High Availability
before setting up the HA cluster. This includes licensing for FortiCare, IPS, AntiVirus, Web Filtering, Mobile
Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). Both FortiGate-7000s in the cluster
must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses
can be added at any time because they are synchronized to all cluster members.
If required, you should configure split ports on the FIMs on both chassis before configuring HA because the
modules have to reboot after split ports are configured. For example, to split the C1, C2, and C4 interfaces of an
FIM-7910E in slot 1, enter the following command:
config system global
    set split-port 1-C1 2-C1 2-C4
end
After configuring split ports, the chassis reboots and the configuration is synchronized.
On each chassis, make sure configurations of the modules are synchronized before starting to configure HA. You
can use the following command to verify that the configurations of all of the modules are synchronized:
diagnose sys confsync chsum | grep all
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
If the modules are synchronized, the checksums displayed should all be the same.
You can also use the following command to list the modules that are synchronized. The example output shows all
four FIM modules have been configured for HA and added to the cluster.
diagnose sys confsync status | grep in_sync
Master, uptime=692224.19, priority=1, slot_1d=1:1, idx=0, flag=0x0, in_sync=1
Slave, uptime=676789.70, priority=2, slot_1d=1:2, idx=1, flag=0x0, in_sync=1
Slave, uptime=692222.01, priority=17, slot_1d=1:4, idx=2, flag=0x64, in_sync=1
Slave, uptime=692271.30, priority=16, slot_1d=1:3, idx=3, flag=0x64, in_sync=1
In this command output, in_sync=1 means the module is synchronized with the primary unit and in_sync=0 means
the module is not synchronized.
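One way to automate the two checks above on captured CLI output, as an added example that is not Fortinet's code. The function names are hypothetical and the sample output is constructed from the output shown above, with one checksum and one in_sync value altered to show a failure.

```python
import re
from collections import Counter

# Constructed sample: output in the format shown above, with the last
# checksum and one in_sync value altered to demonstrate a failed check.
CHSUM_OUTPUT = """\
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e
all: c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8f
"""
STATUS_OUTPUT = """\
Master, uptime=692224.19, priority=1, slot_1d=1:1, idx=0, flag=0x0, in_sync=1
Slave, uptime=676789.70, priority=2, slot_1d=1:2, idx=1, flag=0x0, in_sync=0
"""

CHSUM_RE = re.compile(r"^all:\s*((?:[0-9a-f]{2}\s*){16})$", re.I)
# slot_\w+ accepts the slot field name exactly as the CLI prints it.
STATUS_RE = re.compile(r"^(\w+),.*?slot_\w+=(\d+:\d+),.*?in_sync=([01])\s*$")

def checksum_mismatches(text):
    """1-based line numbers whose 'all' checksum differs from the majority value."""
    sums = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CHSUM_RE.match(line.strip())
        if m:
            sums.append((n, "".join(m.group(1).split()).lower()))
    if not sums:
        raise ValueError("no 'all:' checksum lines found")  # fail closed
    majority = Counter(s for _, s in sums).most_common(1)[0][0]
    return [n for n, s in sums if s != majority]

def out_of_sync(text):
    """(role, slot) for every module reporting in_sync=0."""
    lines = (l.strip() for l in text.splitlines())
    rows = [m.groups() for m in map(STATUS_RE.match, lines) if m]
    if not rows:
        raise ValueError("no in_sync status lines found")  # fail closed
    return [(role, slot) for role, slot, flag in rows if flag == "0"]

def ready_for_ha(chsum_text, status_text):
    """True only if every checksum matches and no module is out of sync."""
    return not checksum_mismatches(chsum_text) and not out_of_sync(status_text)

if __name__ == "__main__":
    print("checksum mismatch on lines:", checksum_mismatches(CHSUM_OUTPUT))
    print("out of sync:", out_of_sync(STATUS_OUTPUT))
    print("ready for HA:", ready_for_ha(CHSUM_OUTPUT, STATUS_OUTPUT))
```

Both parsers raise an error when no matching lines are found, so empty or truncated captures are never reported as synchronized.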
Connect the M1 and M2 interfaces for HA heartbeat communication
HA heartbeat communication between chassis happens over the 10Gbit M1 and M2 interfaces of the FIM
modules in each chassis. To set up HA heartbeat connections:
• Connect the M1 interfaces of all FIM modules together using a switch.
• Connect the M2 interfaces of all FIM modules together using another switch.
All of the M1 interfaces must be connected together with a switch and all of the M2 interfaces must be connected
together with another switch. Connecting M1 interfaces or M2 interfaces directly is not supported as each FIM
needs to communicate with all other FIMs.
FortiGate-7000
Fortinet Technologies Inc.