10 Fortigate HA Best Practices
High availability (HA) is a key feature of the Fortinet FortiGate platform. This document provides best practices for configuring an HA cluster.
Fortigate HA is a high availability solution that offers redundancy and failover capabilities for Fortinet security appliances. By deploying two or more Fortinet devices in an HA cluster, organizations can ensure that their network security is never interrupted in the event of a hardware or software failure.
In this article, we will discuss 10 best practices for deploying Fortigate HA. By following these best practices, organizations can ensure that their HA cluster is properly configured and provides the desired level of redundancy and failover protection.
If you use different models, they will have different features and capabilities. This can lead to inconsistency and potential problems down the road. It’s much easier to manage and maintain a consistent HA configuration when both units are the same.
Additionally, using the same model ensures that both units are running the same firmware version. This is important because different firmware versions can introduce compatibility issues. By keeping both units on the same firmware version, you can avoid these potential problems.
If the firmware versions are different, it can cause problems with communication between the units and can even lead to data loss. In some cases, it might be possible to downgrade the firmware on one of the units to match the other, but this is not always recommended.
It’s also important to keep the Fortigate HA configuration in sync. This can be done manually or by using a tool like FortiSync.
Finally, make sure to test your Fortigate HA setup regularly. This will help ensure that it is working properly and will give you peace of mind in the event of a real emergency.
If you have different interfaces or VDOMs configured on each unit, then traffic will not be properly balanced between the two units. This can lead to one unit being overloaded while the other unit sits idle, which defeats the purpose of having HA in the first place.
It’s also important to make sure that both units are running the same firmware version. If there is a mismatch, then the units will not be able to sync properly and this can again lead to traffic imbalance and potential outages.
If you only have a single management interface, and that interface fails, you will lose all connectivity to the device. This can make it very difficult to troubleshoot and fix the problem.
By having a management interface on each unit, you can still connect to the other unit in the event that one of the interfaces goes down. This can be a lifesaver when trying to troubleshoot an issue.
It’s also a good idea to have a dedicated management interface for each unit. This way, if you need to access the web-based manager, you can still do so even if the other unit is down.
If the system time is not synchronized, and a failover occurs, the logs on the secondary unit will be timestamped with the current time on the unit, which may be different from the actual time of the events. This can make it difficult to troubleshoot issues, as you won’t be able to accurately correlate events between the two units.
To avoid this issue, it’s recommended that you use an external NTP server to synchronize the system time on both units. This way, even if a failover does occur, the logs will still be accurate and easy to work with.
If two or more Fortigate devices are using the same MAC address for their cluster interface, it can cause problems with communication between the devices. This is because the MAC address is used to identify the cluster, and if two devices have the same MAC address, they will both be seen as part of the same cluster.
To avoid this problem, make sure that each Fortigate device in an HA cluster has a unique MAC address for its cluster interface. You can do this by setting the “cluster-mac” parameter to a unique value in the device’s config file.
The heartbeat link is used to monitor the health of each Fortigate unit in the cluster. If one unit goes down, the other unit will take over and keep the cluster up and running.
Without a heartbeat link, there’s no way to know if one of the units has failed, which could lead to an interruption in service.
Creating an HA heartbeat link is simple and only takes a few minutes. Just follow these steps:
1. Connect the two Fortigate units together with a cable.
2. Go to System > High Availability and click on Create New.
3. Select the type of link you want to create. For most cases, the default option of Link Aggregation will work fine.
4. Enter a name for the link and select the ports you want to use.
5. Click OK to save the changes.
Now your Fortigate cluster is much more resilient and less likely to experience an interruption in service.
If you have different administrative settings on each unit, then when one unit fails over to the other, the new active unit will have different settings. This can cause problems, because the new settings may not be compatible with the rest of the network.
For example, if you have different administrator passwords on each unit, then when one unit fails over to the other, the new active unit will have a different password. This can cause problems, because the other devices on the network may not be able to authenticate with the new password.
To avoid this problem, it’s important to configure the same administrative settings on both units. That way, when one unit fails over to the other, the new active unit will have the same settings, and there will be no compatibility issues.
If you don’t have the same security policies configured on both units, then traffic will be allowed or denied based on which unit is currently active. This can lead to inconsistency and potential security breaches.
To avoid this, make sure to configure the same security policies on both units. You can use the Fortigate’s web interface to do this, or you can use the CLI.
If the routing configuration is not identical on both units, then traffic may not be properly balanced between the two units. This can lead to one unit becoming overloaded while the other unit has capacity, which can impact performance and availability.
It’s also important to ensure that both units have the same security policies and objects configured. If there are differences, then traffic may not be properly processed by both units, which could again lead to performance and availability issues.
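The consistency checks this article keeps returning to (same firmware build, same HA and heartbeat settings, NTP on both members) can be verified from the members' CLI backups. The following is an added example, not code from the article or from Fortinet: it parses two FortiOS config exports, reads the firmware build from the `#config-version` header line, and diffs an assumed subset of `config system ha` and `config system ntp` settings; both exports are constructed samples.

```python
import shlex

# Two constructed FortiOS exports (not from real devices). The secondary is
# deliberately wrong: an older firmware build and a different NTP server.
PRIMARY = """\
#config-version=FGT100F-7.2.5-FW-build1517-230508:opmode=0:vdom=0:user=admin
config system ntp
    set ntpsync enable
    config ntpserver
        edit 1
            set server "ntp1.example.net"
        next
    end
end
config system ha
    set group-id 7
    set mode a-p
    set hbdev "port9" 50 "port10" 50
    set session-pickup enable
end
"""
SECONDARY = (PRIMARY.replace("7.2.5-FW-build1517", "7.2.4-FW-build1396")
                    .replace("ntp1.example.net", "ntp2.example.net"))

# Assumed subset of settings this article says must agree: firmware, HA, NTP.
CHECKS = ("firmware", "system ha/group-id", "system ha/mode", "system ha/hbdev",
          "system ha/session-pickup", "system ntp/ntpsync",
          "system ntp/ntpserver/1/server")

def parse(text):
    """Flatten an export into {'config path/key': [values]} plus 'firmware'."""
    flat, stack = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("#"):                  # export header lines
            if line.startswith("#config-version="):
                flat["firmware"] = line.split("=", 1)[1].split(":")[0]
            continue
        tok = shlex.split(line)                   # honours FortiOS "quoted" values
        if tok[0] in ("config", "edit"):          # descend one nesting level
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("end", "next"):           # climb back out
            stack.pop()
        elif tok[0] == "set":
            flat["/".join(stack + [tok[1]])] = tok[2:]
    return flat

def compare(primary_text, secondary_text, keys=CHECKS):
    """Return {key: (primary, secondary)} for every checked setting that differs."""
    a, b = parse(primary_text), parse(secondary_text)
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}
```

Run `compare()` on real backups taken from each member before and after every firmware or HA change; an empty result means the checked settings agree, while a missing key on one side shows up as `None`.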