We will be replacing our existing checkpoint firewall with 2 Fortigate 100fs in HA pair. We have 2 WAN links and 4 Internal ports ( including the management port).
What is the sequence to configure these so that I can have FGTA as Primary and FGTB as secondary. Can we bring both fortigates up and online then configure the HA? Would really like to know the do's/don'ts and the steps in order to do this properly.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We may start as below.
1. Power on FGTA
2. Make the necessary HA configuration ( make sure to give a higher priority).
3. Connect the traffic/revenue links and HB links between FGTA and FGTB (Still powered off)
4. Power on FGTB
5. Make the HA configuration on FGTB and check if the HA is in sync (make sure the priority is lower than FGTA )
6. Once they are in sync connect the traffic/revenue ports on FGTB
Once all the links are up and nodes are in sync, move traffic to new node. Make sure to perform all these in a maintenance window to handle any unexpected issue that may arise.
Hi,
1. Create HA cluster (for your case Active-Passive) on FGTA
2. Create HA cluster on FGTB with the same settings
You have to enter the same password on both FGTs - save it in a passwordmanager or somethin else... maybe you need it for the future!
3. Link the FGTs together (via the HA port)
4. After the Cluster is synchronised successfully, you can configure ip addresses, policies, vpns, etc.
I even configured addresses, policies and other settings before I made the cluster and it worked as well. But I suggest you the other way...
FGTA should have a higher prio than B which means FGTA has for example 100 while B just has 50.
You can also force a failover:
execute ha failover set 1
The status will only change again if you force it with the command or if a monitored port actually fails.
Edit:
A helpful post https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-force-HA-failover/ta-p/196696
We don't use priority or override for HA but easily brings up a specific unit as a primary when forming HA with another unit based on the flow chartbelow:
https://docs.fortinet.com/document/fortigate-7000/6.2.3/fortigate-7000-handbook/174111/primary-forti...
If priorities are the same, the next factor to decide the primary unit is "age" or uptime. As long as the intended primary unit is up more than 5 min longer than other units, it would become the primary. If less than 5 min difference, the unit has the highest S/N would become the primary.
We don't like the piority/override because when the cause of a failover (often monitoring interface downs) disappears/is fixed, it always fails back often at an unexpected/inconvenient time especially the problem was on the circuit vendor side.
Toshi
Good aspect - I also corrected my post...
But I guess he wants that FGTA is usually the primary one... and I prefer the priority statement.
Additionally I didn't recognize the failovers while working because it smoothly worked.
Hi,
To make FGTA always primary:-
- set override enable
-then, ensure the priority of FGTA higher than FGTB.
- You may refer to link here on HA selection process.
Created on 12-15-2023 08:15 AM Edited on 12-15-2023 08:31 AM
Your question was answered by @SassiVeeran .
I'm not against setting the priority/override if the failover/failback works fine during your business hours.
Our case is probably not too common. Because we run BGP and OSPF for internet side and customer side with many VDOMs, including hundreds of IPsec tunnels for all those customers.
Some neighboring states are not always kept depending on the timing when a switchover happens (especially when the previous swap over was caused by an unknown reboot of the primary unit, then they swap them back before "session syncing" completes) and some customers might notice and ask us RFO every time. While both units are exactly the same and we don't have any particular reason we have to designate one of them always as the primary, we definitely want/need to eliminate a possibility for outage outside of maintenance window as much as we can. If we have to swap back for whatever the reason we schedule a maintenance window and manually swap them at night. But it's a very rare occasion.
Toshi
Hi,
To know the exact procedure, you may refer to doc link here on how to setup HA. You can bring both fortigate online, and then can configure HA.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/123439/primary-unit-selection-with-overr... ---> to ensure FGTA as primary always and HA selection process.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.