Fortinet black logo

Cookbook

Configuring the backup FortiGate

Copy Link
Copy Doc ID 4d801240-7ccc-11e9-81a4-00505692583a:97767
Download PDF

Configuring the backup FortiGate

  1. Ensure the backup FortiGate is running the same version firmware as the primary FortiGate.
  2. If this is a new FortiGate that has never been used, you can skip this step.

    Reset the backup FortiGate to factory default settings using the following CLI command:

    execute factoryreset

  3. Register and apply licenses to the primary FortiGate before configuring it for HA operation. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

    All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they're synchronized with all cluster members.

    Note

    If the FortiGates in the cluster will run FortiOS Carrier, apply the FortiOS Carrier license before you apply other licenses and before you configure the cluster. When you apply the FortiOS Carrier license, the FortiGate resets its configuration to factory defaults, requiring you to repeat steps performed before applying the license.

  4. On the backup FortiGate, go to System > Settings and change the Host name to identify this as the backup FortiGate.

    You can also enter this CLI command:

    config system global

    set hostname External-Backup

    end

  5. Duplicate the primary FortiGate HA settings, except set the Device priority to a lower value (for example, 50) and do not enable override.

    config system ha

    set mode a-p

    set group-id 25

    set group-name External-HA-Cluster

    set password <password>

    set priority 50

    set hbdev port3 200 port4 100

    end

    When you enable HA, each FortiGate negotiates to establish an HA cluster. You might temporarily lose connectivity during FGCP negotiation and the MAC addresses of the FortiGate interfaces change to HA virtual MAC addresses.

    Note

    If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.

    If the group ID is the same, the backup FortiGate interfaces get the same virtual MAC addresses as the primary FortiGate. You can check Network > Interfaces on the GUI or use the get hardware nic command to verify.

Configuring the backup FortiGate

  1. Ensure the backup FortiGate is running the same version firmware as the primary FortiGate.
  2. If this is a new FortiGate that has never been used, you can skip this step.

    Reset the backup FortiGate to factory default settings using the following CLI command:

    execute factoryreset

  3. Register and apply licenses to the primary FortiGate before configuring it for HA operation. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

    All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. You can add FortiToken licenses at any time because they're synchronized with all cluster members.

    Note

    If the FortiGates in the cluster will run FortiOS Carrier, apply the FortiOS Carrier license before you apply other licenses and before you configure the cluster. When you apply the FortiOS Carrier license, the FortiGate resets its configuration to factory defaults, requiring you to repeat steps performed before applying the license.

  4. On the backup FortiGate, go to System > Settings and change the Host name to identify this as the backup FortiGate.

    You can also enter this CLI command:

    config system global

    set hostname External-Backup

    end

  5. Duplicate the primary FortiGate HA settings, except set the Device priority to a lower value (for example, 50) and do not enable override.

    config system ha

    set mode a-p

    set group-id 25

    set group-name External-HA-Cluster

    set password <password>

    set priority 50

    set hbdev port3 200 port4 100

    end

    When you enable HA, each FortiGate negotiates to establish an HA cluster. You might temporarily lose connectivity during FGCP negotiation and the MAC addresses of the FortiGate interfaces change to HA virtual MAC addresses.

    Note

    If these steps don't start HA mode, make sure that none of the FortiGate's interfaces use DHCP or PPPoE addressing.

    If the group ID is the same, the backup FortiGate interfaces get the same virtual MAC addresses as the primary FortiGate. You can check Network > Interfaces on the GUI or use the get hardware nic command to verify.