Fortigate 200D HA Setup

avilt · ‎05-21-2019

I need to define Fortigate200E HA pair (active/standby)

Except for Mode, priority, groupname/password, heartbeat interfaces, do I need to define anything else on backup firewall?

Do I need to define IP for heart beat interfaces?

ede_pfau · ‎05-22-2019

config sys global

set hostname xxx # will not be replicated

config sys ha

set group-ID <some number != 0> # recommended

set monitor <wan1> <internal> ... # port monitoring; cluster fails over if one of these is link-down

HA interfaces will get IP addresses from FGT (169.254.x.x)

advice:

Before forming the cluster, do not configure port monitoring. Do that after the cluster is up.

IF you already have one FGT fully configured, before attaching the secondary unit set "HA override=enable" on the configured one, so that you can be sure that the primary config is mirrored, not the (nearly empty) config of the secondary. Remove this setting after the cluster has settled.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

avilt · ‎05-22-2019

I have setup HA using GUI. The firewall HA pair looks fine but it doesn't process the traffic. when I turn off the active, standby doesn't take over and it's freezing.

It shows role as Master and Slave.

Synchronization -> Master is Green. Slave x mark in red.

What is wrong? I have followed the following procedure, only WAN1 & WAN2 are used. HA and Port9 for heartbeat.

https://cookbook.fortinet.com/high-availability-with-two-fortigates-video/

Also, one more query. I have configured inside and outside interfaces with IP addresses connected to switches. MGMT is left default, not connected to switch. In this case can I access both firewalls by directly connecting my laptop to MGMT interface?

ede_pfau · ‎05-26-2019

No, the HA pair doesn't look fine, it's non-functional.

Why are the HA ports orange and not green? What does a mouse-over tell you?

Be sure all HA parameters except for "HA priority" are identical (group name, password, group-ID, port settings). Do not use port monitoring for now.

All HA heartbeat ports are connected 1:1 (port 9 to port 9, for example), with straight-through cables.

You need to have a green sync status, or the cluster has failed to form.

You will see a lot of information if you connect a PC to the serial console port.

Enter

"diag debug enable"

"diag debug app haproxy -1"

to get HA diags.

What will prevent cluster formation is

- using DHCP on any interface

- using PPPoE on any interface

- using different firmware versions (incl. patch level) on cluster members

- widely different time settings on both members

Rather than watching a (fast-paced) video, I prefer reading the recipe (or the corresponding chapter in the Admin Guide, to understand how HA clustering works): https://cookbook.fortinet.com/high-availability-two-fortigates/

You can connect to a mgmt port to manage a FGT (as long as it's got a static IP address, or offers DHCP). You need to allow HTTPS or ssh on that port. But, routing will not work on a mgmt port.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

avilt · ‎05-26-2019

As you can see Port 9 and HA are green. I will attach the screen capture.

- using DHCP on any interface. What exactly should be the setting? i Haven't modified these settings.

avilt · ‎05-31-2019

Do I need to assign any IP address on HA ports?

Any complete HA guide such as IP setup on other interface, please share.

ede_pfau · ‎06-01-2019

No you don't need to assign IP addresses to HA ports, the HA protocol does that automatically.

If one of the FGT's interfaces is configured to obtain an IP address dynamically, via PPPoE or DHCP, then it cannot form a HA cluster. Use a router in front in this case.

The complete HA documentation is included in the HA chapter of the Administration Guide, with background and config examples in GUI and CLI. This document is a must-have.

Ede

"Kernel panic: Aiee, killing interrupt handler!"