Fortigate 200D HA Setup

Author
avilt
Bronze Member
  • Total Posts : 35
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/02/11 03:16:33
  • Status: offline
2019/05/21 12:04:58 (permalink)

Fortigate 200D HA Setup

I need to set up a Fortigate 200E HA pair (active/standby).
Apart from mode, priority, group name/password and heartbeat interfaces, do I need to define anything else on the backup firewall?
Do I need to define IPs for the heartbeat interfaces?
#1


    ede_pfau
    Expert Member
    • Total Posts : 5962
    • Scores: 468
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Fortigate 200D HA Setup 2019/05/22 01:16:39 (permalink)
    config system global
        set hostname xxx       # will not be replicated
    end
     
    config system ha
        set group-id <some number != 0>    # recommended
        set monitor <wan1> <internal> ...  # port monitoring; cluster fails over if one of these is link-down
    end
     
    The HA interfaces get their IP addresses from the FGT automatically (169.254.x.x).
     
    advice:
    Before forming the cluster, do not configure port monitoring. Do that after the cluster is up.
     
    If you already have one FGT fully configured, then before attaching the secondary unit, set "HA override=enable" on the configured one, so that you can be sure that the primary config is mirrored, not the (nearly empty) config of the secondary. Remove this setting after the cluster has settled.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    avilt
    Re: Fortigate 200D HA Setup 2019/05/22 12:10:59 (permalink)
    I have set up HA using the GUI. The firewall HA pair looks fine, but it doesn't process traffic. When I turn off the active unit, the standby doesn't take over and it freezes.
    It shows the roles as Master and Slave.
    Synchronization -> Master is green; Slave has a red X mark.
    What is wrong? I have followed the procedure below; only WAN1 & WAN2 are used, HA and Port9 for heartbeat.
     
    https://cookbook.fortinet.com/high-availability-with-two-fortigates-video/
     
    Also, one more query. I have configured the inside and outside interfaces with IP addresses, connected to switches. MGMT is left at its default and is not connected to a switch. In this case, can I access both firewalls by directly connecting my laptop to the MGMT interface?
    post edited by avilt - 2019/05/22 12:34:08

    Attached Image(s)

    #3
    ede_pfau
    Re: Fortigate 200D HA Setup 2019/05/26 06:04:18 (permalink)
    No, the HA pair doesn't look fine, it's non-functional.
    Why are the HA ports orange and not green? What does a mouse-over tell you?
     
    Be sure all HA parameters except for "HA priority" are identical (group name, password, group-ID, port settings). Do not use port monitoring for now.
    All HA heartbeat ports are connected 1:1 (port 9 to port 9, for example), with straight-through cables.
    You need to have a green sync status, or the cluster has failed to form.
     
    You will see a lot of information if you connect a PC to the serial console port.
    Enter
    "diag debug enable"
    "diag debug app haproxy -1"
    to get HA diags.
     
    What will prevent cluster formation is
    - using DHCP on any interface
    - using PPPoE on any interface
    - using different firmware versions (incl. patch level) on cluster members
    - widely different time settings on both members
     
    Rather than watching a (fast-paced) video, I prefer reading the recipe (or the corresponding chapter in the Admin Guide, to understand how HA clustering works): https://cookbook.fortinet.com/high-availability-two-fortigates/
     
    You can connect to a mgmt port to manage a FGT (as long as it's got a static IP address, or offers DHCP). You need to allow HTTPS or ssh on that port. But, routing will not work on a mgmt port.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
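A pre-flight check for the cluster-formation requirements listed in the reply above (HA settings identical on both members except priority, a non-zero group-ID, no port monitoring until the cluster is up, no DHCP or PPPoE interface, the same firmware on both members). This is an added example written for this thread; it is not code from the posts or from Fortinet. It parses two constructed FortiOS configuration backups embedded in the script: the hostnames, addresses, build numbers and the `blobA`/`blobB` password placeholders are made up, and the check assumes a backup begins with the usual `#config-version=` header line.

```python
"""Pre-flight check for a FortiGate HA pair.

Parses two FortiOS configuration backups (the text from the GUI
"Backup config" or 'execute backup config') and reports the
cluster-breakers discussed in the thread: mismatched firmware, HA
settings that differ between the members, a DHCP/PPPoE interface, a
default group-id, and port monitoring set before the cluster has formed.
Runs offline with only the standard library.
"""
import shlex

# Constructed sample backups for two units (made-up names, addresses,
# build numbers and password blobs; not real devices).
PRIMARY = """\
#config-version=FGT200E-6.0.5-FW-build0268-190507:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-a"
end
config system ha
    set group-id 7
    set group-name "edge-ha"
    set mode a-p
    set password ENC blobA
    set hbdev "ha" 50 "port9" 50
    set override enable
    set priority 200
    set monitor "wan1" "wan2"
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.248
        set allowaccess ping
    next
    edit "wan2"
        set mode dhcp
    next
    edit "mgmt"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set dedicated-to management
    next
end
"""

SECONDARY = """\
#config-version=FGT200E-6.0.4-FW-build0231-190208:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-b"
end
config system ha
    set group-id 7
    set group-name "edge-ha"
    set mode a-p
    set password ENC blobB
    set hbdev "ha" 50 "port9" 50
    set priority 128
end
config system interface
    edit "wan1"
        set ip 203.0.113.3 255.255.255.248
    next
    edit "wan2"
        set ip 198.51.100.3 255.255.255.248
    next
end
"""


def parse_backup(text):
    """Extract the firmware version string, the 'config system ha' table and
    each interface's settings from a FortiOS backup."""
    version, ha, interfaces = None, {}, {}
    stack = []          # nested 'config ... end' tables currently open
    current_if = None   # interface name inside 'edit <name>' ... 'next'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#config-version="):
            version = line.split("=", 1)[1].split(":", 1)[0]
            continue
        tok = shlex.split(line)          # honours the quoted names
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(tuple(args))
        elif cmd == "end":
            stack.pop()
        elif cmd == "edit" and stack[-1:] == [("system", "interface")]:
            current_if = args[0]
            interfaces[current_if] = {}
        elif cmd == "next":
            current_if = None
        elif cmd == "set" and stack:
            if stack[-1] == ("system", "ha"):
                ha[args[0]] = args[1:]
            elif stack[-1] == ("system", "interface") and current_if:
                interfaces[current_if][args[0]] = args[1:]
    return {"version": version, "ha": ha, "interfaces": interfaces}


# Everything under 'config system ha' must match except priority.  The
# password appears in a backup as a device-specific ENC blob, so it cannot
# be compared from files; set it identically by hand on both members.
MUST_MATCH = ("group-name", "group-id", "mode", "hbdev")


def check_pair(primary_text, secondary_text):
    """Return a list of human-readable problems; an empty list means go ahead."""
    units = {"primary": parse_backup(primary_text),
             "secondary": parse_backup(secondary_text)}
    a, b = units["primary"], units["secondary"]
    problems = []
    if a["version"] != b["version"]:
        problems.append(f"firmware mismatch: {a['version']} vs {b['version']}")
    for key in MUST_MATCH:
        if a["ha"].get(key) != b["ha"].get(key):
            problems.append(f"HA {key} differs: {a['ha'].get(key)} vs {b['ha'].get(key)}")
    for label, unit in units.items():
        ha = unit["ha"]
        if ha.get("group-id", ["0"]) == ["0"]:
            problems.append(f"{label}: group-id is 0 (default); use a non-zero value unique per cluster on the LAN")
        if "monitor" in ha:
            problems.append(f"{label}: port monitoring set before the cluster has formed; add it after sync is green")
        for name, cfg in unit["interfaces"].items():
            mode = cfg.get("mode", ["static"])[0]
            if mode in ("dhcp", "pppoe"):
                problems.append(f"{label}: interface {name} uses {mode}; cluster will not form")
    return problems


if __name__ == "__main__":
    for p in check_pair(PRIMARY, SECONDARY) or ["no blocking problems found"]:
        print(p)
```

Run it against real backups by reading the two files into `PRIMARY` and `SECONDARY`; on the constructed sample it reports the firmware mismatch, the DHCP wan2 on the primary and the premature port monitoring, and nothing about the HA table itself because group-id, group name, mode and heartbeat devices already agree.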
    avilt
    Re: Fortigate 200D HA Setup 2019/05/26 06:12:45 (permalink)
    As you can see, Port 9 and HA are green. I will attach the screen capture.
     
    - using DHCP on any interface: what exactly should the setting be? I haven't modified these settings.

    Attached Image(s)

    #5
    avilt
    Re: Fortigate 200D HA Setup 2019/05/31 12:54:57 (permalink)
    Do I need to assign any IP address on the HA ports?
    If there is a complete HA guide, including IP setup on the other interfaces, please share it.
    #6
    ede_pfau
    Re: Fortigate 200D HA Setup 2019/06/01 02:02:05 (permalink)
    No, you don't need to assign IP addresses to the HA ports; the HA protocol does that automatically.
     
    If one of the FGT's interfaces is configured to obtain an IP address dynamically, via PPPoE or DHCP, then it cannot form an HA cluster. Use a router in front in this case.
     
    The complete HA documentation is included in the HA chapter of the Administration Guide, with background and config examples in GUI and CLI. This document is a must-have.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7