Fortigate high availability configuration Active – Active mode

To configure HA in A-A mode, the following criteria must be met, according to Fortinet:

- All FortiGates in the cluster must be the same model and have the same firmware installed; in other words, the appliances must share the same hardware model and the same firmware version.
- Cluster members must also have the same hardware configuration, such as the same number of hard disks.
- Make sure the WAN/LAN interfaces are not getting their IP addresses from DHCP or PPPoE; otherwise there can be a delay while addresses are obtained from DHCP or PPPoE. Configure their IP addresses statically. It can be made to work with DHCP or PPPoE, but there may be issues.
- Ensure that the WAN and LAN interfaces are connected via a switch.
- Use at least two heartbeat interfaces to avoid a single point of failure in the network.

Active-active HA (load balancing and failover protection) –

- An active-active HA cluster consists of a primary unit that receives all communication sessions and load-balances them among the primary unit and all of the subordinate units. In an active-active cluster the subordinate units are also considered active, since they also process content-processing sessions. In all other ways active-active HA operates the same as active-passive HA.
- With A-A mode, the FortiGate cluster can load-balance between both cluster members; in other words, we deploy A-A mode to utilize both units.

Next I want to add the configuration that I will apply in this lab. Getting started with FortiGate HA A-A mode configuration:

HA configuration road map –

    config system ha
        set group-id 10
        set group-name HA_cluster
        set mode a-a
        set password admin@54321
        set priority 200
        set hbdev port3 0 port4 1
        set session-pickup enable
        set override enable
        set override-wait-time 5
        set monitor port1 port2 port3 port4
    end

Points to remember –

1. The HA configuration must be the same on every cluster member, otherwise the HA cluster will not form.
2. You do not have to configure the entire configuration on every cluster member, only the HA settings and the hostname.
3. Ports must be connected the same way on both cluster members.

In this topology we will show you how to configure HA A-A mode, but before that I would like to describe what I have configured on the other devices, such as the ISP router, so that the ISP router can communicate with the outside world (Google, for example). On the LAN switch I have configured VLANs and trunking, that's it.

Interesting traffic configured on the ISP router (NAT overload) –

    ISP(config)#access-list 10 permit any
    ISP(config)#ip nat inside source list 10 interface G0/0 overload
    ISP(config)#interface range G1/0 - 2
    ISP(config-if-range)#ip nat inside
    ISP(config)#interface G3/0
    ISP(config-if)#ip nat outside

Now I am going to describe the FortiGate HA configuration commands in a little more detail –

    config system ha
        set group-id 10
        set group-name HA_cluster
        set mode a-a
        set password admin@54321
        set priority 200
        set hbdev port3 0 port4 1
        set session-pickup enable
        set override enable
        set override-wait-time 5
        set monitor port1 port2 port3 port4
    end

To configure HA, you first have to enter the following command:

    config system ha

The following commands are used for cluster identification –

- Group ID: set group-id 10
- Group name: set group-name HA_cluster
- Password: set password XXXXX

Priority decides which device becomes primary and which becomes secondary –

- Priority: set priority 200

For the HA configuration you have to decide which mode you need: standalone, active-active or active-passive, as appropriate for your deployment.

- Mode: set mode standalone | a-a | a-p

The hbdev command decides which ports are used as heartbeat interfaces (it sets the network interfaces used for heartbeat packets; you can configure one or two heartbeat ports, and the number after each interface is its heartbeat priority). To configure the heartbeat interfaces use the following command –

- set hbdev port3 0 port4 1 (as per my topology)

If session pickup is not enabled, the FGCP does not synchronize the primary unit's session table to the other cluster units, and sessions do not resume after a failover. After a device or link failover all sessions are briefly interrupted and must be re-established at the application level after the cluster renegotiates. If you want to enable it, use the following command –

- set session-pickup enable

If you want to make sure that the same cluster unit always operates as the primary unit once it comes back up, enable override with the following command –

- set override enable (the HA override CLI command is disabled by default)

Note – FortiGate HA primary selection process: priority, age, serial number of the device.

For link monitoring use the following command –

- set monitor port1 port2 port3 port4

Points to remember –

Only the HA configuration has to be entered on the secondary device, and its hostname has to be changed, that's it. Its priority should be lower than the primary device's; the exact value is up to you. In my case it is 150 on the secondary device and 200 on the primary.
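The rules stated above and in the earlier points to remember (the HA settings must be identical on every member, only hostname and priority differ, and at least two heartbeat interfaces are needed) can be checked before two units are cabled together. The following script is an added example, not part of this note and not a Fortinet tool: it parses the `config system ha` block of each member as pasted from the CLI and reports any rule that is broken. The hostnames FGT-PRIMARY/FGT-SECONDARY and the password placeholder are constructed for the example; the other values are the ones used in this lab.

```python
"""Consistency check for the HA settings of two FortiGate cluster members.

Added example (not from the original note). It parses the `config system ha`
block of each member and checks the note's rules: cluster-identification
settings identical on every member, priorities distinct, mode a-a, and at
least two heartbeat interfaces. Hostnames and the password placeholder are
constructed; the other values come from the lab configuration.
"""

# Settings the note says must be the same on every cluster member.
MUST_MATCH = ("group-id", "group-name", "password", "mode", "hbdev",
              "session-pickup", "override", "override-wait-time", "monitor")

# Constructed sample configs for the lab topology (priority 200 vs 150).
PRIMARY_CFG = """\
config system ha
    set group-id 10
    set group-name HA_cluster
    set mode a-a
    set password HA_PASSWORD_PLACEHOLDER
    set priority 200
    set hbdev port3 0 port4 1
    set session-pickup enable
    set override enable
    set override-wait-time 5
    set monitor port1 port2 port3 port4
end
"""

SECONDARY_CFG = PRIMARY_CFG.replace("set priority 200", "set priority 150")

# Constructed broken secondary: group-name typo and only one heartbeat port.
BROKEN_CFG = (SECONDARY_CFG
              .replace("HA_cluster", "HA_Cluster")
              .replace("set hbdev port3 0 port4 1", "set hbdev port3 0"))


def parse_ha_config(text):
    """Return {setting: [tokens]} for each `set` line inside `config system ha`.

    Surrounding quotes are stripped so that `set hbdev "port3" 0 "port4" 1`
    (as printed by `show system ha`) parses like the unquoted form in the note.
    """
    settings = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            parts = line.split()
            settings[parts[1]] = [tok.strip('"') for tok in parts[2:]]
    return settings


def heartbeat_interfaces(settings):
    """hbdev tokens alternate interface name and heartbeat priority."""
    toks = settings.get("hbdev", [])
    return [(toks[i], int(toks[i + 1])) for i in range(0, len(toks) - 1, 2)]


def check_cluster(members):
    """members: {hostname: config text}. Returns a list of problems (empty = OK)."""
    parsed = {host: parse_ha_config(cfg) for host, cfg in members.items()}
    hosts = list(parsed)
    problems = []
    ref_host, ref = hosts[0], parsed[hosts[0]]
    for host in hosts[1:]:
        for key in MUST_MATCH:
            if parsed[host].get(key) != ref.get(key):
                problems.append(f"{key} differs between {ref_host} and {host}")
    # FortiOS default priority is 128; equal priorities leave the primary
    # choice to age and serial number instead of the administrator.
    priorities = [int(s.get("priority", ["128"])[0]) for s in parsed.values()]
    if len(set(priorities)) != len(priorities):
        problems.append("priority is identical on more than one member")
    for host, s in parsed.items():
        if s.get("mode") != ["a-a"]:
            problems.append(f"{host}: mode is not a-a")
        if len(heartbeat_interfaces(s)) < 2:
            problems.append(f"{host}: fewer than two heartbeat interfaces")
    return problems


def expected_primary(members):
    """With override enabled, the member with the highest priority becomes
    primary (age and serial number break ties on a real cluster; they are
    not in the config text, so only priority is compared here)."""
    parsed = {host: parse_ha_config(cfg) for host, cfg in members.items()}
    return max(parsed, key=lambda h: int(parsed[h].get("priority", ["128"])[0]))


if __name__ == "__main__":
    lab = {"FGT-PRIMARY": PRIMARY_CFG, "FGT-SECONDARY": SECONDARY_CFG}
    print("problems:", check_cluster(lab) or "none")
    print("expected primary:", expected_primary(lab))
    print("problems with broken secondary:",
          check_cluster({"FGT-PRIMARY": PRIMARY_CFG, "FGT-SECONDARY": BROKEN_CFG}))
```

Paste the real `show system ha` output of each unit into the dictionary in place of the constructed strings; the first member in the dictionary is used as the reference that the others are compared against.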

Now let's check the FortiGate HA active-active mode configuration on the primary device. Once the configuration is done, you will see the following output in the CLI and GUI of the primary device.

GUI view –

As you can see, there are two heartbeat interfaces, shown with a heart symbol.

Now I am going to configure HA active-active on the secondary device. Once it is configured on the secondary device, you will see that both devices work as active-active.

The same HA configuration is applied; you only have to change the priority and hostname, that's it.

After configuring HA on the secondary device –



You can also verify it using the FortiGate dashboard –



Output of both HA cluster members when they are in active-active mode.

Primary device –

Secondary device –

Output of the HA status from the GUI –



You can verify the HA status using the following commands –

    # get system ha

    # get system ha status

Point to remember: if you want to move from the primary device's CLI to the secondary device, run the following command –

    # execute ha manage <id>   (the cluster index of the member, such as 0 or 1)

If you want to check the id, use the following command –

    # get system ha status

    # execute ha manage ---- output



Example –

    # execute ha manage 0 admin-EXAMPLE   <----- 0 is the ID of the secondary unit and EXAMPLE is the admin username.

    # execute ha manage 1 admin-EXAMPLE   <----- 1 is the ID of the secondary unit and EXAMPLE is the admin username.

If you want to go back to the primary device, type the exit command in the CLI.

There are many more commands for HA configuration; use them as per your requirements –

    config system ha
        set arps <integer>
        set arps-interval <integer>
        set datadev <datasource>
        set group-id <integer>
        set group-name <string>
        set hb-interval <integer>
        set hb-lost-threshold <integer>
        set hbdev <datasource>
        set http-persistence-pickup {enable|disable}
        set local-node-id <integer>
        set l4-persistence-pickup {enable|disable}
        set l4-session-pickup {enable|disable}
        set mode {active-active | active-passive | standalone}
        set monitor <datasource>
        set node-list {0 1 2 3 4 5 6 7}
        set override {enable|disable}
        set priority <integer>
        set remote-ip-monitor {enable|disable}
        set remote-ip-failover-hold-time <integer>
        set remote-ip-failover-threshold <integer>
        config remote-ip-monitor-list
            edit <name>
                set health-check-interval <integer>
                set health-check-retry <integer>
                set health-check-timeout <integer>
                set interface <datasource>
                set remote-address <class_ip>
            next
        end
    end

Keep attention –

I have configured these things as per my understanding; if there is any kind of error, please let me know as soon as possible. All the topics have been described in layman's terms. I hope this note will also be helpful for you all.

I want your support: share, like and comment.

Your one comment, share and like will encourage me to make more notes. As you know, I am posting notes here on a daily basis; I will highly appreciate your comments, likes and shares as well.

For more notes you can reach out to me via email – [email protected]

Thank you –
Umesh Prajapati
