FortiGate Cluster Protocol (FGCP)

Fortigate HA High availability FGCP instaelearn.com

FGCP is a FortiOS proprietary solution whose key objective is to provide enhanced reliability and increased performance for business-critical components. It provides device failover, link failover, remote link failover, and session failover protection. Some organizations prefer to use both units simultaneously, which is called an active-active deployment. Deployed active-active, FGCP offers an opportunity to enhance performance by doubling the processing power and throughput available to the cluster. FGCP can also be fine-tuned to change how a cluster forms, how cluster units share information, and how the cluster responds to failures. An FGCP cluster appears as a single unit, with configuration synchronized between the nodes. Deployment is straightforward, while fine-tuning and advanced configuration options remain available. With FGCP, the nodes can be configured in either NAT or transparent mode.

The FGCP provides a transparent device and link failover. A failover can be caused by a hardware failure, a software failure, or something as simple as a network cable being disconnected. When a failover occurs, the cluster detects and recognizes the failure and takes steps to respond so that the network can continue to operate without interruption. The internal operation of the cluster changes, but network components outside of the cluster notice little or no change.

FGCP supports a cluster of up to four FortiGates. More than two units can be added to a cluster to improve reliability: if two cluster units fail, the third continues to operate, and so on. A cluster of three or four units in active-active mode may also improve performance, since another cluster unit is available for security profile processing. Note, however, that active-active FGCP HA yields diminishing performance returns as units are added, so the additional performance gained from a third cluster unit may not be worth its cost.

Now that we have a fundamental understanding of FGCP, let's dive deeper and see how to configure it on FortiOS. We will use the CLI to configure the cluster in an active-passive deployment.

Note: Ensure that all licenses are applied on both nodes before initiating the cluster configuration.

To configure the active (master) node in the cluster, let's configure the hostname first so that we can identify the unit inside the HA cluster.

config system global
   set hostname Master_Node
end

Next, to start the HA configuration, move to the system HA hierarchy.

config system ha

Now, let us configure the HA deployment mode.

   set mode a-p

To set the name of the cluster group

   set group-name <group_name_for_cluster>

To set a password to secure the HA

   set password <password_for_HA_auth>

To designate the unit as the primary unit, set a higher priority than on the secondary unit.

   set priority <set_a_higher_value>

To designate which unit will be master during peacetime

   set override enable

Note: Enabling override may significantly increase traffic interruptions, as every time the node becomes healthy again it will try to take over the master role.

Select ha1 and ha2 as the heartbeat interfaces and set their priorities to 50.

   set hbdev ha1 50 ha2 50

The config on the primary node would look like this.

config system ha
   set mode a-p
   set group-name <group_name_for_cluster>
   set password <password_for_HA_auth>
   set priority 250
   set override enable
   set hbdev ha1 50 ha2 50
end

Now that we are done with the cluster configuration on the primary node, let's log in to the secondary node. It is good practice to reset the node's configuration to factory defaults first.

#exec factoryreset

Note: Use this command with caution; it will erase all configuration.

Now that we are running with the factory default config, let's set up the hostname for our secondary node.

config system global
   set hostname Standby_FortiGate
end

Next, to start the HA configuration, move to the system HA hierarchy.

config system ha

Now, let us configure the HA deployment mode.

   set mode a-p

To set the name of the cluster group

   set group-name <group_name_for_cluster>

To set a password to secure the HA

   set password <password_for_HA_auth>

To designate the unit as the standby unit, set a lower priority than on the primary unit.

   set priority <set_a_lower_value>

To designate which unit will be master in peacetime

   set override disable

Note: Enabling override may significantly increase traffic interruptions, as every time the node becomes healthy again it will try to take over the master role.

Select ha1 and ha2 as the heartbeat interfaces and set their priorities to 50.

   set hbdev ha1 50 ha2 50

The config on the secondary node would look like this.

config system ha
   set mode a-p
   set group-name <group_name_for_cluster>
   set password <password_for_HA_auth>
   set priority 200
   set override disable
   set hbdev ha1 50 ha2 50
end

After configuring both nodes, connect the HA cables. Once the cables are connected, the primary unit starts synchronizing its configuration to the secondary unit. Check the cluster synchronization status to make sure the primary and backup units have the same configuration. Log in to the primary unit CLI and enter this command:

#diag sys ha cluster-csum

If both cluster units have identical checksums, their configurations are synchronized. If the checksums differ, wait a short while and enter the command again. Repeat until the checksums are identical.
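As an added example (not code from the original post or from Fortinet), here is a small Python helper that renders the two CLI blocks above from one set of shared parameters and checks the invariants the procedure depends on before anything is pasted into a unit: a real HA password instead of the placeholder, a higher priority on the primary, override enabled only on the primary, and distinct hostnames. The cluster name, password and hostnames are constructed values, and the checksum helper only models the comparison described above, not the exact output of the diagnostic command.

```python
"""Constructed helper (not FortiOS or the post's own code): render and sanity-check both FGCP a-p CLI blocks."""
from dataclasses import dataclass

PASSWORD_PLACEHOLDER = "<password_for_HA_auth>"  # placeholder as written on the page

@dataclass(frozen=True)
class HaUnit:
    hostname: str
    priority: int   # higher value wins the primary role
    override: bool  # enable on the intended primary only

@dataclass(frozen=True)
class HaCluster:
    group_name: str
    password: str   # authenticates heartbeat peers; must be shared by both units
    hbdev: tuple = (("ha1", 50), ("ha2", 50))  # heartbeat interfaces and priorities

def validate(cluster, primary, secondary):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if cluster.password in ("", PASSWORD_PLACEHOLDER):
        problems.append("set a real HA password before deploying")
    if primary.priority <= secondary.priority:
        problems.append("primary priority must be higher than the secondary's")
    if not primary.override or secondary.override:
        problems.append("override must be enabled on the primary only")
    if primary.hostname == secondary.hostname:
        problems.append("hostnames must differ so the units can be told apart")
    return problems

def render(cluster, unit):
    """CLI block for one unit, in the same form the page shows."""
    hb = " ".join(f"{name} {prio}" for name, prio in cluster.hbdev)
    return "\n".join([
        "config system global",
        f"   set hostname {unit.hostname}",
        "end",
        "config system ha",
        "   set mode a-p",
        f"   set group-name {cluster.group_name}",
        f"   set password {cluster.password}",
        f"   set priority {unit.priority}",
        f"   set override {'enable' if unit.override else 'disable'}",
        f"   set hbdev {hb}",
        "end",
    ])

def checksums_synchronized(checksums):
    """Models the cluster-csum check: all units must report one identical checksum."""
    return len(checksums) >= 2 and len(set(checksums.values())) == 1
```

Call `validate()` with the cluster and both units and only `render()` once it returns an empty list; after cabling, feed the per-unit checksums you read from the diagnostic command into `checksums_synchronized()`.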

We have also covered a few other FortiGate HA solutions in separate blog posts, each with detailed How-To steps:

Basics

FortiGate Cluster Protocol (FGCP)

FortiGate Session Life Support Protocol (FGSP)

Session-Aware Load Balancing Clustering (SLBC)

Content Clustering

VRRP
