Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AUT_Maverick
New Contributor III

Created on ‎01-17-2024 04:34 AM

Converting standalone to cluster

What is the process of converting production standalone firewall to cluster? during the process will there be any interruptions to prod traffic and will this need downtime?
HUVA
HUVA
Labels:
777
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎01-17-2024 05:15 AM

Start by taking a fresh backup of the production FGT.

Then, on the node which is already under production, do this:

  • Go to System > HA
  • Enable Active-Passive HA
  • Select 2 HA interfaces, e.g.: ha1 & ha2
  • Set a high priority value, e.g: 140
  • Set group id, password and validate

On the new node to be added:

  • Do the same as above but with a lower priority, e.g.: 130
  • Validate

Plug HA ports to eachother, i.e.:

  • FG1/ha1 to FG2/ha1
  • FG1/ha2 to FG2/ha2

No impact, no downtime.

AEK
AEK
668
0 Kudos
AEK
SuperUser
SuperUser
In response to AEK

Created on ‎01-17-2024 05:19 AM

Both nodes must be same model and at the same firmware level.

AEK
AEK
665
0 Kudos
AUT_Maverick
New Contributor III
In response to AEK

Created on ‎01-17-2024 05:25 AM

Start by taking a fresh backup of the production FGT.

Then, on the node which is already under production, do this:

  • Go to System > HA
  • Enable Active-Passive HA
  • Select 2 HA interfaces, e.g.: ha1 & ha2
  • Set a high priority value, e.g: 140
  • Set group id, password and validate

I already did this steps but after that the production Fortigate crashed and i had to restore it with an backup file. 

HUVA
HUVA
659
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-17-2024 05:27 AM

What do you mean by crashed? 

Can you share all the steps you did in detail?

AEK
AEK
655
0 Kudos
AUT_Maverick
New Contributor III

Created on ‎01-17-2024 05:31 AM

I configured a VLAN Interface on the HA Link. Because the other Fortigate is not in the same rack and building. 

Then i walked through these steps which you wrote but with only one HA Link:

  • Go to System > HA
  • Enable Active-Passive HA
  • Select 2 HA interfaces, e.g.: ha1 & ha2
  • Set a high priority value, e.g: 140
  • Set group id, password and validate

After i clicked on Ok the firewall crashed. 

HUVA
HUVA
653
0 Kudos
AEK
SuperUser
SuperUser
In response to AUT_Maverick

Created on ‎01-17-2024 05:36 AM

Try ha interface with physical interface, not VLAN interface.

Also what you mean by crashed? Do you mean config wiped? Or do you mean just lost access?

AEK
AEK
649
0 Kudos
AUT_Maverick
New Contributor III
In response to AEK

Created on ‎01-17-2024 05:41 AM

But how can i make the HA connection to the other Fortigate because they are separated physically?

 

The Internet connection in the company was lost. And i had to restore the firewall with an backup which i had made before the Cluster configuration. 

HUVA
HUVA
645
0 Kudos
AEK
SuperUser
SuperUser
In response to AUT_Maverick

Created on ‎01-17-2024 05:52 AM

I mean don't configure a FGT VLAN interface as ha interface, but a FGT physical interface. But for sure you can connect the HA interface to a switch-port which is on a specific dedicated VLAN.

 

Regarding the crash cause:

  • Was the passive node connected when the issue happened?
  • Do you have another FortiGate cluster in your network? 
AEK
AEK
637
0 Kudos
hbac
Staff
Staff
In response to AUT_Maverick

Created on ‎01-17-2024 06:09 AM

Hi @AUT_Maverick,

 

Is the HA interface connected to a switch? Is there other clusters or hosts in the same VLAN? 

 

Regards, 

624
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.