
Adding a second FortiGate to create an A-P HA pair.

What steps do I need to perform on the second out of the box fresh FortiGate before connecting it to the active?

I’ve configured the HA group on the main and heartbeat ports.

I configured the passive with the same HA group and lower priority, but for some reason connecting them causes the first box to take the almost blank config of the new passive box rather than send its config to the passive!

Is the second box meant to have an interface configured on a different IP so I can manage them separately? How does this work in terms of the config being synced? Won't it overwrite any config I put in it when a copy of the active is sent to the passive?

level 1

Your problem is likely to be HA priority. The higher priority will take primary when they negotiate. If you set the same priority (e.g. the default on both), then the decision is made based on a number of other factors.

Either way set your original to a higher HA priority and it should work fine.

level 1

I usually just back up the config on the primary, edit the config file to change the hostname of the slave and the HA priority, then restore the edited config to the slave.

You really don't need to edit the slave while it is running except in rare cases (manual failover comes to mind).
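
The edit step described above, as an added example that is not from the original thread: a small Python helper that takes a FortiGate config backup, rewrites only the hostname and the `config system ha` priority, and passes everything else through. The sample backup is constructed with placeholder names and values, and the parser assumes the usual FortiOS `config ... set ... end` layout.

```python
# Constructed sample of a FortiGate config backup (placeholder header, names
# and values; not from any real device). Real backups hold many more stanzas,
# which the rewrite passes through untouched.
PRIMARY_BACKUP = """\
#config-version=PLACEHOLDER
config system global
    set hostname "FW-PRIMARY"
end
config system ha
    set group-name "HA-PAIR"
    set mode a-p
    set hbdev "port7" 50 "port8" 50
    set priority 200
    set override enable
end
"""


def retarget_for_secondary(cfg: str, hostname: str, priority: int) -> str:
    """Return cfg with hostname and HA priority rewritten for the secondary.

    Stanzas are tracked with a stack so nested 'config ... end' blocks do not
    confuse the parser. If 'system ha' carries no explicit 'set priority'
    line (device at the default), one is appended before its 'end'.
    """
    out, stack, priority_seen = [], [], False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        elif s == "end":
            if stack == ["system ha"] and not priority_seen:
                out.append(f"    set priority {priority}")
            stack.pop()
        elif stack == ["system global"] and s.startswith("set hostname "):
            line = f'    set hostname "{hostname}"'
        elif stack == ["system ha"] and s.startswith("set priority "):
            line = f"    set priority {priority}"
            priority_seen = True
        out.append(line)
    return "\n".join(out) + "\n"


def get_setting(cfg: str, stanza: str, key: str):
    """Read back a top-level 'set <key> ...' value inside 'config <stanza>'."""
    stack = []
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        elif s == "end":
            stack.pop()
        elif stack == [stanza] and s.startswith(f"set {key} "):
            return s[len(f"set {key} "):].strip('"')
    return None
```

The secondary gets the lower priority (here 100 against the primary's 200) so the original box wins the negotiation, which is the point the first reply makes.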

level 2

I'd do this and firmware-match the two.

level 2
Original Poster · 1 point · 3 months ago

So I wouldn't need to give the failover its own internal interface with a different IP to manage? I assume that's correct. But I've seen other firewalls like SonicWall where each firewall has its own management IP address despite being active/passive.

level 3

You don't need to, but you can do this (and personally I think it's desirable to do it). The details are here:

Just remember to do the `config system ha` / `set ha-direct enable` command it mentions or it won't work.

level 1

To manage the FortiGates separately during the first config sync, the best way to go about it is using a console cable.

Once they are in sync, use the `execute ha manage <peer-id>` command under global config mode to get into the second FortiGate.

I've always done a failover and failback test after adding a device to the cluster. If you've got a change/outage window open, then it is the best time to do this (use `diag sys ha reset-uptime`).

level 1

Also make sure all UTM licenses are applied. And depending on the model, make sure your heartbeat ports aren't default one-arm sniffer ports.

level 2
Original Poster · 1 point · 3 months ago

I think some of my interfaces are in switch mode. I've heard different things regarding this being a deal breaker for HA.
