High availability HA in NAT/Route mode
FortiGate-400 Installation and Configuration Guide 77
During startup the members of the HA cluster negotiate to select the primary unit. The
primary unit allows other FortiGate units to join the HA cluster as subordinate units
and assigns each subordinate unit a priority.
The FortiGate units in the HA cluster communicate status and session information
using their HA interfaces. All FortiGate units in the cluster maintain all session
information. For load balancing, when the primary FortiGate unit forwards a packet to
a subordinate unit it sends the packet back out the interface on which it received the
packet to the corresponding interface on the subordinate FortiGate unit.
If the primary FortiGate unit fails, the first subordinate unit to register that the primary
unit has failed becomes the new primary unit. The new primary unit notifies the other
FortiGate units that it is the new primary unit and resets the priority of each of the
remaining subordinate units. The new primary unit also redistributes communication
sessions among the units in the HA cluster.
During a fail-over, the new primary FortiGate unit notifies the adjacent networking
devices so that the entire network can quickly converge to the new data path. The new
primary unit also alerts administrators of the changes to the HA cluster by writing a
message to the event log, sending an SNMP trap (if SNMP is enabled), and sending
an alert email.
If a subordinate FortiGate unit fails, the primary unit writes a message to the event log,
and sends an SNMP trap and an alert email. The primary unit also adjusts the priority
of each of the remaining units in the HA cluster.
HA in NAT/Route modeUse the following steps to configure a group of FortiGate units to operate as an HA
cluster in NAT/Route mode.
•Installing and configuring the FortiGate units
•Configuring the HA interfaces
•Configuring the HA cluster
•Connecting the HA cluster to your network
•Starting the HA cluster
Installing and configuring the FortiGate units
Follow the instructions in “NAT/Route mode installation” on page 45 to install and
configure the FortiGate units. All of the FortiGate units in the HA cluster should have
the same configuration. Do not connect the FortiGate units to the network. Instead,
proceed to “Configuring the HA interfaces”.
Configuring the HA interfaces
Configure the 4/HA interfaces of all of the FortiGate-400s in the HA cluster to operate
in HA mode. When you switch the 4/HA interface to HA mode, the System > Config >
HA options become active. When running in HA mode, the 4/HA interfaces cannot be
connected to a network because they are dedicated to HA communication.