Friday, August 4, 2023

Configure FortiGate High Availability (HA) Active-Passive

This post walks through configuring FortiGate High Availability (HA) in an Active-Passive setup on a pair of FortiGate-40F units.

You can view the FortiGate HA mode under System > HA > Mode: Standalone (default).

 

You can also view the HA mode from the CLI with either the get system status or the get system ha status command.


FG-FW01_PRI # get system status

Version: FortiGate-40F v7.2.4,build1396,230131 (GA.F)

Firmware Signature: certified

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

AV AI/ML Model: 0.00000(2001-01-01 00:00)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 0.00000(2001-01-01 00:00)

APP-DB: 6.00741(2015-12-01 02:30)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

IoT-Detect: 0.00000(2022-08-17 17:31)

Serial-Number: FGT40FTK2101234

BIOS version: 05000021

System Part-Number: P24680-04

Log hard disk: Not available

Hostname: FG-FW01_PRI

Private Encryption: Disable

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 10

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1396

Release Version Information: GA

System time: Sat Mar 18 18:09:09 2023

Last reboot reason: power cycle

FG-FW01_PRI # get system ha status

HA Health Status: OK

Model: FortiGate-40F

Mode: Standalone

Group Name:

Group ID: 0

Debug: 0

Cluster Uptime: 0 days 0:0:0

Cluster state change time: N/A

ses_pickup: disable

override: disable

System Usage stats:

HBDEV stats:

number of vcluster: 0

In this post, I'll configure a pair of FortiGate firewalls in an Active-Passive High Availability (HA) setup. Only one FortiGate actively processes network traffic, while the other synchronizes its configuration (and, with session pickup, its sessions) and remains on standby in case of a failure. Active-Passive mode also simplifies the network design and troubleshooting because the traffic flow is deterministic: at any moment exactly one unit forwards traffic.

 

To configure FortiGate HA in Active-Passive mode, go to System > HA and set Mode: Active-Passive; Device priority: 200 (the default is 128; a higher value is preferred, but only decides the election when override is enabled); Group name: FG-FW01_CLUSTER (must match on the Secondary FortiGate); a password (must match on the Secondary FortiGate; it authenticates cluster membership, so don't leave it blank); enable/toggle Session pickup (the Secondary resumes existing TCP, including NAT'd, and IPsec VPN sessions during failover; UDP and ICMP sessions are only synchronized when session-pickup-connectionless is also enabled under config system ha); select the Monitor interfaces (LAN and WAN interfaces); set Heartbeat interfaces: a (carries the hello packets, configuration sync and session sync); then click OK.

Under Monitor Interfaces > click add (+) > select the interfaces to monitor. In this case the MGMT and data interfaces were selected. If one of the monitored interfaces fails, the cluster fails over to the unit with the most monitored interfaces up/operational; the count of failed monitored links is the first criterion in primary election, ahead of uptime and device priority.

Under Heartbeat interfaces > click add (+) > select the heartbeat "a" interface. I directly connected an RJ45 cable between the two FortiGate devices. Click OK. A direct cable keeps the heartbeat traffic (which carries the full configuration, including credentials, and the session table) off the production network; heartbeat authentication and encryption are disabled by default and can be turned on under config system ha with set authentication enable and set encryption enable.

Repeat the same procedure on the Secondary FortiGate, the only difference being a lower Device priority of 100. The group name, password, mode and heartbeat interface must match, or the two units will never form a cluster.


You can view HA status under System > HA. Just wait for 3-5 minutes for HA to synchronize. Sometimes you'll need to reboot the Secondary FortiGate for synchronization to work.


You can configure an out-of-band management IP address for the Primary and Secondary FortiGate. I configured this in the CLI, but it can also be configured under System > HA > enable/toggle Management Interface Reservation > type the Gateway IP address. The reserved interface's IP address and routing are not synchronized between the cluster members, so each unit keeps its own management address on that interface (set under config system interface).

FG-FW01_PRI # config system ha

FG-FW01_PRI (ha) # set ha-mgmt-status enable

FG-FW01_PRI (ha) # config ha-mgmt-interfaces

FG-FW01_PRI (ha-mgmt-interfaces) # edit 1

new entry '1' added

 

FG-FW01_PRI (1) # set interface lan1

FG-FW01_PRI (1) # set gateway 172.20.2.1

FG-FW01_PRI (1) # end

FG-FW01_PRI (ha) # end

FG-FW01_PRI # 

 

To view the HA status and sync state, you can issue either the diagnose sys ha status or the get system ha status command. To confirm both members really carry the same configuration, compare their checksums with diagnose sys ha checksum cluster.

  

FG-FW01_PRI # diagnose sys ha status

HA information

Statistics

        traffic.local = s:0 p:1446468 b:471747487

        traffic.total = s:0 p:1446412 b:471602671

        activity.ha_id_changes = 4

        activity.fdb  = c:0 q:0

 

Model=40, Mode=2 Group=0 Debug=0

nvcluster=1, ses_pickup=1, delay=0

 

[Debug_Zone HA information]

HA group member information: is_manage_primary=0.

FGT40FTK21091234:    Secondary, serialno_prio=1, usr_priority=200, hostname=FG-FW01_PRI

FGT40FTK21095678:      Primary, serialno_prio=0, usr_priority=100, hostname=FG-FW01_SEC

 

[Kernel HA information]

vcluster 1, state=standby, primary_ip=169.254.0.1, primary_id=0

FGT40FTK21091234:    Secondary, ha_prio/o_ha_prio=1/1

FGT40FTK21095678:      Primary, ha_prio/o_ha_prio=0/0

 

FG-FW01_PRI # get system ha status

HA Health Status: OK

Model: FortiGate-40F

Mode: HA A-P

Group Name: FG-FW01_CLUSTER

Group ID: 0

Debug: 0

Cluster Uptime: 0 days 3:59:9

Cluster state change time: 2023-03-18 22:49:45

Primary selected using:

    <2023/03/18 22:49:45> vcluster-1: FGT40FTK21091234 is selected as the primary because its override priority is larger than peer member FGT40FTK21095678.

    <2023/03/18 22:44:31> vcluster-1: FGT40FTK21095678 is selected as the primary because the value 0 of link-failure + pingsvr-failure is less than peer member FGT40FTK21091234.

    <2023/03/18 19:26:41> vcluster-1: FGT40FTK21091234 is selected as the primary because its uptime is larger than peer member FGT40FTK21095678.

    <2023/03/18 18:52:16> vcluster-1: FGT40FTK21091234 is selected as the primary because it's the only member in the cluster.

ses_pickup: enable, ses_pickup_delay=disable

override: enable

Configuration Status:

    FGT40FTK21091234(updated 4 seconds ago): in-sync

    FGT40FTK21095678(updated 5 seconds ago): in-sync

System Usage stats:

    FGT40FTK21091234(updated 4 seconds ago):

        sessions=14, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=35%

    FGT40FTK21095678(updated 5 seconds ago):

        sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=35%

HBDEV stats:

    FGT40FTK21091234(updated 4 seconds ago):

        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=38092643/156998/0/0, tx=38105486/90275/0/0

    FGT40FTK21095678(updated 5 seconds ago):

        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=38100087/90259/0/0, tx=38086526/156993/0/0

MONDEV stats:

    FGT40FTK21091234(updated 4 seconds ago):

        lan2: physical/100auto, up, rx-bytes/packets/dropped/errors=141415408/2060360/0/0, tx=10289012/81659/0/0

        lan3: physical/100auto, up, rx-bytes/packets/dropped/errors=24131614/227799/0/0, tx=10295220/81756/0/0

        PortChannel1: aggregate/00, up, rx-bytes/packets/dropped/errors=165547022/2288159/0/0, tx=20584232/163415/0/0

        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=266313568/1145360/0/0, tx=152763749/498545/0/0

    FGT40FTK21095678(updated 5 seconds ago):

        lan2: physical/100auto, up, rx-bytes/packets/dropped/errors=24139694/227900/0/0, tx=10292156/81684/0/0

        lan3: physical/100auto, up, rx-bytes/packets/dropped/errors=141448602/2060862/0/0, tx=10293884/81711/0/0

        PortChannel1: aggregate/00, up, rx-bytes/packets/dropped/errors=165588296/2288762/0/0, tx=20586040/163395/0/0

        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=259124868/1122118/0/0, tx=138256452/473772/0/0

Primary     : FG-FW01_PRI, FGT40FTK21091234, HA cluster index = 1

Secondary   : FG-FW01_SEC, FGT40FTK21095678, HA cluster index = 0

number of vcluster: 1

vcluster 1: work 169.254.0.2

Primary: FGT40FTK21091234, HA operating index = 0

Secondary: FGT40FTK21095678, HA operating index = 1
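Reading the get system ha status output by eye works for a lab, but in production the same fields (health messages, in-sync state, heartbeat link state, which serial is Primary) are what a monitoring job should check after every change and after every failover. The script below is an added example, not part of the original post or of FortiOS: it parses the output format shown above into a dictionary and turns it into a list of findings. The two samples are constructed excerpts modelled on the post's own output; parse_ha_status, ha_findings and the expected_primary parameter are names chosen here.

```python
"""Parse `get system ha status` output and flag HA conditions worth alerting on."""
import re

# Constructed excerpts modelled on the post's healthy and post-failover output.
SAMPLE_OK = """\
HA Health Status: OK
Model: FortiGate-40F
Mode: HA A-P
Group Name: FG-FW01_CLUSTER
Primary selected using:
    <2023/03/18 22:49:45> vcluster-1: FGT40FTK21091234 is selected as the primary because its override priority is larger than peer member FGT40FTK21095678.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT40FTK21091234(updated 4 seconds ago): in-sync
    FGT40FTK21095678(updated 5 seconds ago): in-sync
HBDEV stats:
    FGT40FTK21091234(updated 4 seconds ago):
        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=38092643/156998/0/0, tx=38105486/90275/0/0
    FGT40FTK21095678(updated 5 seconds ago):
        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=38100087/90259/0/0, tx=38086526/156993/0/0
Primary     : FG-FW01_PRI, FGT40FTK21091234, HA cluster index = 1
Secondary   : FG-FW01_SEC, FGT40FTK21095678, HA cluster index = 0
"""

SAMPLE_DEGRADED = """\
HA Health Status:
    ERROR: FGT40FTK21091234 is lost @ 2023/03/21 10:45:49
    WARNING: FGT40FTK21095678 has hbdev down;
Model: FortiGate-40F
Mode: HA A-P
override: disable
HBDEV stats:
    FGT40FTK21095678(updated 5 seconds ago):
        a: physical/00, down, rx-bytes/packets/dropped/errors=594402106/1413899/0/0, tx=515709123/1429523/0/0
MONDEV stats:
    FGT40FTK21095678(updated 5 seconds ago):
        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=269957042/1268488/0/0, tx=138662112/476451/0/0
Primary     : FG-FW01_SEC, FGT40FTK21095678, HA cluster index = 0
"""

MEMBER_RE = re.compile(r"^(Primary|Secondary)\s*:\s*(\S+), (\S+), HA cluster index = (\d+)")
LINK_SECTIONS = {"HBDEV stats": "hbdev", "MONDEV stats": "mondev"}


def parse_ha_status(text):
    """Return the fields that matter for alerting: top-level key/values, health
    messages, per-member config sync state, heartbeat and monitored link state,
    and the Primary/Secondary member list."""
    status = {"fields": {}, "health": [], "sync": {}, "hbdev": {}, "mondev": {}, "members": []}
    section, member = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MEMBER_RE.match(line)
        if m:
            status["members"].append({"role": m.group(1), "hostname": m.group(2),
                                      "serial": m.group(3), "index": int(m.group(4))})
            continue
        if not line.startswith(" "):          # unindented "Key: value" line opens a section
            key, _, value = line.partition(":")
            section = key.strip()
            status["fields"][section] = value.strip()
            continue
        item = line.strip()
        if section == "HA Health Status":     # indented ERROR/WARNING lines
            status["health"].append(item)
        elif section == "Configuration Status":
            m = re.match(r"(\S+)\(updated .*?\):\s*(\S+)", item)
            if m:
                status["sync"][m.group(1)] = m.group(2)
        elif section in LINK_SECTIONS:
            bucket = status[LINK_SECTIONS[section]]
            m = re.match(r"(\S+)\(updated .*?\):$", item)
            if m:                              # member header line
                member = m.group(1)
                bucket.setdefault(member, {})
            else:
                m = re.match(r"(\S+): \S+, (up|down),", item)
                if m and member:
                    bucket[member][m.group(1)] = m.group(2)
    return status


def ha_findings(status, expected_primary=None, expected_members=2):
    """Turn a parsed status into alert-worthy findings; an empty list means healthy.
    Note: override is a per-unit setting that is not synchronized, so a mismatch
    is only visible by collecting this output from both members."""
    findings, f = [], status["fields"]
    if f.get("Mode") != "HA A-P":
        findings.append(f"mode is {f.get('Mode')!r}, expected 'HA A-P'")
    if f.get("HA Health Status") != "OK":
        findings.extend(status["health"] or ["health status not OK"])
    for serial, state in status["sync"].items():
        if state != "in-sync":
            findings.append(f"{serial} configuration is {state}")
    for kind in ("hbdev", "mondev"):
        for serial, links in status[kind].items():
            for iface, state in links.items():
                if state != "up":
                    findings.append(f"{serial} {kind} {iface} is {state}")
    if len(status["members"]) < expected_members:
        findings.append(f"only {len(status['members'])} of {expected_members} members present")
    primary = [m for m in status["members"] if m["role"] == "Primary"]
    if expected_primary and primary and primary[0]["serial"] != expected_primary:
        findings.append(f"primary is {primary[0]['serial']}, expected {expected_primary}")
    return findings
```

Run it against the text captured from each member (for example over SSH) and page on any non-empty finding list; the expected_primary check catches a silent failover that left the cluster technically healthy but running on the wrong unit.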


I simulated a device failover by rebooting the Primary FortiGate. The Secondary FortiGate became Primary/Active.

FG-FW01_PRI # execute reboot

This operation will reboot the system !

Do you want to continue? (y/n)y

 

System is rebooting...

The system is going down NOW !!

 

FG-FW01_SEC # get system ha status

HA Health Status:

    ERROR: FGT40FTK21091234 is lost @ 2023/03/21 10:45:49

    WARNING: FGT40FTK21095678 has hbdev down;

Model: FortiGate-40F

Mode: HA A-P

Group Name: FG-FW01_CLUSTER

Group ID: 0

Debug: 0

Cluster Uptime: 2 days 15:54:5

Cluster state change time: 2023-03-21 10:45:49

Primary selected using:

    <2023/03/21 10:45:49> vcluster-1: FGT40FTK21095678 is selected as the primary because it's the only member in the cluster.

    <2023/03/21 10:45:43> vcluster-1: FGT40FTK21095678 is selected as the primary because SET_AS_SECONDARY flag is set on peer member FGT40FTK21091234.

    <2023/03/19 22:16:52> vcluster-1: FGT40FTK21091234 is selected as the primary because its override priority is larger than peer member FGT40FTK21095678.

    <2023/03/19 22:16:42> vcluster-1: FGT40FTK21095678 is selected as the primary because its override priority is larger than peer member FGT40FTK21091234.

ses_pickup: enable, ses_pickup_delay=disable

override: disable

System Usage stats:

    FGT40FTK21095678(updated 5 seconds ago):

        sessions=10, average-cpu-user/nice/system/idle=0%/0%/1%/98%, memory=35%

HBDEV stats:

    FGT40FTK21095678(updated 5 seconds ago):

        a: physical/00, down, rx-bytes/packets/dropped/errors=594402106/1413899/0/0, tx=515709123/1429523/0/0

MONDEV stats:

    FGT40FTK21095678(updated 5 seconds ago):

        lan2: physical/100auto, up, rx-bytes/packets/dropped/errors=28648858/270239/0/0, tx=12107326/96090/0/0

        lan3: physical/100auto, up, rx-bytes/packets/dropped/errors=166350426/2423682/0/0, tx=12359514/98319/0/0

        PortChannel1: aggregate/00, up, rx-bytes/packets/dropped/errors=194999284/2693921/0/0, tx=24466840/194409/0/0

        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=269957042/1268488/0/0, tx=138662112/476451/0/0

Primary     : FG-FW01_SEC, FGT40FTK21095678, HA cluster index = 0

number of vcluster: 1

vcluster 1: work 169.254.0.1

Primary: FGT40FTK21095678, HA operating index = 0


The Primary FortiGate became Active again once it rebooted because it has the higher device priority (200) and override is enabled on it; the election log below records "override priority is larger" as the reason. Without override, the election looks at uptime before priority, so the Secondary would have kept the Primary role and the cluster would have avoided a second failover. Note that override is a per-unit setting that is not synchronized: the Secondary's output above shows override: disable while the Primary shows override: enable.

FG-FW01_PRI # get system ha status

HA Health Status: OK

Model: FortiGate-40F

Mode: HA A-P

Group Name: FG-FW01_CLUSTER

Group ID: 0

Debug: 0

Cluster Uptime: 2 days 15:56:10

Cluster state change time: 2023-03-21 10:47:26

Primary selected using:

    <2023/03/21 10:47:26> vcluster-1: FGT40FTK21091234 is selected as the primary because its override priority is larger than peer member FGT40FTK21095678.

    <2023/03/21 10:47:17> vcluster-1: FGT40FTK21095678 is selected as the primary because its override priority is larger than peer member FGT40FTK21091234.

ses_pickup: enable, ses_pickup_delay=disable

override: enable

Configuration Status:

    FGT40FTK21091234(updated 3 seconds ago): in-sync

    FGT40FTK21095678(updated 5 seconds ago): in-sync

System Usage stats:

    FGT40FTK21091234(updated 3 seconds ago):

        sessions=38, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=33%

    FGT40FTK21095678(updated 5 seconds ago):

        sessions=10, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=35%

HBDEV stats:

    FGT40FTK21091234(updated 3 seconds ago):

        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=192898/562/0/0, tx=172622/456/0/0

    FGT40FTK21095678(updated 5 seconds ago):

        a: physical/1000auto, up, rx-bytes/packets/dropped/errors=594572404/1414349/0/0, tx=515960605/1430235/0/0

MONDEV stats:

    FGT40FTK21091234(updated 3 seconds ago):

        lan2: physical/100auto, up, rx-bytes/packets/dropped/errors=11240/117/0/0, tx=2152/17/0/0

        lan3: physical/100auto, up, rx-bytes/packets/dropped/errors=5352/25/0/0, tx=2408/21/0/0

        PortChannel1: aggregate/00, up, rx-bytes/packets/dropped/errors=16592/142/0/0, tx=4560/38/0/0

        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=85043/195/0/0, tx=46824/147/0/0

    FGT40FTK21095678(updated 5 seconds ago):

        lan2: physical/100auto, up, rx-bytes/packets/dropped/errors=29198292/274899/0/0, tx=12109482/96107/0/0

        lan3: physical/100auto, up, rx-bytes/packets/dropped/errors=166364690/2423890/0/0, tx=12890330/102976/0/0

        PortChannel1: aggregate/00, up, rx-bytes/packets/dropped/errors=195562982/2698789/0/0, tx=24999812/199083/0/0

        wan: physical/1000auto, up, rx-bytes/packets/dropped/errors=270528521/1273320/0/0, tx=139232137/481219/0/0

Primary     : FG-FW01_PRI, FGT40FTK21091234, HA cluster index = 1

Secondary   : FG-FW01_SEC, FGT40FTK21095678, HA cluster index = 0

number of vcluster: 1

vcluster 1: work 169.254.0.2

Primary: FGT40FTK21091234, HA operating index = 0

Secondary: FGT40FTK21095678, HA operating index = 1
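The "Primary selected using" lines in the outputs above show each election criterion in turn: fewest monitored-link failures, uptime, override priority, and (not seen here) serial number. The model below is an added example, not Fortinet code, that replays those decisions so the effect of the override setting is explicit, and it adds the one case the post does not show: the rebooted unit coming back with override disabled. It assumes the documented FortiOS order (link failures first; then age, priority, serial with override off; priority before age with override on), that uptime differences under 300 seconds are ignored (the default ha-uptime-diff-margin), that priority-first ordering applies when any member has override set, and that the highest serial number wins a full tie. Member, select_primary and walk_through are names chosen here.

```python
"""Model of FortiGate A-P primary election (added example, not FortiOS code)."""
from dataclasses import dataclass

UPTIME_MARGIN = 300  # assumption: default ha-uptime-diff-margin in seconds

PRI = "FGT40FTK21091234"
SEC = "FGT40FTK21095678"


@dataclass
class Member:
    serial: str
    priority: int = 128       # FortiOS default device priority
    uptime: int = 0           # seconds of HA uptime
    link_failures: int = 0    # monitored interfaces (plus ping servers) that are down
    override: bool = False    # per-unit setting, not synchronized


def _by_priority(cands):
    top = max(m.priority for m in cands)
    return [m for m in cands if m.priority == top]


def _by_age(cands):
    # Units whose uptime is within the margin of the oldest are treated as equal.
    oldest = max(m.uptime for m in cands)
    return [m for m in cands if oldest - m.uptime < UPTIME_MARGIN]


def select_primary(members):
    """Return (winner, reason) following the documented election order."""
    fewest = min(m.link_failures for m in members)
    cands = [m for m in members if m.link_failures == fewest]
    if len(cands) == 1:
        return cands[0], "fewest monitored-link failures"
    # Assumption: priority is consulted before age when any member has override set.
    order = [("priority", _by_priority), ("age", _by_age)]
    if not any(m.override for m in cands):
        order.reverse()
    for reason, narrow in order:
        cands = narrow(cands)
        if len(cands) == 1:
            return cands[0], reason
    return max(cands, key=lambda m: m.serial), "highest serial number"


def walk_through():
    """Replay the election reasons logged in the post and the untested variant."""
    results = {}
    # Fresh cluster, override off on both: the longer-running unit wins on age.
    results["uptime"] = select_primary([Member(PRI, 200, uptime=3600),
                                        Member(SEC, 100, uptime=600)])
    # A monitored interface on PRI goes down: fewest link failures wins, priority ignored.
    results["link"] = select_primary([Member(PRI, 200, uptime=3600, link_failures=1),
                                      Member(SEC, 100, uptime=600)])
    # Override enabled on PRI: priority is consulted before age.
    results["override"] = select_primary([Member(PRI, 200, uptime=3600, override=True),
                                          Member(SEC, 100, uptime=600)])
    # PRI rebooted (uptime reset) with override on: it preempts, a second failover.
    results["preempt"] = select_primary([Member(PRI, 200, uptime=60, override=True),
                                         Member(SEC, 100, uptime=230000)])
    # Same reboot with override off: SEC keeps the role on age, no second failover.
    results["no_preempt"] = select_primary([Member(PRI, 200, uptime=60),
                                            Member(SEC, 100, uptime=230000)])
    return {name: (winner.serial, why) for name, (winner, why) in results.items()}


if __name__ == "__main__":
    for name, (serial, why) in walk_through().items():
        print(f"{name:11s} -> {serial} ({why})")
```

The practical takeaway is the last two cases: leave override disabled (the default) unless you need a specific unit to always be primary, because with override on every reboot or maintenance window of the preferred unit costs you two failovers instead of one.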

 

To manage or troubleshoot the Secondary FortiGate from the Primary without exiting or opening a new CLI session, issue execute ha manage <index> <admin account>, where <index> is the peer's "HA cluster index" shown in get system ha status (0 for the Secondary here; execute ha manage ? lists the available indexes). This opens an SSH session to the peer over the heartbeat link (169.254.0.x) and prompts for that unit's admin password. It is similar to the Cisco ASA failover exec mate <show> command.

FG-FW01_PRI # execute ha manage 0 admin

Warning: Permanently added '169.254.0.1' (ED25519) to the list of known hosts.

admin@169.254.0.1's password:

FG-FW01_SEC #