Two FortiGate 60D units are used for the HA examples in this post.
The back of the FortiGate 60D:
Configuring FortiGate High Availability is the easiest compared with other firewall vendors. The FortiGate cookbook “High Availability with two FortiGates” presents enough detailed steps for most situations. This post records the steps I recently followed.
Topology:
WAN1 connects to the external switch, which is connected to the Internet.
LAN port 1 connects to the internal switch.
Both the DMZ and WAN2 ports are used as HA heartbeat interfaces. Two regular Ethernet cables connect them together, as shown in the following photo:
Configuration steps:
1. Start with the primary, which is running in standalone mode and already has all interfaces and policies configured.
1.1 Change the primary first from standalone to Active-Passive mode.
1.2 Set the priority between 1 and 255. Since it is the primary, I set it to 250.
1.3 Type HAGroup1 as the HA group name and enter a password for this group.
1.4 Choose DMZ and WAN2 as the heartbeat interfaces.
2. Add the new FortiGate 60D as the secondary device.
2.3 Type HAGroup1 as the HA group name and enter a password for this group.
2.4 Choose DMZ and WAN2 as the heartbeat interfaces.
3. Verify
After the configuration is completed, you should be able to see both FortiGate 60D units in the list. One is the master and the other is the slave.
All configuration will be synchronised from the primary to the secondary through the heartbeat interfaces.
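The same settings can be applied from the FortiOS CLI. The block below is an added example, not taken from the original post or from the cookbook. It assumes the interface names dmz and wan2 and a heartbeat priority of 50 for each, and it uses placeholders for the group password and for the secondary's priority, which the post does not state. Lines starting with # are annotations.

```fortios
# --- Primary unit (steps 1.1 to 1.4) ---
config system ha
    # Step 1.3: group name from the post; the password is a placeholder.
    # Both units must use the same group name and password.
    set group-name "HAGroup1"
    set password <ha-group-password>
    # Step 1.1: Active-Passive mode
    set mode a-p
    # Step 1.2: priority used in the post for the primary
    set priority 250
    # Step 1.4: heartbeat interfaces; names and the value 50 are assumptions
    set hbdev "dmz" 50 "wan2" 50
end

# --- Secondary unit (steps 2.3 and 2.4) ---
config system ha
    set group-name "HAGroup1"
    set password <ha-group-password>
    set mode a-p
    # Placeholder: the post does not give the secondary's priority;
    # it must be lower than the primary's 250.
    set priority <lower-than-250>
    set hbdev "dmz" 50 "wan2" 50
end

# --- Step 3: verify from either unit ---
# Shows the HA mode, group name and both cluster members.
get system ha status
```

Keep the heartbeat links on dedicated cables, as in the topology above, since configuration synchronisation travels over them.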
Notes: For HA to run well on both devices, make sure the following requirements are met:
- Same hardware
- Same FortiOS version
- License for some special features
- LAN Switch mode (Switch / Interface)
Manual Failover Test Command:
diagnose sys ha reset-uptime
Upgrade Procedures:
Reference: