FortiGate
epiquette
Staff
Article Id 191959

Description

 

This article describes the basic HA setup.

 

Scope

 

FortiGate.

 

Solution

 

The conditions for configuring HA are as follows:

  • Devices must be of the same model.
  • Devices must have the same Firmware version.
  • The same licenses must be applied to all devices on the cluster.

 

For example, when the above conditions are not met, the HA status appears as below:

 

HA-unknown-1.jpg

 

Note: If the licenses are not the same on both FortiGates, the lowest license level between the two will apply. For example, if one FortiGate has Advanced Malware Protection and the other one does not, then the HA cluster will not have Advanced Malware Protection. 

 

Settings are synchronized between the devices that are part of the HA cluster, except for a few items such as the hostname, HA-related settings such as the priority, and management interface settings.

 

The below steps are only for the basic setup of HA.

  1. Configure the Master device with all the correct configurations. If a backup configuration is available that was taken on the same firmware that is running on the unit, it is possible to restore it on the device. If there is no backup file, skip the restore.

 

  2. Set up the HA configuration on the Master as follows using the CLI:

config global <- This is only required if multi-VDOM mode is enabled.
    config system ha
        set mode {a-a / a-p}
        set group-name <name>
        set group-id <ID> <- It is recommended to change the group name and group ID in case other HA setups are found on the same network.
        set password <password>
        set hbdev <"interface name"> <integer> <- This line indicates the heartbeat interfaces.
        set priority <priority>
    end
 

  3. Make sure that the Slave has no configurations applied. It is possible to achieve that by executing the command 'exec factoryreset'.
  4. Set up the HA configuration on the Slave. Make sure that the priority is lower than that of the Master unit. The other HA parameters should match.

config global <- This is only required if multi-VDOM mode is enabled.
    config system ha
        set mode {a-a / a-p}
        set group-name <name>
        set group-id <ID> <- It is recommended to change the group name and group ID in case other HA setups are found on the same network.
        set password <password>
        set hbdev <"interface name"> <integer> <- This line indicates the heartbeat interfaces.
        set priority <priority>
    end
 
  5. Once this is done, shut down the Slave and connect the heartbeat cable(s) to the interface(s) indicated in the HA configuration, along with all the other cables, including the internal and external network cable(s).

  6. Power on the Slave and allow a few minutes for it to synchronize. This can take some time depending on the configuration.

 

Important note: Starting from FortiOS 7.6.1, an HA password is mandatory when building a new cluster. If the cluster is upgraded from 7.0.x, 7.2.x or 7.4.x without an HA password, the system will skip the password check. However, any subsequent modification to the 'system.ha' settings will enforce the password check and will require the HA password to be configured on all cluster members.
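The following pre-flight check is an added example, not part of the original article or any Fortinet tooling. It compares the 'config system ha' blocks from two configuration backups against the rules above: matching mode, group name, group ID and heartbeat interfaces, an HA password present on both units, and a lower priority on the Slave. The function names and the sample configurations are constructed for illustration; model, firmware and license parity are not covered, since they are not part of this block.

```python
# Keys the article says must match on every cluster member.
MUST_MATCH = ("mode", "group-name", "group-id", "hbdev")

def parse_ha(config_text):
    """Return the top-level 'set' lines of 'config system ha' as a dict."""
    settings, depth = {}, None          # depth None = block not reached yet
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth is None:
            if line == "config system ha":
                depth = 0
        elif line.startswith("config "):  # nested table inside the HA block
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip()
    return settings

def preflight(primary_cfg, secondary_cfg):
    """Compare two units' HA settings and return a list of findings."""
    pri, sec = parse_ha(primary_cfg), parse_ha(secondary_cfg)
    findings = []
    for key in MUST_MATCH:
        if pri.get(key) != sec.get(key):
            findings.append(f"{key} differs: {pri.get(key)!r} vs {sec.get(key)!r}")
    for key in ("group-name", "group-id"):
        if key not in pri:
            findings.append(f"{key} not set explicitly on primary")
    for name, cfg in (("primary", pri), ("secondary", sec)):
        if "password" not in cfg:       # stored value is encrypted; check presence only
            findings.append(f"no HA password on {name}")
    try:
        if int(sec["priority"]) >= int(pri["priority"]):
            findings.append("secondary priority is not lower than primary")
    except (KeyError, ValueError):
        findings.append("priority missing or not numeric on one unit")
    return findings

# Constructed sample configurations (not taken from a real device).
BASE = 'config system ha\n set group-id 37\n set group-name "lab"\n set mode a-p\n set hbdev "port3" 50\n'
PRIMARY = BASE + " set password ENC placeholder\n set priority 200\nend\n"
SECONDARY = BASE + " set priority 200\nend\n"

if __name__ == "__main__":
    print("\n".join(preflight(PRIMARY, SECONDARY)) or "HA settings consistent")
```

An empty list means the two HA blocks are consistent with the steps above. The password value is not compared between units because backups store it in encrypted form.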

 

Related documents:

HA active-passive cluster setup
Technical Tip: Rebuilding an HA cluster