Converting standalone to cluster

AUT_Maverick · ‎01-17-2024

What is the process of converting production standalone firewall to cluster? during the process will there be any interruptions to prod traffic and will this need downtime?

HUVA

AEK · ‎01-17-2024

Start by taking a fresh backup of the production FGT.

Then, on the node which is already under production, do this:

Go to System > HA
Enable Active-Passive HA
Select 2 HA interfaces, e.g.: ha1 & ha2
Set a high priority value, e.g: 140
Set group id, password and validate

On the new node to be added:

Do the same as above but with a lower priority, e.g.: 130
Validate

Plug HA ports to eachother, i.e.:

FG1/ha1 to FG2/ha1
FG1/ha2 to FG2/ha2

No impact, no downtime.

AEK

AEK · ‎01-17-2024

Both nodes must be same model and at the same firmware level.

AEK

AUT_Maverick · ‎01-17-2024

Start by taking a fresh backup of the production FGT.

Then, on the node which is already under production, do this:

Go to System > HA
Enable Active-Passive HA
Select 2 HA interfaces, e.g.: ha1 & ha2
Set a high priority value, e.g: 140
Set group id, password and validate

I already did this steps but after that the production Fortigate crashed and i had to restore it with an backup file.

HUVA

AEK · ‎01-17-2024

What do you mean by crashed?

Can you share all the steps you did in detail?

AEK

AUT_Maverick · ‎01-17-2024

I configured a VLAN Interface on the HA Link. Because the other Fortigate is not in the same rack and building.

Then i walked through these steps which you wrote but with only one HA Link:

Go to System > HA
Enable Active-Passive HA
Select 2 HA interfaces, e.g.: ha1 & ha2
Set a high priority value, e.g: 140
Set group id, password and validate

After i clicked on Ok the firewall crashed.

HUVA

AEK · ‎01-17-2024

Try ha interface with physical interface, not VLAN interface.

Also what you mean by crashed? Do you mean config wiped? Or do you mean just lost access?

AEK

AUT_Maverick · ‎01-17-2024

But how can i make the HA connection to the other Fortigate because they are separated physically?

The Internet connection in the company was lost. And i had to restore the firewall with an backup which i had made before the Cluster configuration.

HUVA

AEK · ‎01-17-2024

I mean don't configure a FGT VLAN interface as ha interface, but a FGT physical interface. But for sure you can connect the HA interface to a switch-port which is on a specific dedicated VLAN.

Regarding the crash cause:

Was the passive node connected when the issue happened?
Do you have another FortiGate cluster in your network?

AEK

hbac · ‎01-17-2024

Hi @AUT_Maverick,

Is the HA interface connected to a switch? Is there other clusters or hosts in the same VLAN?

Regards,

Converting standalone to cluster

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website