FortiGate-800 Installation and Configuration Guide Version 2.50

High availability

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must run the same FortiOS firmware image.

FortiGate HA is device redundant. If one of the FortiGate units in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessions [1] are maintained by the other FortiGate units in the HA cluster.

You manage the cluster by connecting to the cluster web-based manager from any cluster interface configured for HTTPS administrative access. You can also manage the cluster by connecting to the cluster CLI from any cluster interface configured for SSH administrative access. All configuration changes made to the cluster are automatically synchronized to all cluster members.

From the web-based manager you can monitor the status and log messages of the cluster and of each of the FortiGate units in the cluster. You can also monitor the cluster by using an SNMP manager to get SNMP information from or receive traps for any cluster interface configured for SNMP administrative access.

The FortiGate units in the cluster use dedicated HA ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual system status. The units in the cluster constantly communicate HA status information to make sure that the cluster is operating properly. For this reason, the connection between the HA interfaces of all the FortiGate units in the cluster must be well maintained. An interruption of this communication can have unpredictable results.

Note: The HA interfaces of the FortiGate units in a cluster are assigned IP addresses during cluster negotiation. These IP addresses cannot be viewed using the web-based manager or the CLI. Attempting to change the IP address of an HA interface using the web-based manager or the CLI has no effect on the IP address assigned during cluster negotiation. HA interfaces only accept connections used for HA communication between units in the cluster. You cannot connect to the HA interfaces to manage the cluster or to manage individual FortiGate units in the cluster.

FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.

[1] HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
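The guide states two things an operator can check mechanically: every cluster member must be the same model and run the same firmware image (no more than 32 units), and HA status traffic between the members must never be interrupted. The following is an added example, not Fortinet code and not the FGCP wire format: it checks a constructed member inventory against those membership rules and flags members whose status reports have stopped arriving. The record layout, the serial numbers, the one-second reporting interval and the three-missed-reports threshold are all assumptions chosen for illustration; the guide does not document the real heartbeat interval.

```python
"""HA cluster sanity checks modelled on the requirements in this guide.

Membership rules (same model, same firmware, at most 32 units) are taken
from the guide. The heartbeat record shape, interval and alert threshold
are constructed assumptions, not the FortiGate Clustering Protocol format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

MAX_CLUSTER_SIZE = 32  # stated limit for an HA cluster

# Assumed monitoring parameters (not documented in the guide).
HEARTBEAT_INTERVAL = 1.0   # seconds between status reports from a member
MISSED_BEFORE_ALERT = 3    # consecutive missed reports before a member is stale


@dataclass(frozen=True)
class Member:
    serial: str    # constructed identifier, not a real FortiGate serial
    model: str
    firmware: str


def membership_problems(members: List[Member]) -> List[str]:
    """Return reasons why the member list cannot form a valid HA cluster.

    An empty list means the inventory satisfies the rules in the guide.
    """
    if not members:
        return ["cluster has no members"]
    problems: List[str] = []
    if len(members) > MAX_CLUSTER_SIZE:
        problems.append(
            f"{len(members)} members exceeds the limit of {MAX_CLUSTER_SIZE}")
    models = {m.model for m in members}
    if len(models) > 1:
        problems.append("mixed models: " + ", ".join(sorted(models)))
    firmwares = {m.firmware for m in members}
    if len(firmwares) > 1:
        problems.append("mixed firmware: " + ", ".join(sorted(firmwares)))
    serials = [m.serial for m in members]
    if len(set(serials)) != len(serials):
        problems.append("duplicate serial numbers in inventory")
    return problems


def stale_members(observations: Iterable[Tuple[float, str]],
                  expected: Set[str],
                  now: float,
                  interval: float = HEARTBEAT_INTERVAL,
                  missed: int = MISSED_BEFORE_ALERT) -> Dict[str, float]:
    """Map each expected member whose last status report is too old to
    the size of the gap in seconds.

    observations: (timestamp, serial) pairs as seen on the HA interface.
    A member that never reported is returned with an infinite gap.
    """
    last_seen: Dict[str, float] = {}
    for ts, serial in observations:
        if serial in expected:
            last_seen[serial] = max(last_seen.get(serial, ts), ts)
    deadline = interval * missed
    stale: Dict[str, float] = {}
    for serial in expected:
        seen = last_seen.get(serial)
        gap = float("inf") if seen is None else now - seen
        if gap > deadline:
            stale[serial] = gap
    return stale


def run_demo() -> Tuple[List[str], List[str], Dict[str, float]]:
    """Exercise both checks on constructed data and return the results."""
    # Constructed inventory: two matching FortiGate-800 units on 2.50.
    good = [Member("SERIAL-A", "FortiGate-800", "2.50"),
            Member("SERIAL-B", "FortiGate-800", "2.50")]
    # Constructed inventory with one unit on a different firmware image.
    mixed = good + [Member("SERIAL-C", "FortiGate-800", "2.36")]
    # Constructed heartbeat log: SERIAL-B stops reporting at t=100.
    beats = [(100.0, "SERIAL-A"), (100.0, "SERIAL-B"), (101.0, "SERIAL-A"),
             (102.0, "SERIAL-A"), (103.0, "SERIAL-A"), (104.0, "SERIAL-A")]
    return (membership_problems(good),
            membership_problems(mixed),
            stale_members(beats, {"SERIAL-A", "SERIAL-B"}, now=104.0))


if __name__ == "__main__":
    ok, bad, stale = run_demo()
    print("valid inventory problems:", ok)
    print("mixed inventory problems:", bad)
    print("stale members:", stale)
```

The membership check is the kind of pre-flight test worth running before adding a unit, since a mismatched model or firmware image is a configuration error the guide rules out rather than something the cluster repairs. The staleness check is deliberately conservative: it alerts only after several reporting intervals, so a single delayed report on the HA link does not raise an alarm, but a sustained interruption, which the guide warns has unpredictable results, is surfaced before it causes a split cluster.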
