Hi,
I was wondering how disruptive it is to enable vCluster2 on a production Fortigate installation which is already up and running. Does it affect the existing traffic in any way?
Cheers!
Emil
Hello Emil,
Do you have multiple VDOMs in the setup?
If yes, then the vcluster2 is enabled by default.
However, you need to configure the secondary-vcluster to add the vdoms to it.
Yes, this might cause interruptions to the traffic if you are doing it in a production setup.
Hi,
Thanks for the reply. Yes, I have 3 VDOMs, 2 out of which (root, vdomx) are handling production traffic at the moment. The third VDOM (vdomy) is not in use right now.
I want to configure the VDOM partitioning so that root and vdomx stay active in vcluster 1 (where they are now), and vdomy is active in vcluster 2.
My original query was actually more intended to mean "Will configuring the "secondary-vcluster" parameter disrupt traffic in the primary vcluster?".
Cheers!
Emil
Hello Emil,
I haven't tried this in a production setup, however, logically, it shouldn't impact the traffic if configured properly.
You enable the secondary vcluster and the production vdoms should be configured to have the current master as master and the new vdom for the current slave.
Hello,
What is the operation mode of this vCluster?
Attach the output of these commands:
"show sys ha"
"diag sys ha status"
Best Regards,
Enabling the vcluster is not disruptive, and I have to disagree that it's not enabled by default.
As suggested earlier, get sys ha status | grep vclu will tell you if vcluster#2 is enabled.
PCNSE
NSE
StrongSwan
Hi,
Just thought I'd report back. I enabled and configured the secondary vcluster (it was NOT enabled as default) and moved the inactive VDOM to it. We did not experience any disruptions to the production traffic.
Regards,
Emil
A few key points if you operate from the CLI (I'm a CLI guru):
1: the route RIB will be active on the active unit only
2: packet sniffer will only give details on the active physical unit
3: ARP requests will be seen on both ACT and non-ACT FGT units, but the traffic is handled by the ACTIVE unit that hosts that vdom on that cluster

PCNSE
NSE
StrongSwan
Copyright 2025 Fortinet, Inc. All Rights Reserved.