The Fortinet Cookbook contains step-by-step examples of how to integrate. The basic FortiGate network collection is intended to help you.


In this recipe, a backup FortiGate unit is installed and connected to a previously installed FortiGate to form a high availability (HA) cluster that improves network reliability. This recipe is in the Fortinet Security Fabric collection. You can also use it as a standalone recipe.

When you have completed this recipe, the original FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.

Register and apply licenses to the new FortiGate unit before adding it to the HA cluster. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate. Set the Device Priority to a higher value than the default (in the example) to make sure this FortiGate will always be the primary FortiGate.

Also, set a Group name and Password. Make sure that two Heartbeat interfaces (in the example, port3 and port4) are selected and that the Heartbeat Interface Priority for each is set to the same value. Since the backup FortiGate is not yet available, when you save the HA configuration the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

Connect the backup FortiGate to the primary FortiGate and the network, as shown in the network diagram at the top of the recipe.

Making these network connections will disrupt traffic, so you should do this when the network is not processing much traffic. If possible, use direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.


Switches must be used between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections.

You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks. On the backup FortiGate, set the same Group name and Password as on the primary FortiGate. Make sure that the same two Heartbeat interfaces (port3 and port4) are selected and that the Heartbeat Interface Priority for each is set to the same value as on the primary. When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster.
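The same settings the GUI steps above describe can be applied from the FortiOS CLI on each unit. The following is an added example, not taken from the Fortinet Cookbook recipe, and the group name, password placeholder, heartbeat interface priorities and device priority are constructed values; only the device priority differs between the two units (the primary gets the higher value), everything else must match on both or they will not form a cluster.

```fortios
# Primary FortiGate (constructed example, not the recipe's own CLI)
config system ha
    set group-name "ha-cluster-example"   # constructed; must match on both units
    set mode a-p                          # active-passive, as in this recipe
    set password "<CHANGE-ME-PASSWORD>"   # placeholder; must match on both units
    set hbdev "port3" 50 "port4" 50       # heartbeat interfaces and priorities (constructed values)
    set priority 200                      # constructed; above the default so this unit stays primary
end

# Backup FortiGate: identical apart from a lower device priority
config system ha
    set group-name "ha-cluster-example"
    set mode a-p
    set password "<CHANGE-ME-PASSWORD>"
    set hbdev "port3" 50 "port4" 50
    set priority 100                      # constructed; lower than the primary's value
end
```

After the heartbeat links are connected, `get system ha status` on either unit shows both members and which one is Master, and `diagnose sys ha checksum cluster` shows whether the configuration checksums of the members match, which is the quickest check that synchronization has completed.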

Network traffic may be disrupted for a few seconds while the cluster is negotiating. The widget also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster. Traffic is now passing through the primary FortiGate.

However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

High availability with two FortiGates

A failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again. Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. Both FortiGates are updated with minimal traffic disruption.

Bill Dickie, Technical Writer at Fortinet. After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid ’80s.

Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate Administration Guide.

The FortiGate Cookbook – Secure Sense

Also, you cannot use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces.


Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

This example uses two FortiGate units, and the default heartbeat interfaces (port3 and port4) are used. You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.


If you are setting up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V), you need to enable promiscuous mode and allow MAC address changes for heartbeat communication to work. Since the HA heartbeat interfaces must be on the same broadcast domain, for HA between remote data centers (called distributed clustering) you must support layer 2 extensions between the remote data centers, using technology such as MPLS or VXLAN.

If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

After a moment, power off the primary FortiGate.

FortiOS – Fortinet Cookbook

You will see a momentary pause in the ping results, until traffic fails over to the backup FortiGate, allowing the ping traffic to continue.

(Optional) Upgrading the firmware for the HA cluster

Back up the configuration and update the firmware from FortiGuard or by uploading a firmware image file. The firmware installs onto both the primary and backup FortiGates.

After the upgrade is complete, verify that the System Information widget shows the new firmware version.

Author: admin