
DO NOT REPRINT

© FORTINET
Lab 7: High Availability (HA)

In this lab, you will set up a FortiGate Clustering Protocol (FGCP) high availability (HA) cluster of FortiGate
devices. You will explore active-active HA mode and observe FortiGate HA behavior. You will also perform an HA
failover and use diagnostic commands to observe the election of a new primary in the cluster.

Finally, you will configure management port(s) on each FortiGate to reach each FortiGate individually for
management purposes.

Objectives
• Set up an HA cluster using FortiGate devices.
• Observe HA synchronization and interpret diagnostic output.
• Perform an HA failover.
• Manage individual cluster members by configuring a reserved management interface.

Time to Complete
Estimated: 45 minutes

Lab HA Topology

After you upload the required configurations to each FortiGate, the logical topology will change to the following:

Prerequisites
Before beginning this lab, you must restore a configuration file to each FortiGate.

FortiGate Infrastructure 6.0 Lab Guide 109


Fortinet Technologies Inc.
Use the procedure that follows to restore the correct configuration to each FortiGate.
Failure to restore the correct configuration to each FortiGate will prevent you from
doing the lab exercise.

To restore the Local-FortiGate configuration

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > HA > local-ha.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Remote-FortiGate configuration

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > HA > remote-ha.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring High Availability (HA)

FortiGate High Availability (HA) uses the FortiGate Clustering Protocol (FGCP). FGCP uses a heartbeat link for
HA-related communication to discover other FortiGate devices in the same HA group, elect a primary device,
synchronize the configuration, and detect failed devices in an HA cluster.

In this exercise, you will configure HA settings on both FortiGate devices. You will then observe the HA
synchronization status and use diagnose commands to verify that the configuration is in sync on both devices.

Configure HA Settings on Local-FortiGate

Now, you will configure HA-related settings using the Local-FortiGate GUI.

To configure HA settings on Local-FortiGate

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > HA, and then configure the following HA settings:

Field                  Value
Mode                   Active-Active
Device priority        200
Group name             Training
Password               Fortinet
                       Tip: Click Change, and then type the password.
Session pickup         Enabled
Monitor Interfaces     Click X to remove port4.
Heartbeat interfaces   port2

The configuration should look like the following example:


3. Click OK.

Configure HA Settings on Remote-FortiGate

Now, you will configure HA-related settings on Remote-FortiGate using the console.

To configure HA settings on Remote-FortiGate

1. In the VM List, from the box of the Remote-FortiGate, click View VM to open the FortiGate console.
2. Log in as admin and password password.
3. Enter the following commands to configure the HA settings:

config system ha
set group-name Training
set mode a-a
set password Fortinet
set hbdev port2 0
set session-pickup enable
set override disable
set priority 100
end

Observe and Verify the HA Synchronization Status

Now that you have configured HA on both FortiGate devices, you will verify that HA has been established and the
configurations are fully synchronized.

The checksums for all cluster members must match for the FortiGate devices to be in a synchronized state.

To observe and verify the HA synchronization status

1. Continuing on the Remote-FortiGate console, you should see the messages that FortiGate sends to the
console. These sometimes show useful status change information.
2. Wait four to five minutes for the FortiGate devices to synchronize.

After the FortiGate devices are synchronized, the FortiGate console will log out all admin users:
slave succeeded to sync external files with master
slave starts to sync with master
logout all admin users

3. When prompted, log back in to the Remote-FortiGate console as admin and password password.
4. To check the HA synchronization status, run the following command:

diagnose sys ha checksum show


5. In the VM List, from the box of the Local-FortiGate, click View VM to open the FortiGate console.
6. Log in as admin and password password.
7. To check the HA synchronization status, run the following command:

diagnose sys ha checksum show

8. Compare the output from both FortiGate devices.

If both FortiGate devices are synchronized, then the checksums will match.

9. Alternatively, you can run the following command on the console of any FortiGate in the cluster to view the
checksums of all cluster members:

diagnose sys ha checksum cluster
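Step 8 has you compare the checksums by eye. As an added example that is not part of the lab guide, the following Python script does that comparison over per-member checksum output and reports which scopes differ, which is what you would automate to monitor a cluster for configuration drift. The member names, checksum values and line layout are constructed to resemble the output of diagnose sys ha checksum cluster; real output may differ in spacing and labels, so the regular expressions are assumptions to adjust against your own FortiOS version.

```python
"""Compare the per-member configuration checksums of a FortiGate HA cluster.

Added example (not Fortinet's code). The input is a CONSTRUCTED sample laid out
like the per-member blocks printed by `diagnose sys ha checksum cluster`: a
banner line naming the member, then a 'debugzone' and a 'checksum' section that
list one checksum per scope (global, each VDOM, all). Only the 'checksum'
section is compared. Field names and spacing are assumptions.
"""
import re

# Constructed sample values: the 'root' VDOM (and therefore 'all') differ on the
# second member, which is what an out-of-sync secondary looks like.
LOCAL_ROOT = "root: 8b 44 f0 2c 3e 19 aa 60 d1 5b 07 ee 94 38 c6 a2"
REMOTE_ROOT = "root: 8b 44 f0 2c 3e 19 aa 60 d1 5b 07 ee 94 38 c6 ff"
LOCAL_ALL = "all: 0c 91 4d e7 3a 6f b2 85 1e 59 c4 d0 27 f3 68 9b"
REMOTE_ALL = "all: 0c 91 4d e7 3a 6f b2 85 1e 59 c4 d0 27 f3 68 00"

SAMPLE_OUT_OF_SYNC = f"""\
================== FGVM-LOCAL-SAMPLE ==================
is_manage_vdom:1 is_root_vdom:1
debugzone
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
checksum
global: 5d 7e 11 90 22 ab 6c 0e 4f 3d 9a 18 c2 77 e5 01
{LOCAL_ROOT}
{LOCAL_ALL}
================== FGVM-REMOTE-SAMPLE ==================
is_manage_vdom:0 is_root_vdom:1
debugzone
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
checksum
global: 5d 7e 11 90 22 ab 6c 0e 4f 3d 9a 18 c2 77 e5 01
{REMOTE_ROOT}
{REMOTE_ALL}
"""

# The same sample after the secondary has caught up (every checksum identical).
SAMPLE_IN_SYNC = SAMPLE_OUT_OF_SYNC.replace(REMOTE_ROOT, LOCAL_ROOT).replace(REMOTE_ALL, LOCAL_ALL)

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")                      # banner naming a member
ZONE_RE = re.compile(r"^(\w+):\s*((?:[0-9a-f]{2}\s+)+[0-9a-f]{2})\s*$", re.IGNORECASE)


def parse_cluster_checksums(text):
    """Return {member: {scope: checksum}} using only each member's 'checksum' section."""
    members = {}
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = MEMBER_RE.match(line)
        if banner:
            current = banner.group(1)
            members[current] = {}
            section = None
            continue
        if current is None:
            continue  # text before the first member banner
        if line in ("debugzone", "checksum"):
            section = line
            continue
        zone = ZONE_RE.match(line)
        if zone and section == "checksum":
            scope, digest = zone.groups()
            members[current][scope] = " ".join(digest.lower().split())
    return members


def find_mismatches(members):
    """Return {scope: {member: checksum}} for every scope whose checksum is not identical
    on all members. A scope missing on some member counts as a mismatch (value None)."""
    scopes = sorted({scope for sums in members.values() for scope in sums})
    mismatches = {}
    for scope in scopes:
        values = {name: sums.get(scope) for name, sums in members.items()}
        if len(set(values.values())) > 1:
            mismatches[scope] = values
    return mismatches


def cluster_in_sync(text):
    """True when at least two members are listed and every scope matches on all of them."""
    members = parse_cluster_checksums(text)
    return len(members) >= 2 and not find_mismatches(members)


if __name__ == "__main__":
    for scope, values in find_mismatches(parse_cluster_checksums(SAMPLE_OUT_OF_SYNC)).items():
        print(f"mismatch in {scope}:")
        for member, digest in values.items():
            print(f"  {member}: {digest}")
    print("in sync:", cluster_in_sync(SAMPLE_IN_SYNC))
```

Run as a script, the block lists the scopes that differ in the constructed out-of-sync sample and then confirms the corrected sample matches. Feeding it the real command output captured from a member (for example over the management interface configured in Exercise 3) turns the manual check in step 8 into something a monitoring job can repeat.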

Verify FortiGate Roles in an HA Cluster

After the checksums of both FortiGate devices match, you will verify the cluster member roles to confirm the
primary and secondary devices.

To verify FortiGate roles in an HA cluster

1. From the VM List, click View VM for both the Local-FortiGate console and the Remote-FortiGate console, and
run the following command on each to verify that the HA cluster has been established:

get system status

2. View the Current HA mode line on both consoles.


Notice that the Local-FortiGate is a-a master, and the Remote-FortiGate device is a-a backup.

In this configuration, the FortiGate device named Local-FortiGate is the master
in the HA cluster because override is disabled and monitored ports are not configured;
both devices also formed the cluster at about the same time, so uptime does not decide the election.
Next, the cluster checks priority: Local-FortiGate, which has a priority of 200, has a
higher priority than Remote-FortiGate, which has a priority of 100.

View Session Statistics

Now, you will view session statistics.

To view session statistics

1. Return to the Local-Windows VM, open a few web browser tabs, and connect to a few websites. For example:
• https://docs.fortinet.com
• www.yahoo.com
• www.bbc.com
2. Return to the Local-FortiGate console and the Remote-FortiGate console, and run the following command on
each:

get system session status

The primary FortiGate will have more sessions than the secondary FortiGate. This is
because all management traffic is with the primary, and all non-TCP traffic is also handled
by the primary. By default, only TCP sessions that require security profile inspection
are load balanced between the primary and secondary FortiGate devices.

Exercise 2: High Availability Failover

You have set up an HA cluster. Now, you will trigger an HA failover and observe the renegotiation among devices
to elect a new primary device and redistribute the sessions.

Trigger Failover by Rebooting the Primary FortiGate

You will reboot the primary FortiGate in the cluster to trigger failover.

Take the Expert Challenge!

1. On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:
• Play a long video on http://www.dailymotion.com.
• Run a continuous ping to IP address 4.2.2.2.
2. On the Local-FortiGate console (admin/password), reboot Local-FortiGate.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you have performed these steps, see Verify the HA Failover and FortiGate Roles on page 117.

To trigger failover by rebooting the primary FortiGate

1. On the Local-Windows VM, open a web browser and go to the following URL:

http://www.dailymotion.com

If Java is not enabled, enable it.

2. Play a long video (over five minutes).
3. While the video is playing, open a command prompt, and then run a continuous ping to a public IP address:

ping 4.2.2.2 -t

4. To trigger a failover, on the Local-FortiGate console, run the following command to reboot the Local-FortiGate:

execute reboot

5. Press y to confirm that you want to reboot the FortiGate.

Verify the HA Failover and FortiGate Roles

Now, you will verify the HA failover, and check the roles of FortiGate in an HA cluster.

To verify the HA failover and FortiGate roles

1. Return to the Local-Windows VM and check the command prompt and video that you started earlier.
Because of the failover, the Remote-FortiGate device is now the primary processor of traffic. Your ping and
video should still be running.

2. To verify that Remote-FortiGate is acting as the primary device in the HA cluster, on the Remote-FortiGate
console, run the following command:

get system status

Stop and think!


When Local-FortiGate finishes rebooting and rejoins the cluster, does it rejoin as the secondary, or resume
its initial role of primary?

3. To see the status of all cluster members, run the following command on any FortiGate in the cluster:

diagnose sys ha status

You should see that Local-FortiGate rejoins the cluster as a secondary; it has lost its role of primary.

In this configuration, the FortiGate device named Local-FortiGate becomes the
secondary in the HA cluster because override is disabled and monitored ports are not
configured. Next, the cluster checks uptime. Because Local-FortiGate was
rebooted, it has less uptime than Remote-FortiGate.

Trigger an HA Failover by Resetting the HA Uptime

Now, you will trigger a failover by resetting the HA uptime on the current primary FortiGate, which should be
Remote-FortiGate, and then verify each FortiGate's role in the HA cluster.

To trigger an HA failover by resetting the HA uptime on FortiGate

1. On the Remote-FortiGate console, run the following command:

diagnose sys ha reset-uptime

By resetting the HA uptime, you are forcing the cluster to use the next parameter to
determine which FortiGate has more priority for becoming the primary. As per the
configuration, Local-FortiGate has a priority of 200, and Remote-FortiGate has a
priority of 100. Local-FortiGate will become the primary device in the cluster.

2. Remote-FortiGate now has the backup role in the cluster. On the Remote-FortiGate console, run the following
command to verify it:

get system status
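The election notes in Exercises 1 and 2 (priority decides when the cluster first forms, uptime decides after the reboot of Local-FortiGate, and priority decides again after reset-uptime) all follow one ordering of criteria. As an added example, not code from the lab guide, this Python model reproduces that ordering and replays the three scenarios. The Member class, the serial strings and the 300 second uptime margin (assumed from the FortiOS default for the HA uptime difference margin) are assumptions, and the override branch goes beyond the lab's override-disabled setting to show how enabling override changes the result.

```python
"""Model of the FGCP primary election as exercised in this lab.

Added example, not Fortinet code. With override disabled (the lab setting) the
cluster compares, in order: monitored interfaces that are up, HA uptime, device
priority, and finally serial number as a tie-breaker. With override enabled,
priority is compared before uptime. Uptime differences smaller than a margin are
treated as a tie; 300 seconds is an assumed value taken from the FortiOS default
for the HA uptime difference margin.
"""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int            # device priority (higher wins)
    uptime: int              # HA uptime in seconds (older wins)
    serial: str              # constructed serial; larger string wins the last tie-break
    monitored_up: int = 0    # monitored interfaces currently up (more wins)


def elect_primary(members, override=False, uptime_margin=300):
    """Return (winning Member, name of the criterion that decided the election)."""
    steps = [
        ("monitored interfaces", lambda m: m.monitored_up, 0),
        ("uptime", lambda m: m.uptime, uptime_margin),
        ("priority", lambda m: m.priority, 0),
    ]
    if override:
        steps[1], steps[2] = steps[2], steps[1]   # override: priority is checked before uptime
    candidates = list(members)
    for label, key, margin in steps:
        best = max(key(m) for m in candidates)
        # keep every member within `margin` of the best value; margin 0 keeps exact ties only
        candidates = [m for m in candidates if key(m) >= best - margin]
        if len(candidates) == 1:
            return candidates[0], label
    return max(candidates, key=lambda m: m.serial), "serial number"


def lab_scenarios():
    """Replay the three elections observed in Exercises 1 and 2.

    Returns {scenario: (primary name, deciding criterion)}.
    """
    local = Member("Local-FortiGate", priority=200, uptime=0, serial="FGVM-LOCAL-SAMPLE")
    remote = Member("Remote-FortiGate", priority=100, uptime=0, serial="FGVM-REMOTE-SAMPLE")
    out = {}

    # Exercise 1: both devices form the cluster at about the same time, so
    # uptime ties and priority decides (Local-FortiGate, priority 200).
    out["initial"] = elect_primary([local, remote])

    # Exercise 2, execute reboot on Local-FortiGate: Remote-FortiGate has been
    # up far longer, so uptime decides and Local-FortiGate rejoins as secondary.
    local.uptime, remote.uptime = 60, 3600
    out["after_local_reboot"] = elect_primary([local, remote])
    # Same state with override enabled: priority would win back the primary role.
    out["after_local_reboot_with_override"] = elect_primary([local, remote], override=True)

    # diagnose sys ha reset-uptime on Remote-FortiGate zeroes its HA uptime:
    # the uptime comparison is a tie again and priority decides.
    remote.uptime = 0
    out["after_reset_uptime"] = elect_primary([local, remote])

    return {name: (winner.name, why) for name, (winner, why) in out.items()}


if __name__ == "__main__":
    for scenario, (primary, why) in lab_scenarios().items():
        print(f"{scenario:35} primary={primary:17} decided by {why}")
```

Running the block prints which unit wins each scenario and why. Before a maintenance reboot of a production cluster, a model like this lets you predict which member will take over, so that the result of get system status afterwards can be checked against an expectation rather than discovered.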

Observe HA Failover Using Diagnostic Commands

The HA synchronization process is responsible for FGCP packets that communicate cluster status and build the
cluster. You will use real-time diagnostic commands to observe this process.

To observe HA failover using diagnostic commands

1. On the Local-FortiGate console, log in as admin and password password.
2. Run the following commands:

diagnose debug enable
diagnose debug application hasync 0
diagnose debug application hasync 255

The diagnose debug application hasync 0 command stops the debug output. You enter it
now so that you can recall it from the command history later.

3. On the Remote-FortiGate console, run the following command to reboot the Remote-FortiGate:

execute reboot

4. Press y to confirm that you want to reboot the FortiGate.
5. On the Local-FortiGate console, view the output while the secondary device reboots and starts communicating
with the cluster.


The output will show that the current primary FortiGate is sending heartbeat packets and trying to
synchronize its configuration with the secondary FortiGate’s configuration.

6. To stop the debug output on Local-FortiGate, press the Up Arrow key twice, select the second-last command (in
this case, diagnose debug application hasync 0), and then press the Enter key.
7. Return to Local-Windows VM and close the command prompt to stop the continuous ping.
8. Close the browser.

Exercise 3: Configuring the HA Management Interface

In this exercise, you will configure a spare interface in the cluster to be a nonsynchronizing management
interface. This allows both FortiGate devices to be reached individually, for SNMP and management purposes only.

If a management interface is not configured, you have access to the GUI of only the primary FortiGate in the
cluster, and you can connect to the secondary FortiGate only through the primary FortiGate's CLI or through
the console connection.

You can also configure an in-band HA management interface, which is an alternative to the reserved HA
management interface feature and does not require reserving an interface that is only for management access.

Access the Secondary FortiGate through the Primary FortiGate CLI

You will connect to the secondary FortiGate through the CLI of the primary FortiGate.

To access the secondary FortiGate through the primary FortiGate CLI

1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Type the following command to access the secondary FortiGate CLI through the primary FortiGate's HA link:

execute ha manage <id>

Use ? to list the id values.

4. When prompted, log in as admin and password password to Remote-FortiGate.

5. Run the following command to get the status of the secondary FortiGate:

get system status

6. View the Current HA mode line.

You will notice that the Remote-FortiGate device is a-a backup.

7. To return to the CLI of Local-FortiGate (the primary), run the following command:

exit

8. Run the following command to refresh license information:

execute update-now

Set Up a Management Interface

You will use an unused interface on the FortiGate devices in an HA cluster to configure a management interface.
This allows you to configure a different IP address for this interface for each FortiGate in the HA cluster.

To set up a management interface

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI (usually the primary) at
10.0.1.254 with the user name admin and password password.
2. Click System > HA.
3. Right-click Local-FortiGate, and then click Edit.
4. Enable Management Interface Reservation, and in the Interface field, select port7.
5. Click OK.

port7 connects to the same LAN segment as port3.

Configure and Access the Primary FortiGate Using the Management Interface

You will configure and verify access to the primary FortiGate using the management interface.

To configure and verify access to the primary FortiGate using the management interface

1. From the VM List, on the Local-FortiGate console, log in as admin and password password.
2. Run the following commands to configure port7:

config system interface
edit port7
set ip 10.0.1.253/24
set allowaccess http snmp ping ssh
end

Even though this address overlaps with port3, and would not usually be allowed
(FortiGate does not allow overlapping subnets), it is allowed here because the
interface now has a special purpose, and is excluded from the routing table.

3. Return to the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.253 (note
the IP address) as admin and password password.
This will verify connectivity to port7.

Configure and Access the Secondary FortiGate Using the Management Interface

You will configure and verify access to the secondary FortiGate using the management interface.

Take the Expert Challenge!

1. On the Remote-FortiGate console (admin/password), complete the following:
• Verify that the nonsynchronizing interface settings have been synced to the secondary:
show system ha
• Verify that port7 has no configuration, and then configure the port7 IP/Netmask as
10.0.1.252/24 with the same allowaccess configured for Local-FortiGate port7.
2. On the Local-Windows VM, log in to the Remote-FortiGate GUI (admin/password) using the port7 IP
address to verify connectivity.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After the configuration is ready, see Disconnect FortiGate From the Cluster on page 123.

To configure and verify access to the secondary FortiGate using the management interface

1. From the VM List, on the Remote-FortiGate console, log in as admin and password password.
2. Verify that the nonsynchronizing interface settings have been synced to the secondary:

show system ha

Look for ha-mgmt-status and ha-mgmt-interface. These should be set.

3. Run the following command to verify that port7 has no configuration:

show system interface

4. Configure port7:

config system interface
edit port7
set ip 10.0.1.252/24
set allowaccess http ping ssh snmp
end

5. Return to the Local-Windows VM.
6. Open a browser and log in to the Remote-FortiGate GUI at 10.0.1.252 (note the IP address) as admin and
password password.
This will verify connectivity to port7.

Each device in the cluster now has its own management IP address for monitoring purposes.

Disconnect FortiGate From the Cluster

You will disconnect Remote-FortiGate from the cluster. FortiGate will prompt you to configure an IP address on
any port on FortiGate so that you can access it after disconnecting.

To disconnect FortiGate from the cluster

1. Continuing on the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254
with the user name admin and password password.
2. Click System > HA.
3. Right-click Remote-FortiGate, and then click Remove device from HA cluster.
4. When prompted, configure the following settings:

Field         Value
Interface     port3
IP/Netmask    10.0.1.251/24

5. Click OK.
This removes FortiGate from the HA cluster.

Restore the Remote-FortiGate Configuration

Now, you will restore the Remote-FortiGate configuration so that you can use the Remote-FortiGate in the next
labs.

Failure to perform these steps will prevent you from doing the next exercise.

Take the Expert Challenge!

• Log in to the Remote-FortiGate GUI using the IP address configured in the previous procedure. If Remote-
FortiGate is waiting for a response from the license authentication server, run the following command to force
an immediate license authentication retry:
execute update-now
• Restore the Remote-FortiGate configuration using the remote-initial.conf file located in the Desktop
> Resources > FortiGate-Infrastructure > HA folder.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To restore the Remote-FortiGate configuration

1. On the Remote-FortiGate console, run the following command to validate license and support information for
Remote-FortiGate:

execute update-now

In this environment, the FortiManager is acting as a local FortiGuard server. It
validates the FortiGate licenses and replies to FortiGuard Web Filtering rating
requests from FortiGate VMs. Because Remote-FortiGate was removed from the HA cluster, it
may take a few minutes to validate its license. The execute update-now
command is used to force an immediate license authentication retry.

2. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.0.1.251 with the
user name admin and password password.
3. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
4. Click Local PC, and then click Upload.
5. Click Desktop > Resources > FortiGate-Infrastructure > HA > remote-initial.conf, and then click
Open.
6. Click OK.
7. Click OK to reboot.

Failure to perform these steps will prevent you from doing the next exercises.
