Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.7 Administration Guide
    7.2.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    FGCP

    FGCP

    High availability (HA) is usually required in a system where there is high demand for little downtime. There are usually hot-swaps, backup routes, or standby backup units and as soon as the active entity fails, backup entities will start functioning. This results in minimal interruption for the users.

    The FortiGate Clustering Protocol (FGCP) is a proprietary HA solution whereby FortiGates can find other member FortiGates to negotiate and create a cluster. A FortiGate HA cluster consists of at least two FortiGates (members) configured for HA operation. All FortiGates in the cluster must be the same model and have the same firmware installed. Cluster members must also have the same hardware configuration (such as the same number of hard disks). All cluster members share the same configurations except for their host name and priority in the HA settings. The cluster works like a device but always has a hot backup device.

    Critical cluster components

    The following are critical components in an HA cluster:

    • Identical heartbeat connections and interfaces: members will use this to communicate with each other. In general, a two-member cluster is most common. We recommend double back-to-back heartbeat connections (as demonstrated in the topology).
    • Identical connections for internal and external interfaces: we recommend similar connections from each member to the switches for the cluster to function properly (as demonstrated in the topology).
    Note

    The HA heartbeat interface communicates with each unit in the cluster using the same heartbeat interface for each member.

    For example, if port1 and port2 are the heartbeat interfaces for the HA cluster, then in a cluster consisting of two members:

    • port1 of the primary FortiGate should be connected to port1 of the secondary FortiGate.

    • port2 of the primary FortiGate should be connected to port2 of the secondary FortiGate.

    General operation

    The following are best practices for general cluster operation:

    • Ensure that heartbeat communication is present (see HA heartbeat interface).
    • Enable the session synchronization option in daily operation (see FGSP basic peer setup).
    • Monitor traffic flowing in and out of the interfaces.

    Failover

    FGCP provides failover protection in the following scenarios:

    • The active device loses power.
    • A monitored interface loses a connection.

    After failover occurs, the user will not notice any difference, except that the active device has changed. See Failover protection for more information.

    Synchronizing the configuration

    FGCP uses a combination of incremental and periodic synchronization to make sure that the configuration of all cluster units is synchronized to that of the primary unit.

    The following settings are not synchronized between cluster units:

    • The FortiGate host name
    • GUI Dashboard widgets
    • HA override
    • HA device priority
    • The virtual cluster priority
    • The HA priority setting for a ping server (or dead gateway detection) configuration
    • The system interface settings of the HA reserved management interface
    • The HA default route for the reserved management interface, set using the ha-mgmt-interface-gateway option of the config system ha command

    Most subscriptions and licenses are not synchronized, as each FortiGate must be licensed individually. FortiToken Mobile is an exception; they are registered to the primary unit and synchronized to the secondary units.

    The primary unit synchronizes all other configuration settings, including the other HA configuration settings.

    All synchronization activity takes place over the HA heartbeat link using TCP/703 and UDP/703 packets.

    The following topics provide more information about FGCP:

    Previous
    Next

    FGCP

    FGCP

    High availability (HA) is usually required in a system where there is high demand for little downtime. There are usually hot-swaps, backup routes, or standby backup units and as soon as the active entity fails, backup entities will start functioning. This results in minimal interruption for the users.

    The FortiGate Clustering Protocol (FGCP) is a proprietary HA solution whereby FortiGates can find other member FortiGates to negotiate and create a cluster. A FortiGate HA cluster consists of at least two FortiGates (members) configured for HA operation. All FortiGates in the cluster must be the same model and have the same firmware installed. Cluster members must also have the same hardware configuration (such as the same number of hard disks). All cluster members share the same configurations except for their host name and priority in the HA settings. The cluster works like a device but always has a hot backup device.

    Critical cluster components

    The following are critical components in an HA cluster:

    • Identical heartbeat connections and interfaces: members will use this to communicate with each other. In general, a two-member cluster is most common. We recommend double back-to-back heartbeat connections (as demonstrated in the topology).
    • Identical connections for internal and external interfaces: we recommend similar connections from each member to the switches for the cluster to function properly (as demonstrated in the topology).
    Note

    The HA heartbeat interface communicates with each unit in the cluster using the same heartbeat interface for each member.

    For example, if port1 and port2 are the heartbeat interfaces for the HA cluster, then in a cluster consisting of two members:

    • port1 of the primary FortiGate should be connected to port1 of the secondary FortiGate.

    • port2 of the primary FortiGate should be connected to port2 of the secondary FortiGate.

    General operation

    The following are best practices for general cluster operation:

    • Ensure that heartbeat communication is present (see HA heartbeat interface).
    • Enable the session synchronization option in daily operation (see FGSP basic peer setup).
    • Monitor traffic flowing in and out of the interfaces.

    Failover

    FGCP provides failover protection in the following scenarios:

    • The active device loses power.
    • A monitored interface loses a connection.

    After failover occurs, the user will not notice any difference, except that the active device has changed. See Failover protection for more information.

    Synchronizing the configuration

    FGCP uses a combination of incremental and periodic synchronization to make sure that the configuration of all cluster units is synchronized to that of the primary unit.

    The following settings are not synchronized between cluster units:

    • The FortiGate host name
    • GUI Dashboard widgets
    • HA override
    • HA device priority
    • The virtual cluster priority
    • The HA priority setting for a ping server (or dead gateway detection) configuration
    • The system interface settings of the HA reserved management interface
    • The HA default route for the reserved management interface, set using the ha-mgmt-interface-gateway option of the config system ha command

    Most subscriptions and licenses are not synchronized, as each FortiGate must be licensed individually. FortiToken Mobile is an exception; they are registered to the primary unit and synchronized to the secondary units.

    The primary unit synchronizes all other configuration settings, including the other HA configuration settings.

    All synchronization activity takes place over the HA heartbeat link using TCP/703 and UDP/703 packets.

    The following topics provide more information about FGCP:

    Previous
    Next