Handbook

6.0.0
Virtual clustering

If VDOMs (virtual domains) are enabled on a cluster operating in transparent mode, HA virtual clustering can be configured in active-passive mode.

This will provide:

  • Failover protection between two instances of a VDOM operating on two different FortiGate units in the cluster.
  • Load balancing between the FortiGate devices on a per-VDOM basis.

The roles are defined so that, in normal operation:

  • FortiGate1 is primary for VDOM1 and secondary for VDOM2
  • FortiGate2 is primary for VDOM2 and secondary for VDOM1

If one FortiGate fails or reboots, the remaining unit becomes primary for both VDOM1 and VDOM2.

The VDOMs in this example use physical ports, but a VDOM can also include VLAN interfaces.
The L2 connectivity between the FortiGate units is shown as four separate L2 switches, but it could also be a single switch on each side configured with the appropriate VLANs.

Configuration example

  • FortiGate1:

    FGT1 (global) # show system ha
    config system ha
        set mode a-p
        set hbdev "port5" 0 "port6" 0
        set vcluster2 enable
        set override disable
        set priority 200
        config secondary-vcluster
            set override enable
            set priority 100
            set vdom "VDOM2"
        end
    end

  • FortiGate2:

    FGT2 (global) # show system ha
    config system ha
        set mode a-p
        set hbdev "port5" 0 "port6" 0
        set vcluster2 enable
        set override disable
        set priority 200
        config secondary-vcluster
            set override enable
            set priority 100
            set vdom "VDOM2"
        end
    end
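
A priority check for the two `show system ha` outputs, as an added example that is not part of the Fortinet handbook: it parses each unit's output and reports, per virtual cluster, which unit has the higher configured priority, or a tie when the values are equal. The `FGT2_SWAPPED` sample and the function names are constructed for illustration, and the comparison looks at configured priority only; the cluster's actual primary selection also weighs other factors such as monitored interfaces and uptime.

```python
import re

# "show system ha" output for FGT1, copied from the page.
FGT1 = """config system ha
    set mode a-p
    set hbdev "port5" 0 "port6" 0
    set vcluster2 enable
    set override disable
    set priority 200
    config secondary-vcluster
        set override enable
        set priority 100
        set vdom "VDOM2"
    end
end"""

# Constructed sample (assumption, not from the page): same block with the two
# priority values exchanged, so each unit is preferred for one virtual cluster.
FGT2_SWAPPED = (FGT1.replace("priority 200", "priority TMP")
                .replace("priority 100", "priority 200")
                .replace("priority TMP", "priority 100"))

def parse_ha(text):
    """Split 'set' lines into primary (vcluster1) and secondary (vcluster2)."""
    clusters = {"vcluster1": {}, "vcluster2": {}}
    current = "vcluster1"
    for line in map(str.strip, text.splitlines()):
        if line == "config secondary-vcluster":
            current = "vcluster2"
        elif line == "end":
            current = "vcluster1"  # leaving the nested block
        elif m := re.match(r"set (\S+) (.+)", line):
            clusters[current][m.group(1)] = m.group(2)
    return clusters

def preferred_primary(units):
    """Per virtual cluster: unit with the highest configured priority, or 'tie'."""
    parsed = {name: parse_ha(text) for name, text in units.items()}
    result = {}
    for vc in ("vcluster1", "vcluster2"):
        prio = {name: int(cfg[vc]["priority"]) for name, cfg in parsed.items()}
        top = [n for n, p in prio.items() if p == max(prio.values())]
        result[vc] = top[0] if len(top) == 1 else "tie"
    return result

if __name__ == "__main__":
    print(preferred_primary({"FGT1": FGT1, "FGT2": FGT2_SWAPPED}))
```

Running the same check before a maintenance window, with the live output of both units pasted in, shows whether the configured priorities still encode the intended per-VDOM role split.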
