I have a pair of 200e that I'd like to get into an HA pair. My issue is that I will not be able to cable the passive one the same as the primary for a few months because reasons. I want to link them via the HA port so that the primary unit automatically sends the config to the 2nd and in case of complete hardware failure, anyone on the team can just move the cables over and the unit is ready to go. Is this possible?
Is there another solution to have the configs mirrored to each other?
1) I'm trying to keep it simple for now until it can be cabled properly so I don't want anything plugged into the passive unit other than what's required to mirror the config. I'm not sure which interface I should be monitoring or is it even required in this situation? Just select the heartbeat interface (the HA port) and that's it?
3) So using the HA port on each unit then select another un-used port to link for redundancy?
1- yes, just connect the HA ports. Best practice says, use redundant HA links, as the worst case of all is when cluster members lose their HA link, and both guess they are master - with identical IP addresses and MACs.
1b- HA monitoring is used to monitor the link status of certain ports (like, the LAN port), in addition to the master device status. The cluster will then fail over if either the master if offline, or one of the monitored links is down.
Link status down is quite seldom, so you can enhance this by letting the FGT check a remote target by ping. If enough pings fail, the cluster will fail over.
But this is enhanced stuff, and I recommend to read up on HA in the FortiOS Handbook before configuring anything.
2- you can use any unused port for a HA link, for example the HA port and port "wan2" or whichever. I specifiy "HA2" as this port's alias, just to remind me. And I use red cables, and warn my customer to never, ever pull these out while the FGTs are running.
1B) I understand the monitoring portion of it and if everything was cabled correctly, I'd want to monitor all the ports in use. But since I don't want the failover to happen, I don't want to monitor anything, right?
I've been scouring the docs but they all assume everything is properly cabled which its not in this case.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.