
Administration Guide

HA for cloud and virtual environments

In virtual machine (VM) and cloud environments that do not support heartbeat communication using Layer 2 Ethernet frames (see HA heartbeat interface), you can configure a Layer 3 unicast HA heartbeat when setting up HA, and use VDOM exceptions to manage the configuration differences that are necessary between the cluster members.

Unicast HA heartbeat

This method allows the HA cluster to form by sending heartbeat packets directly to a specified Peer IP address. This requires enabling the feature and adding a peer IP address. The peer IP address is the IP address of the HA heartbeat interface of the other FortiGate VM in the HA cluster.

Prerequisites and constraints:
  • Unicast HA is only supported between two FortiGate VMs in active-passive (A-P) mode.

  • The heartbeat interfaces must be connected to the same network, and the IP addresses must be added to these interfaces.

In the following example, unicast HA heartbeat is enabled over the port3 interface.

To enable unicast HA heartbeat in the GUI:
  1. Go to System > HA.

  2. Enable Unicast Heartbeat and enter the Peer IP, such as 172.30.3.12.

  3. Click OK.

To enable unicast HA heartbeat in the CLI:
config system ha
    set hbdev port3 50
    set unicast-hb enable
    set unicast-hb-peerip 172.30.3.12
end
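The CLI snippet above shows one member only. The following is an added example, not taken from the Fortinet guide, that shows the matching configuration on both members of a two-VM A-P cluster so the symmetry of the peer IP setting is visible: each member's unicast-hb-peerip is the port3 address of the other member. The hostnames FGT-A and FGT-B, the heartbeat subnet 172.30.3.0/24, the group name and the password are assumed values; VDOM mode is assumed to be disabled, so config system ha is entered at the top level rather than under config global.

```fortios
# Added example, not from the guide. Assumed values: hostnames FGT-A and FGT-B,
# heartbeat subnet 172.30.3.0/24 on port3 (FGT-A 172.30.3.11, FGT-B 172.30.3.12),
# cluster group name and shared password. VDOM mode disabled.

# ---- FGT-A ----
config system interface
    edit port3
        set ip 172.30.3.11 255.255.255.0
        set allowaccess ping          # heartbeat only; no management access on this port
    next
end
config system ha
    set group-name "cloud-ha"
    set mode a-p                      # unicast HA is only supported in A-P mode
    set password "<strong-shared-secret>"
    set authentication enable         # authenticate heartbeat messages
    set encryption enable             # encrypt heartbeat messages on the shared cloud subnet
    set hbdev port3 50
    set unicast-hb enable
    set unicast-hb-peerip 172.30.3.12 # FGT-B's port3 address
    set priority 200
    set override enable
end

# ---- FGT-B ----
config system interface
    edit port3
        set ip 172.30.3.12 255.255.255.0
        set allowaccess ping
    next
end
config system ha
    set group-name "cloud-ha"
    set mode a-p
    set password "<strong-shared-secret>"
    set authentication enable
    set encryption enable
    set hbdev port3 50
    set unicast-hb enable
    set unicast-hb-peerip 172.30.3.11 # FGT-A's port3 address
    set priority 100
    set override enable
end

# Verify on either member once both are configured; both members should be listed:
get system ha status
```

The group name, password and priority must be consistent across both members in the usual way; only the interface IP and the peer IP differ. Because the heartbeat travels as routable Layer 3 traffic on a subnet the cloud provider shares with other tenants' infrastructure, keep port3 on a dedicated heartbeat subnet with a security group that only admits the two members, and leave heartbeat authentication and encryption enabled.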

VDOM exceptions

VDOM exceptions are settings, selected for specific VDOMs or for all VDOMs, that are not synchronized to the other HA members. This can be required when cluster members are not in the same physical location, subnet, or availability zone in a cloud environment.

Some examples of possible use cases include:

  • You use different source IP addresses for FortiAnalyzer logging from each cluster member. See Override FortiAnalyzer and syslog server settings for more information.

  • You need to exclude management interfaces that use specific VIPs or local subnets that cannot move between members from synchronization.

  • In a unicast HA cluster in the cloud, you use NAT with different IP pools in different subnets, so IP pools must be exempt.

  • In a unicast HA cluster in the cloud, when HA members have different interface IPs, the local gateway (local-gw) used to define the local end of the VPN tunnel may need to be specified individually for IPsec tunnel failover to occur.

When a VDOM exception is configured, the object is not synchronized between the primary and secondary devices when the cluster forms. The exempted object can then be configured differently on each cluster member.

When VDOM mode is disabled, the configured object is excluded for the entire device. To define a scope, VDOM mode must be enabled and the object must be configurable in a VDOM.

The VDOM exception entries themselves are synchronized to the other HA cluster members; only the exempted objects are not.

To configure VDOM exceptions:
config global
    config system vdom-exception
        edit 1
            set object <object name>
            set scope {all* | inclusive | exclusive}
            set vdom <vdom name>
        next
    end
end

Option       Description

object       The name of the configuration object that can be configured independently for some or all of the VDOMs. See Objects for a list of available settings and resources.

scope        Determine whether the specified object is configured independently for all VDOMs or for a subset of VDOMs.
               • all: Configure the object independently on all VDOMs (default).
               • inclusive: Configure the object independently only on the specified VDOMs.
               • exclusive: Configure the object independently on all of the VDOMs that are not specified.

vdom         The names of the VDOMs that are included or excluded. Only used with the inclusive and exclusive scopes.
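The following is an added example, not taken from the Fortinet guide, that applies the procedure above to the two cloud use cases listed earlier (NAT IP pools in different subnets, and a per-member local-gw for IPsec failover). VDOM mode is assumed to be enabled with VDOMs root and vd1, the cluster members FGT-A and FGT-B are assumed to sit in different cloud subnets (10.1.1.0/24 and 10.1.2.0/24), and the pool name, tunnel name, remote gateway and pre-shared key are assumed values.

```fortios
# Added example, not from the guide. Assumed values: VDOM mode enabled with VDOMs
# root and vd1; FGT-A on 10.1.1.0/24 and FGT-B on 10.1.2.0/24 (port2); pool,
# tunnel, remote gateway 203.0.113.10 and PSK placeholder.

# Step 1: define the exceptions once. The entries sync to the other member, so
# this is done on the primary only.
config global
    config system vdom-exception
        edit 1
            # NAT pools live in different subnets on each member, but only in vd1;
            # pools in root keep synchronizing.
            set object firewall.ippool
            set scope inclusive
            set vdom vd1
        next
        edit 2
            # Each member terminates the tunnel on its own interface IP, in every VDOM.
            set object vpn.ipsec.phase1-interface
            set scope all
        next
    end
end

# Step 2 on FGT-A: member-specific objects, not synchronized because of step 1.
config vdom
    edit vd1
        config firewall ippool
            edit "snat-pool"
                set startip 10.1.1.50
                set endip 10.1.1.50
            next
        end
        config vpn ipsec phase1-interface
            edit "to-hub"
                set interface port2
                set local-gw 10.1.1.10        # FGT-A's own port2 address
                set remote-gw 203.0.113.10
                set psksecret "<strong-psk>"
            next
        end
    next
end

# Step 2 on FGT-B: same object names, different local addresses.
config vdom
    edit vd1
        config firewall ippool
            edit "snat-pool"
                set startip 10.1.2.50
                set endip 10.1.2.50
            next
        end
        config vpn ipsec phase1-interface
            edit "to-hub"
                set interface port2
                set local-gw 10.1.2.10        # FGT-B's own port2 address
                set remote-gw 203.0.113.10
                set psksecret "<strong-psk>"
            next
        end
    next
end

# Confirm both members are still listed as cluster members afterwards:
config global
    get system ha status
end
```

Keeping the object names identical on both members (here "snat-pool" and "to-hub") matters: firewall policies that reference the pool and the tunnel are still synchronized, so the references must resolve on whichever member becomes primary. Both firewall.ippool and vpn.ipsec.phase1-interface are asterisked in the Objects list below, so this only applies to cloud VMs; and because the exception list itself synchronizes, remember that adding an entry on one member affects what the whole cluster stops synchronizing.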

Objects

The following settings and resources can be exempt from synchronization in an HA cluster:

  • log.fortianalyzer.setting
  • log.fortianalyzer.override-setting
  • log.fortianalyzer2.setting
  • log.fortianalyzer2.override-setting
  • log.fortianalyzer3.setting
  • log.fortianalyzer3.override-setting
  • log.fortianalyzer-cloud.setting
  • log.fortianalyzer-cloud.override-setting
  • log.syslogd.setting
  • log.syslogd.override-setting
  • log.syslogd2.setting
  • log.syslogd2.override-setting
  • log.syslogd3.setting
  • log.syslogd3.override-setting
  • log.syslogd4.setting
  • log.syslogd4.override-setting
  • system.central-management
  • system.csf
  • system.snmp.sysinfo
  • user.radius
  • system.interface*
  • vpn.ipsec.phase1-interface*
  • vpn.ipsec.phase2-interface*
  • router.bgp*
  • router.route-map*
  • router.prefix-list*
  • firewall.ippool*
  • firewall.ippool6*
  • router.static*
  • router.static6*
  • firewall.vip*
  • firewall.vip6*
  • system.sdwan*
  • system.saml*
  • router.policy*
  • router.policy6*

* This setting can only be configured on cloud VMs.
