HA Setup with FortiGate Firewalls

Overview
Lab using two FortiGate 40F units in HA (Active / Passive). The cluster triggers a failover when the primary firewall loses power or any monitored link on it goes down.
Pre Reqs
Before beginning, get the prerequisites out of the way. To set up HA, the two FortiGates must be the same hardware model, running the same firmware version, and carrying the same license SKU. The ports also need to be cabled identically on both firewalls. Double-check that the interfaces are not getting their IP addresses from DHCP or PPPoE; interfaces on a cluster must be statically addressed. This walkthrough assumes you have the first firewall partly configured. Once it is configured the way you want it, its configuration is cloned to the second firewall when the cluster forms, overwriting whatever was on the second unit, so start the second unit from factory defaults and do not rely on anything configured on it.
How it works
FortiGate uses the heartbeat connections to maintain cluster communication and synchronization (TCP/703 and UDP/703, plus layer-2 frames with Ethertype 0x8890, 0x8891 and 0x8893). Because the heartbeat is layer 2, connect the heartbeat interfaces directly, or through a dedicated switch or VLAN that forwards those frames. In our example we have one heartbeat connection, but in production use two on separate ports so that losing a single cable does not split the cluster. When the cluster is configured, the primary continuously syncs its configuration to the secondary unit. With session pickup enabled, established TCP sessions are also synced to the secondary, so when a failover occurs traffic keeps flowing without the sessions being re-established. Two caveats: UDP and ICMP sessions are only synced if connectionless session pickup is also enabled, and sessions handled by proxy-based inspection are not synced at all. FortiGate can also do Active-Active clustering to load balance between the firewalls; by default only sessions subject to proxy-based inspection are distributed to the secondary, and everything else stays on the primary unless load-balance-all is enabled. Either way, with a two-node cluster make sure one device is sized to handle all the traffic on its own.
The Architecture
Single ISP
Multiple ISPs
The Setup
Configure Via Portal
On the primary Fortigate > System > HA
Device Priority: 200
Group name: HA-GROUP
Password: must match on both firewalls. It authenticates units joining the cluster, so set one rather than relying on the default (empty) password; otherwise any unit on the heartbeat segment with the same group ID can join.
Session pickup: Enabled - synchronizes established sessions to the secondary so they survive a failover
Monitor Interfaces: select the interfaces whose link state should trigger a failover (in this lab, WAN1 and LAN1)
Heartbeat Interfaces: enter one or more interfaces; use two in production
Management Interface reservation: gives each firewall its own dedicated management port with a per-unit address that is not synchronized, since the secondary is otherwise not reachable directly once clustered
Repeat on the second node with the same group name, password, heartbeat and monitored interfaces, but a lower Device Priority (for example 100) so the first unit is elected primary
Configure Via CLI
Fortigate 1
config system global
set hostname FG01
end
config system ha
set group-id 100
set group-name HA01
set mode a-p
set password CHANGEME
set hbdev lan4 0
set session-pickup enable
set override enable
set override-wait-time 10
set priority 200
end
Fortigate 2
config system global
set hostname FG02
end
config system ha
set group-id 100
set group-name HA01
set mode a-p
set password CHANGEME
set hbdev lan4 0
set session-pickup enable
set priority 100
end
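The CLI blocks above leave out a few settings the GUI section mentions, namely the monitored interfaces, a second heartbeat link and the reserved management port. Below is a fuller FG01 configuration as an added example; it is not from the original page. The interface names wan1, lan1, lan2 and lan3, the management address 192.0.2.11/24 and the gateway 192.0.2.1 are assumptions for this lab, and lan2/lan3 must be removed from the default hardware switch on a 40F before they can be used as heartbeat or management ports. The same block applies to FG02 with priority 100 and its own management address.

```fortios
config system ha
    set group-id 100
    set group-name "HA01"
    set mode a-p
    set password CHANGEME
    set hbdev "lan4" 100 "lan3" 50
    set monitor "wan1" "lan1"
    set link-failed-signal enable
    set session-pickup enable
    set session-pickup-connectionless enable
    set override disable
    set priority 200
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "lan2"
            set gateway 192.0.2.1
        next
    end
end
config system interface
    edit "lan2"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Notes on the choices: hbdev takes an interface and a priority, and the link with the higher number is preferred, so lan4 carries the heartbeat and lan3 takes over if it fails. monitor lists the interfaces whose link loss triggers a failover, matching the WAN1 and LAN1 tests in the plan below. link-failed-signal briefly drops the links on the unit that gives up the primary role so upstream switches relearn the cluster virtual MAC addresses immediately. The group-id is used to derive those virtual MACs, so two clusters on the same layer-2 segment must use different group IDs. override is disabled here on purpose: the page's config enables it with a 10 second wait, which makes FG01 take the primary role back when it returns and causes a second failover; with override disabled the unit that is primary stays primary until it actually fails, which is usually what you want during an outage. The ha-mgmt interface and its address are per unit and not synchronized, which is what lets you reach the secondary directly.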
Automated Notifications
Optional - in production it is good to be notified when one of the FortiGates goes down. To do this, create an automation stitch with the HA failover event as the trigger and an email (or webhook) action.
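An email notification stitch for the failover event, as an added example rather than the original page's configuration. The SMTP server smtp.example.com, the credentials and the recipient noc@example.com are placeholders; the stitch syntax with config actions is FortiOS 7.x, while 6.4 uses a single set action "mail-noc" line inside the stitch instead.

```fortios
config system email-server
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate@example.com"
    set password "CHANGEME"
end
config system automation-trigger
    edit "ha-failover"
        set event-type ha-failover
    next
end
config system automation-action
    edit "mail-noc"
        set action-type email
        set email-to "noc@example.com"
        set email-subject "FortiGate HA failover"
    next
end
config system automation-stitch
    edit "notify-ha-failover"
        set status enable
        set trigger "ha-failover"
        config actions
            edit 1
                set action "mail-noc"
                set required enable
            next
        end
    next
end
```

The stitch is synchronized to both units like the rest of the configuration, and the unit that becomes primary sends the mail. Pulling the power on the primary during the test plan below is the easiest way to confirm the notification arrives.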
Remove HA Configuration via CLI
Run on each box over a console cable. A unit set back to standalone keeps the cluster's configuration, including the same interface addresses, so the two firewalls will conflict if both stay on the same network; disconnect or reconfigure one of them before reconnecting.
config system ha
set mode standalone
end
Testing Plan
Before each test, note which unit is primary (get system ha status) and run a continuous ping through the cluster so you can see how long the failover takes and confirm that established sessions survive it.
Pull power for Fortigate A
Pull power for Fortigate B
Pull Network cable for WAN1 for Fortigate A
Pull Network cable for WAN1 for Fortigate B
Pull Network cable for LAN1 for Fortigate A
Pull Network cable for LAN1 for Fortigate B
Pull one of the HEARTBEAT cables. With a single heartbeat link, as in this lab, this isolates the units: each sees the other as failed, both become primary, and the same IPs and virtual MACs appear twice on the network. This is why production clusters need two heartbeat links.
Troubleshooting
Show the cluster state: which unit is primary, which is secondary, and why the primary was selected
get system ha status
Show detailed HA status, including heartbeat and uptime details
diagnose sys ha status
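Three more commands worth knowing when the cluster does not behave, added here as an example and not part of the original page. The first checks that the configuration actually synchronized, the second shows the recent HA state changes, and the third opens a CLI session on the other unit over the heartbeat link, which is the only way in when no management interface is reserved. The admin account name and the peer index 0 are assumptions; run execute ha manage ? to list the available indexes.

```fortios
diagnose sys ha checksum cluster
diagnose sys ha history read
execute ha manage 0 admin
```

In the checksum output, the per-unit checksums should be identical on every member; if they differ, the secondary is out of sync and a failover will bring up a different configuration than the one you tested.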
Written by Ryan F