HA active-active Cluster Setup

Cluster Setup

To set up an HA active-active cluster:

  1. Go to the System → HA section.
  2. In the new window, select Active-Active from the Mode drop-down menu. The FortiGate is set to Standalone by default.
  3. Fill in the parameters:
    1. Device priority — 128 or higher. This parameter sets the priority of the device, which is used in the selection of the main device.
    2. Group name — the name of the group, in this case Test_cluster.
    3. Add the interfaces that connect the devices to Heartbeat interfaces by clicking + and selecting them on the right in the pop-up window.
    Except for the device priority, these settings must be the same on all FortiGates in the cluster.
  4. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

Repeat these steps on the other FortiGate devices.

As a result, a cluster of two FortiGate devices will be established. The devices are shown on the System → HA tab.

Checking the Cluster Health

Check the synchronization status of the cluster to ensure that the primary and auxiliary FortiGates have the same configuration.

On the main device, run diagnose sys ha checksum cluster to display the checksums of the device configurations:

#diagnose sys ha checksum cluster
 
================== FGVMEVZ0PVYJZL93 ==================
 
is_manage_master()=1, is_root_master()=1
debugzone
global: 9a f3 de d1 a5 9f 5d e1 79 8b b8 0b e2 30 9a 03 
root: 03 06 19 93 30 e4 a5 9b 01 df 95 ba 49 57 17 8e 
all: 51 e8 41 4c d4 0c ca c9 a6 12 d6 eb c1 ab 1b 5a 
 
checksum
global: 9a f3 de d1 a5 9f 5d e1 79 8b b8 0b e2 30 9a 03 
root: 03 06 19 93 30 e4 a5 9b 01 df 95 ba 49 57 17 8e 
all: 51 e8 41 4c d4 0c ca c9 a6 12 d6 eb c1 ab 1b 5a 
 
================== FGVMEV6UTHPHYC67 ==================
 
is_manage_master()=0, is_root_master()=0
debugzone
global: 9a f3 de d1 a5 9f 5d e1 79 8b b8 0b e2 30 9a 03 
root: 03 06 19 93 30 e4 a5 9b 01 df 95 ba 49 57 17 8e 
all: 51 e8 41 4c d4 0c ca c9 a6 12 d6 eb c1 ab 1b 5a 
 
checksum
global: 9a f3 de d1 a5 9f 5d e1 79 8b b8 0b e2 30 9a 03 
root: 03 06 19 93 30 e4 a5 9b 01 df 95 ba 49 57 17 8e 
all: 51 e8 41 4c d4 0c ca c9 a6 12 d6 eb c1 ab 1b 5a 

If both cluster members have the same checksums, you can be sure that their configurations are synchronized. If the checksums are different, wait a bit and run the command again.

Repeat until the checksums are identical. Synchronization may take some time.
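
One way to automate the comparison described above, as an added example (not part of the original page and not Fortinet code): a Python parser for the text output of diagnose sys ha checksum cluster that reports which section and scope differ between cluster members. The function names and the sample serials and checksum values are constructed for illustration, and the parser assumes the output layout shown above.

```python
import re

HEADER = re.compile(r"^=+\s*(\S+)\s*=+$")                     # ===== <serial> =====
SCOPE = re.compile(r"^(\S+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")    # global: 9a f3 ...

def parse_ha_checksums(text):
    """Return {serial: {(section, scope): checksum_hex}} parsed from the output."""
    members, serial, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            serial, section = m.group(1), None
            members[serial] = {}
        elif line in ("debugzone", "checksum"):
            section = line
        elif serial and section and (m := SCOPE.match(line)):
            members[serial][(section, m.group(1))] = "".join(m.group(2).split()).lower()
    return members

def find_mismatches(members):
    """Return (section, scope, {serial: checksum or None}) for each differing entry."""
    if len(members) < 2:
        raise ValueError("need checksum output from at least two cluster members")
    diffs = []
    for key in sorted({k for sums in members.values() for k in sums}):
        seen = {serial: sums.get(key) for serial, sums in members.items()}
        if len(set(seen.values())) != 1:  # differs, or missing on one member
            diffs.append((*key, seen))
    return diffs

# Constructed sample in the layout shown above (made-up values; root differs on member 2).
SAMPLE = """\
================== FGVM-EXAMPLE-0001 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 9a f3 de d1
root: 03 06 19 93
checksum
global: 9a f3 de d1
root: 03 06 19 93
================== FGVM-EXAMPLE-0002 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 9a f3 de d1
root: aa bb cc dd
checksum
global: 9a f3 de d1
root: aa bb cc dd
"""
```

An empty list from find_mismatches(parse_ha_checksums(output)) means every member reported identical checksums; a scope that appears on only one member is reported as a mismatch as well.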

To view the status of a device in an HA cluster, run get system ha status:

#get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-A
Group: 0
Debug: 0
Cluster Uptime: 0 days 10:56:31
Cluster state change time: 2020-08-24 01:27:54
Master selected using:
    <2020/08/24 01:27:54> FGVMEVZ0PVYJZL93 is selected as the master because it has the largest value of uptime.
ses_pickup: disable
load_balance: disable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
override: disable
Configuration Status:
    FGVMEVZ0PVYJZL93(updated 1 seconds ago): in-sync
    FGVMEV6UTHPHYC67(updated 0 seconds ago): in-sync
System Usage stats:
    FGVMEVZ0PVYJZL93(updated 1 seconds ago):
        sessions=29, average-cpu-user/nice/system/idle=3%/0%/1%/96%, memory=87%
    FGVMEV6UTHPHYC67(updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=87%
HBDEV stats:
    FGVMEVZ0PVYJZL93(updated 1 seconds ago):
        port2: physical/10000full, up, rx-bytes/packets/dropped/errors=73314710/235741/0/0, tx=102487642/254883/0/0
        port3: physical/10000full, up, rx-bytes/packets/dropped/errors=65135804/184588/0/0, tx=69715861/196697/0/0
    FGVMEV6UTHPHYC67(updated 0 seconds ago):
        port2: physical/10000full, up, rx-bytes/packets/dropped/errors=4008587/13059/0/0, tx=2627671/9931/0/0
        port3: physical/10000full, up, rx-bytes/packets/dropped/errors=2789092/8082/0/0, tx=1750807/4991/0/0
Master: FG1             , FGVMEVZ0PVYJZL93, HA cluster index = 0
Slave : FG-2            , FGVMEV6UTHPHYC67, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master: FGVMEVZ0PVYJZL93, HA operating index = 0
Slave : FGVMEV6UTHPHYC67, HA operating index = 1