This is a step-by-step tutorial for configuring a high availability cluster (active-standby) with two FortiGate firewalls. Since almost all firewall vendors have different principles for their HA cluster, I am also showing a common network scenario for Fortinet.
I am using two FortiWiFi 90D firewalls with software version v5.2.5,build701. The official Fortinet documentation for “High Availability with two FortiGates” can be found here.
Basically, all interfaces must be connected with layer-2 switches among both firewalls. (In my lab, these are the wan1 and internal1 ports.) Furthermore, two directly connected interfaces should be used for the HA heartbeats. If the firewall has no dedicated HA interfaces, any unused interfaces can be used instead. (In my lab, I am using ports internal13 and internal14 for the heartbeats on my FortiWiFi-90D firewalls.)
The crucial point is the out-of-band management for accessing both firewalls independent of their HA state. Fortinet has the feature of the “Management Port for Cluster Member“, which must be set during the initial HA process. This interface must be unused to that point and can be configured later with an IP address within the same IP subnet as an already used interface. (In my lab, I am using the internal12 ports for the management ports.)
Note: Before cabling the HA cluster, you should configure both units and then power off (!) the secondary one. Then connect the HA heartbeat interfaces and power on the secondary unit again. This ensures that the primary unit will stay the primary (since it has the longer uptime) and syncs its configuration to the secondary one.
Following are the screenshots for this HA cluster guide. Note the descriptions under each screenshot:
The following two pictures show the physical units after the HA configuration. On the first picture, the HA cluster was not cabled, while on the second, it was. Note the green HA LED:
Via the CLI, the diagnose ha sys status or the get system ha status commands can be used to investigate the cluster:
fd-wv-fw04b $ diagnose sys ha status
traffic.local = s:0 p:18860 b:1708434
traffic.total = s:0 p:19031 b:1726842
activity.fdb = c:0 q:0
Model=90, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0
HA group member information: is_manage_master=0.
FWF90D3Z13005629, 1. Slave:128 fd-wv-fw04b
FWF90D3Z13006159, 0. Master:128 fd-wv-fw04
vcluster 1, state=standby, master_ip=169.254.0.1, master_id=0:
FWF90D3Z13005629, 1. Slave:128 fd-wv-fw04b(prio=1, rev=0)
FWF90D3Z13006159, 0. Master:128 fd-wv-fw04(prio=0, rev=255)
A quite cool feature is the possibility to manage any other firewall within the cluster from any device with: (You must first find out the device-index via “?”)
execute ha manage ?
execute ha manage <device-index>
If you want to test a failover you must manually decrease the priority of the current master (remember: higher priority wins):
execute ha set-priority <serial-number> <new-priority>