Fortinet HA – Intro

Fortigate HA High availability

For any organization, availability of the network is a primary business requirement, and as more of the business moves online that requirement falls increasingly on the security devices in the traffic path. A standalone firewall is a single point of failure: any one of a number of software or hardware faults can take the device down and bring all traffic through it to a standstill. Every organization today is concerned about security, and rightly so. Among security vendors Fortinet is without doubt one of the industry leaders, and FortiOS offers a solid, standardized approach to configuring FortiGate units in high availability.

Like Cisco, Fortinet offers a total of six redundancy/HA options. Five of them are Fortinet proprietary solutions; the sixth is the industry-standard gateway redundancy protocol, VRRP. The proprietary solutions offered by FortiOS are FortiGate Cluster Protocol (FGCP) high availability, FortiGate Session Life Support Protocol (FGSP) high availability, Session-Aware Load Balancing Clustering (SLBC), Enhanced Load Balanced Clustering (ELBC) and Content Clustering.

Note: more than one high availability solution can be combined in a single configuration. A common reason for doing this is to add VRRP to an FGCP or FGSP configuration.

For any HA deployment the first step is to choose the deployment model: whether the nodes in the cluster will run active-passive (one unit processes traffic, the others stand by) or active-active (all units process traffic). Inside the cluster the individual FortiGate units are called cluster units. The cluster units share state and configuration information. If one cluster unit fails, the other units in the cluster automatically replace it and take over the work the failed unit was doing, so the cluster continues to process network traffic and provide normal FortiGate services with virtually no interruption.

The ability of an HA cluster to keep providing firewall services after a failure is called failover. FortiGate HA failover means that the network does not have to rely on a single FortiGate unit: additional units are installed to form an HA cluster, and the remaining units take over if one of them fails.

Every FortiGate cluster contains one primary unit (also called the master unit) and one or more subordinate units (also called slave or backup units; newer FortiOS releases use the terms primary and secondary). The primary unit controls how the cluster operates. The roles that the primary and subordinate units play in the cluster depend on the mode in which the cluster operates.

To configure a FortiGate unit to operate in active-active mode as a member of a password-protected HA cluster, log into the CLI and enter the following commands:

config system ha
  set mode a-a
  set group-name <group_name_for_cluster>
  set password <password_for_HA_auth>
end

To configure a FortiGate unit to operate in active-passive mode as a member of a password-protected HA cluster, log into the CLI and enter the following commands:

config system ha
  set mode a-p
  set group-name <name_for_cluster>
  set password <password_for_HA_auth>
end

Note: the exact same commands (same mode, group name and password) must be entered on every FortiGate unit in the cluster; units whose HA settings differ will not join the same cluster.

It should also be noted that, to form a cluster, the units must be the same model with the same hardware configuration, run the same FortiOS firmware build, and carry matching licenses; a unit that differs in any of these will not be accepted into the cluster.
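The two snippets above are the minimum needed to form a cluster, but a production FGCP deployment needs a few more settings, in particular for the heartbeat link, which carries configuration synchronization and failover signalling and is neither authenticated nor encrypted by default. The following is an added example, not configuration from the original post, showing a complete active-passive configuration for a two-unit cluster. The interface names (port1/port2 carrying traffic, port3/port4 as dedicated heartbeat links), the group name "FGT-HA" and the password placeholder are assumptions to be replaced with values for your own deployment.

```fortios
# Added example (not from the original post). Lines starting with '#' are
# annotations; enter the config/set/end lines on each unit.

# --- Unit 1 (intended primary) ---
config system ha
    set mode a-p
    set group-name "FGT-HA"
    set password "<strong_HA_password>"
    # Dedicated heartbeat interfaces with their priorities (assumed port names).
    # Use a direct cable or an isolated switch segment, never a shared
    # production VLAN: whoever reaches the heartbeat link can talk HA to you.
    set hbdev "port3" 50 "port4" 100
    # Heartbeat traffic is unauthenticated and cleartext by default; enable
    # both so a host on that segment can neither inject nor read HA traffic.
    set authentication enable
    set encryption enable
    # Trigger a failover when a monitored traffic interface loses link.
    set monitor "port1" "port2"
    # Synchronize the session table so established sessions survive failover.
    set session-pickup enable
    # Highest priority becomes primary; override makes the role deterministic
    # when the original primary returns (at the cost of a second failover).
    set priority 200
    set override enable
end

# --- Unit 2 --- identical except for a lower priority
config system ha
    set mode a-p
    set group-name "FGT-HA"
    set password "<strong_HA_password>"
    set hbdev "port3" 50 "port4" 100
    set authentication enable
    set encryption enable
    set monitor "port1" "port2"
    set session-pickup enable
    set priority 100
    set override enable
end

# --- Verification, run on either unit once both are up ---
get system ha status
diagnose sys ha checksum cluster
```

The `get system ha status` output shows which unit holds the primary role and whether the other unit has joined; `diagnose sys ha checksum cluster` lists the configuration checksums of every member, and a mismatch there is the usual reason a cluster forms but fails to synchronize. Leave `override` disabled if you prefer the cluster to stay on whichever unit currently holds the role rather than failing back automatically.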

Let's look at the HA solutions supported by FortiOS one by one.

FortiGate Cluster Protocol (FGCP)

FortiGate Session Life Support Protocol (FGSP)

Session-Aware Load Balancing Clustering (SLBC)

Content Clustering


