Configuring HA using manual failover mode
Use the following procedures to configure FortiManager units for HA operation from the FortiManager GUI. The procedures assume that you are starting with three FortiManager units with factory default configurations. The primary unit and the first backup unit are connected to the same network. The second backup unit is connected to a remote network and communicates with the primary unit over the Internet. Sample configuration settings are also shown.
To configure the primary unit for HA operation:
- Connect to the primary unit GUI.
- Go to System Settings > HA.
- Configure HA settings.
Example HA primary configuration:

| Setting | Value |
|---|---|
| Failover Mode | Manual |
| Operation Mode | Primary |
| Peer IP | 172.20.120.23 |
| Peer SN | <serial_number> |
| Peer IP | 192.268.34.23 |
| Peer SN | <serial_number> |
| Cluster ID | 15 |
| Group Password | password |
| File Quota | 4096 |
| Heartbeat Interval | 5 (Keep the default setting.) |
| Failover Threshold | 3 (Keep the default setting.) |

- Click Apply.
To configure the backup unit on the same network for HA operation:
- Connect to the backup unit GUI.
- Go to System Settings > HA.
- Configure HA settings.
Example local backup configuration:

| Setting | Value |
|---|---|
| Failover Mode | Manual |
| Operation Mode | Secondary |
| Priority | 5 (Keep the default setting.) |
| Peer IP | 172.20.120.45 |
| Peer SN | <serial_number> |
| Cluster ID | 15 |
| Group Password | password |
| File Quota | 4096 |
| Heartbeat Interval | 5 (Keep the default setting.) |
| Failover Threshold | 3 (Keep the default setting.) |

- Click Apply.
To configure a remote backup unit for HA operation:
- Connect to the backup unit GUI.
- Go to System Settings > HA.
- Configure HA settings.
Example remote backup configuration:

| Setting | Value |
|---|---|
| Failover Mode | Manual |
| Operation Mode | Secondary |
| Priority | 5 (Keep the default setting.) |
| Peer IP | 192.168.20.23 |
| Peer SN | <serial_number> |
| Cluster ID | 15 |
| Group Password | password |
| File Quota | 4096 |
| Heartbeat Interval | 5 (Keep the default setting.) |
| Failover Threshold | 3 (Keep the default setting.) |

- Click Apply.
To change the network configuration so that the remote backup unit and the primary unit can communicate with each other:
Configure the appropriate firewalls or routers to allow HA heartbeat and synchronization traffic to pass between the primary unit and the remote backup unit using the peer IPs added to the primary unit and remote backup unit configurations.
HA traffic uses TCP port 5199.
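The following added example (not part of the original documentation) checks the three sample configurations on this page for consistency before they are applied and lists the peer connections that use TCP port 5199. The unit labels, dictionary layout and function names are assumptions made for the example; because the samples use the same Failover Mode, Cluster ID and Group Password on every unit, it treats any difference in those settings as a finding.

```python
import ipaddress

HA_PORT = 5199  # TCP port the page gives for HA heartbeat and synchronization
# Sample values transcribed from this page's three tables; unit names are example labels.
UNITS = {
    "primary": {"failover": "Manual", "mode": "Primary", "cluster_id": 15,
                "password": "password", "peers": ["172.20.120.23", "192.268.34.23"]},
    "local-backup": {"failover": "Manual", "mode": "Secondary", "cluster_id": 15,
                     "password": "password", "peers": ["172.20.120.45"]},
    "remote-backup": {"failover": "Manual", "mode": "Secondary", "cluster_id": 15,
                      "password": "password", "peers": ["192.168.20.23"]},
}


def valid_ipv4(text):
    """Return True only for a syntactically valid dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def check_cluster(units):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for key in ("failover", "cluster_id", "password"):  # same on every unit
        values = {u[key] for u in units.values()}
        if len(values) > 1:
            findings.append(f"{key} differs between units: {sorted(map(str, values))}")
    primaries = [n for n, u in units.items() if u["mode"] == "Primary"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one Primary, found {primaries}")
    for name, unit in units.items():
        for peer in unit["peers"]:
            if not valid_ipv4(peer):
                findings.append(f"{name}: peer IP {peer!r} is not a valid IPv4 address")
    return findings


def heartbeat_flows(units):
    """List (unit, peer_ip, port) for each valid peer entry; invalid ones are skipped."""
    return [(name, peer, HA_PORT) for name, unit in units.items()
            for peer in unit["peers"] if valid_ipv4(peer)]


if __name__ == "__main__":
    print(*check_cluster(UNITS), *heartbeat_flows(UNITS), sep="\n")
```

Run against the values as printed on this page, it reports that the second peer IP in the primary sample, 192.268.34.23, is not a valid IPv4 address.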
To connect the cluster to the networks:
- Connect the cluster units.
  No special network configuration is required for the cluster.
- Power on the cluster units.
  The units start and use HA heartbeat packets to find each other, establish the cluster, and synchronize their configurations.
To add basic configuration settings to the cluster:
Configure the cluster to connect to your network as required.