HA Setup with FortiGate Firewalls

Ryan F

Overview

This lab uses two FortiGate 40F units in an HA pair (Active / Passive). The FortiGate cluster triggers a failover when one of the firewalls loses power or when any monitored link goes down.

Prerequisites

Before beginning, a few prerequisites have to be out of the way. To set up HA, the two FortiGates must be the same hardware model, run the same firmware version, and carry the same license SKU. In addition, the ports need to be cabled identically on both firewalls. Double-check that the interfaces are not getting their IP addresses from DHCP or PPPoE. This guide assumes you already have the first firewall partly configured. Once the first unit is configured the way you want it, its configuration is automatically cloned to the second firewall when the cluster forms.

How it works

FortiGate uses the heartbeat connections to maintain cluster communication and synchronization (using ports TCP/703 and UDP/703). In this example there is one heartbeat connection, but it is better to have two in production. When the cluster is configured, the primary actively syncs all of its configuration data to the secondary unit. When session pickup is enabled, the existing TCP sessions are synced to the secondary firewall as well, so when a failover occurs the network is not impacted: traffic keeps flowing without sessions having to be re-established. FortiGate can also do Active-Active clustering to provide "load balancing" between the firewalls. If you run a two-node cluster, make sure each firewall is sized to handle all of the traffic on its own.

The Architecture

Single ISP

In this example SW01 is a single point of failure. It is better to have two heartbeat connections; this example shows only one.

Multiple ISPs

The Setup

Configure Via Portal

  1. On the primary Fortigate > System > HA

    • Device Priority: 200

    • Group name: HA-GROUP

    • Password: must match on both firewalls (or leave the default on both)

    • Session pickup: Enabled - replicates client session state to the secondary so sessions survive a failover

    • Monitor Interfaces: select the interfaces whose link state should trigger a failover

    • Heartbeat Interfaces: enter one or more interfaces

    • Management Interface reservations: reserves a dedicated management port on each firewall, since you usually can't reach the secondary unit directly once it is clustered

  2. Repeat for the second node

Configure Via CLI

Fortigate 1

config system global
  set hostname FG01
end

config system ha
  set group-id 100
  set group-name HA01
  set mode a-p
  set password CHANGEME
  set hbdev lan4 0
  set session-pickup enable
  set override enable
  set override-wait-time 10
  set priority 200
end

Fortigate 2

config system global
  set hostname FG02
end

config system ha
  set group-id 100
  set group-name HA01
  set mode a-p
  set password CHANGEME
  set hbdev lan4 0
  set session-pickup enable
  set priority 100
end
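The prerequisites section says the group settings have to match on both units while the priorities have to differ, and the "How it works" section recommends two heartbeat links in production. The following script is an added example (not part of the original post, and not a Fortinet tool) that parses the two `config system ha` blocks above and checks exactly those points before the configs are pushed. The FG01/FG02 text is copied from the post; `FG02_BAD` is a constructed broken variant used to show what a failing check looks like.

```python
"""Pre-deployment consistency check for a FortiGate active/passive HA pair.

Added example, not part of the original post or of Fortinet's tooling. It
parses the `config system ha` block from each node's CLI configuration and
checks the settings the post says must match on both nodes, plus the
priority and heartbeat points the post makes. FG01/FG02 are the post's own
blocks embedded inline; FG02_BAD is a constructed broken variant.
"""
import re
from typing import Dict, List

# Settings that must be identical on both cluster members.
MUST_MATCH = ("group-id", "group-name", "mode", "password", "hbdev", "session-pickup")

FG01 = """\
config system global
  set hostname FG01
end

config system ha
  set group-id 100
  set group-name HA01
  set mode a-p
  set password CHANGEME
  set hbdev lan4 0
  set session-pickup enable
  set override enable
  set override-wait-time 10
  set priority 200
end
"""

FG02 = """\
config system ha
  set group-id 100
  set group-name HA01
  set mode a-p
  set password CHANGEME
  set hbdev lan4 0
  set session-pickup enable
  set priority 100
end
"""

# Constructed: wrong group-id and a priority that ties with FG01.
FG02_BAD = FG02.replace("group-id 100", "group-id 101").replace("priority 100", "priority 200")


def parse_ha_block(config: str) -> Dict[str, str]:
    """Return the `set key value` pairs found inside `config system ha ... end`."""
    match = re.search(r"^config system ha\s*$(.*?)^end\s*$", config, re.M | re.S)
    if not match:
        raise ValueError("no 'config system ha' block found")
    settings: Dict[str, str] = {}
    for line in match.group(1).splitlines():
        parts = line.strip().split(maxsplit=2)  # "set", key, rest-of-line
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].replace('"', "").strip()
    return settings


def check_pair(primary: str, secondary: str) -> Dict[str, List[str]]:
    """Compare two node configs; returns blocking errors and advisory warnings."""
    a, b = parse_ha_block(primary), parse_ha_block(secondary)
    errors: List[str] = []
    warnings: List[str] = []

    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            errors.append(f"{key}: {a.get(key)!r} on node 1 vs {b.get(key)!r} on node 2")

    # Equal priorities leave primary election to the tie-breakers; the intended
    # primary should carry the higher value (200 vs 100 in the post).
    if a.get("priority") == b.get("priority"):
        errors.append(f"priority: both nodes set to {a.get('priority')!r}")

    if a.get("mode") != "a-p":
        warnings.append(f"mode is {a.get('mode')!r}, not the active/passive setup described")

    # hbdev is a list of 'interface priority' pairs; one pair means a single
    # heartbeat link, which the post flags as a single point of failure.
    hb_devices = a.get("hbdev", "").split()[::2]
    if len(hb_devices) < 2:
        warnings.append(f"only {len(hb_devices)} heartbeat interface configured; use two in production")

    if a.get("password") in ("", "CHANGEME"):
        warnings.append("HA password is still the placeholder; set a real shared secret")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("FG02", FG02), ("FG02_BAD", FG02_BAD)):
        result = check_pair(FG01, cfg)
        print(f"{label}: {len(result['errors'])} error(s), {len(result['warnings'])} warning(s)")
        for msg in result["errors"] + result["warnings"]:
            print("  -", msg)
```

Run against the post's own FG01/FG02 pair the check reports no errors but two warnings (a single heartbeat interface and the `CHANGEME` placeholder password); against the constructed `FG02_BAD` it additionally reports the `group-id` mismatch and the tied priority, which would otherwise only surface after the units fail to form a cluster.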

Automated Notifications

Optional - in production it is good to be notified when one of the FortiGates goes down. To accomplish this, create an automation stitch that sends a notification when a failover happens.

Remove HA Configuration via CLI

Run on each box using a console cable.

config system ha
  set mode standalone
end

Testing Plan

  • Pull power for Fortigate A

  • Pull power for Fortigate B

  • Pull Network cable for WAN1 for Fortigate A

  • Pull Network cable for WAN1 for Fortigate B

  • Pull Network cable for LAN1 for Fortigate A

  • Pull Network cable for LAN1 for Fortigate B

  • Pull one of the HEARTBEAT cables

Troubleshooting

Get the status of the HA Configuration

get system ha status

Get detailed diagnostic HA status

diagnose sys ha status