    set dedicated-to management
    set defaultgw disable
  next
end

I wouldn't do 2) unless the entire config is almost the default config. If it's in production and MGMT1 is already connected, I would do 3). But occasionally, when the HA sync process is having a problem or two, I would do 1). Of course I always have local or remote console access to both units to see and troubleshoot.

 

Toshi 

Toshi_Esumi
Esteemed Contributor III

Above is assuming the GW is directly connected. There is a KB for this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

BusinessUser

I think I get it. But I don't want to change the original design.

Can it be done using the GUI and not the CLI?

Another question. I need to use wan1 in FW Pri and wan2 in FW Sec after HA synchronisation

OR

wan1 in FW Pri and wan1 in FW Sec

Toshi_Esumi
Esteemed Contributor III

Although the GUI screens are a little old (probably 6.4), the KB I provided above includes the GUI example.

When a-p HA is formed between a primary and secondary(-ries), all config except those I listed needs to be identical. For interfaces, only dedicated-to management interface(s) can have different IPs like I showed.

You can of course configure wan1 and wan2 with different IPs and connect a primary circuit to wan1 on FGT1 and a secondary circuit to wan2 on FGT2, but you still have to configure a way to fail over, or choose one circuit over another (down) circuit. It's better to use a switch to terminate both circuits and deliver both to both FGTs' wan1 and wan2. Then configure a way to fail over, like setting different admin distances for two static default routes, or the same distance but different priorities (a higher priority number means a lower priority).
It's described in your version of the admin guide.

Toshi
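The two static-route failover options described in the reply above, written out as an added example (not from the post or from Fortinet docs). Addresses are constructed (RFC 5737 ranges); in an a-p cluster this routing config is part of the synced config, so it is identical on both members and the active unit uses whichever of its wan1/wan2 is up, which is why both circuits need to reach both units through a switch. The link-monitor block is an assumed addition for the case where the circuit fails but the interface stays up.

```text
# Option A: different administrative distances.
# Only the lower-distance route is installed; wan2's route takes over
# when the wan1 route is withdrawn (interface down or link monitor failed).
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 203.0.113.1
        set device "wan2"
        set distance 20
    next
end

# Option B: same distance, different priority.
# Both routes stay in the routing table; the LOWER priority number is
# preferred (higher number = lower priority), so wan1 is used while it is up.
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set gateway 203.0.113.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# Assumed addition (not in the post): without a health check, failover only
# happens when wan1 physically goes down. A link monitor that pings an
# upstream address and removes the static route on failure covers the
# "interface up, circuit dead" case. Probe target is a placeholder.
config system link-monitor
    edit "wan1-check"
        set srcintf "wan1"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end
```

After applying either option, confirm which route is active with `get router info routing-table all` on the primary, then pull wan1 on the switch side (not the heartbeat) and check that the default route moves to wan2 without triggering an HA failover, since the goal is circuit redundancy inside the same active unit, not a cluster switchover.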

BusinessUser

What is "your version of admin guide"?

Toshi_Esumi
Esteemed Contributor III

You never told us what version you're running on your FGTs. If it's 7.2.5, below is the admin guide.
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/954635/getting-started
You can find other versions' guides in the same document library.

Toshi

BusinessUser
Contributor

My problem is resolved. Thanks. 
