I need to define a FortiGate 200E HA pair (active/standby).
Except for mode, priority, group name/password and heartbeat interfaces, do I need to define anything else on the backup firewall?
Do I need to define IPs for the heartbeat interfaces?
config system global
    set hostname xxx   # per-unit setting, will not be replicated
end
config system ha
    set group-id <some number != 0>   # recommended; must be identical on both members
    set monitor <wan1> <internal> ...   # port monitoring; the cluster fails over if one of these goes link-down
end
HA interfaces will get IP addresses from the FGT itself (169.254.x.x).
Advice:
Before forming the cluster, do not configure port monitoring. Do that after the cluster is up.
If you already have one FGT fully configured, set "HA override=enable" on the configured one before attaching the secondary unit, so that you can be sure the primary's config is mirrored, not the (nearly empty) config of the secondary. Remove this setting after the cluster has settled.
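The procedure above as a complete two-unit configuration. This is an added example, not the reply's own config or Fortinet documentation. Assumptions: the unit that already carries the production config is called FGT-A, the factory-fresh one FGT-B; "ha1" and "port9" are the two heartbeat links (check the port names on your 200E); group ID, group name and password are placeholders.

```fortios
# Added example: active-passive cluster, FGT-A already configured, FGT-B new.
# Interface names, group ID/name/password and hostnames are assumptions.

# ---- FGT-A (configured unit, should become primary) ----
config system global
    # hostname is per-unit and is not synchronized
    set hostname "FGT-A"
end
config system ha
    set mode a-p
    # group-id, group-name, password and hbdev must match on both units
    set group-id 10
    set group-name "FGT200E-HA"
    set password "ChangeMe-HA-Secret"
    # heartbeat interfaces with heartbeat priority; they get no IP from you,
    # the HA process assigns 169.254.x.x addresses itself
    set hbdev "ha1" 50 "port9" 50
    # higher than FGT-B so this unit wins the primary election
    set priority 200
    # override makes the higher-priority unit primary regardless of uptime,
    # so FGT-A's config is pushed to FGT-B and not the other way round
    set override enable
    # no "set monitor" yet: add port monitoring after the cluster is in sync
end

# ---- FGT-B (factory-fresh secondary) ----
config system global
    set hostname "FGT-B"
end
config system ha
    set mode a-p
    set group-id 10
    set group-name "FGT200E-HA"
    set password "ChangeMe-HA-Secret"
    set hbdev "ha1" 50 "port9" 50
    # only the priority differs
    set priority 100
end

# ---- On the primary, after "get system ha status" shows both units in sync ----
config system ha
    # with override left enabled, FGT-A would take the cluster back (a second
    # outage) every time it returns after a failover
    set override disable
    # port monitoring is part of the synced config, FGT-B receives it automatically
    set monitor "wan1" "wan2"
end
```

Cable the heartbeat ports 1:1 and power FGT-B up only after its HA block is entered; when it joins, its own configuration (except hostname and priority) is overwritten by FGT-A's.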
I have set up HA using the GUI. The firewall HA pair looks fine, but it doesn't process traffic. When I turn off the active unit, the standby doesn't take over and it freezes.
It shows the roles as Master and Slave.
Synchronization -> Master is green. Slave has an x mark in red.
What is wrong? I have followed the following procedure; only WAN1 & WAN2 are used, HA and Port9 for the heartbeat.
https://cookbook.fortinet.com/high-availability-with-two-fortigates-video/
Also, one more query. I have configured the inside and outside interfaces with IP addresses, connected to switches. MGMT is left at its default and not connected to a switch. In this case, can I access both firewalls by directly connecting my laptop to the MGMT interface?
No, the HA pair doesn't look fine, it's non-functional.
Why are the HA ports orange and not green? What does a mouse-over tell you?
Be sure all HA parameters except for "HA priority" are identical (group name, password, group ID, port settings). Do not use port monitoring for now.
All HA heartbeat ports are connected 1:1 (port 9 to port 9, for example), with straight-through cables.
You need to have a green sync status, or the cluster has failed to form.
You will see a lot of information if you connect a PC to the serial console port.
Enter
"diag debug enable"
"diag debug app haproxy -1"
to get HA diags.
What will prevent cluster formation is:
- using DHCP on any interface
- using PPPoE on any interface
- using different firmware versions (incl. patch level) on cluster members
- widely different time settings on both members
Rather than watching a (fast-paced) video, I prefer reading the recipe (or the corresponding chapter in the Admin Guide, to understand how HA clustering works): https://cookbook.fortinet.com/high-availability-two-fortigates/
You can connect to a mgmt port to manage a FGT (as long as it has a static IP address, or offers DHCP). You need to allow HTTPS or SSH on that port. But routing will not work on a mgmt port.
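The checks the reply lists, as CLI commands to run on both units from the console. This is an added example, not the reply's own commands; the command names are standard FortiOS CLI, but the exact output format varies by release, so read the output rather than pattern-matching it.

```fortios
# Added example: pre-flight and troubleshooting commands for a cluster that
# will not form or stays out of sync. Run on BOTH members and compare.

# 1. Firmware version and build must match exactly (incl. patch level)
get system status

# 2. No interface may use DHCP or PPPoE: look for "set mode dhcp" or
#    "set mode pppoe" in the output; such an interface blocks cluster formation
show system interface

# 3. Clocks must agree; enable NTP on both (ntpsync is synchronized once
#    the cluster forms, but set it before joining to avoid a large time skew)
execute date
execute time
config system ntp
    set ntpsync enable
    set type fortiguard
end

# 4. HA settings: group-id, group-name, hbdev and mode must be identical,
#    only priority (and hostname) differ; hbdev entries carry no IP addresses
show system ha

# 5. Cluster state: both members listed, and the secondary "in sync"
get system ha status

# 6. If sync stays red: per-member configuration checksums; the first line
#    that differs between the members points at the part of the config
#    that is not being replicated
diagnose sys ha checksum cluster

# 7. Live HA debugging from the serial console while the secondary joins;
#    stop with "diagnose debug disable" afterwards
diagnose debug enable
diagnose debug application hatalk -1
diagnose debug application hasync -1
```

If step 2 turns up a DHCP or PPPoE WAN interface, the fix is not an HA setting: put a router in front of the cluster and give the FortiGate a static address, as the reply below says.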
Do I need to assign any IP address on the HA ports?
Please share any complete HA guide, including IP setup on the other interfaces.
No, you don't need to assign IP addresses to HA ports; the HA protocol does that automatically.
If one of the FGT's interfaces is configured to obtain an IP address dynamically, via PPPoE or DHCP, then it cannot form an HA cluster. Use a router in front in this case.
The complete HA documentation is included in the HA chapter of the Administration Guide, with background and config examples in GUI and CLI. This document is a must-have.