
FortiGate-4000 Installation and Configuration Guide Version 2.50

High availability

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must run the same FortiOS firmware image.

FortiGate HA is device redundant. If one of the FortiGate units in an HA cluster fails,
all functions, all established firewall connections, and all IPSec VPN sessions¹ are
maintained by the other FortiGate units in the HA cluster.

You manage the cluster by connecting to the cluster web-based manager from any
cluster interface configured for HTTPS administrative access. You can also manage
the cluster by connecting to the cluster CLI from any cluster interface configured for
SSH administrative access. All configuration changes made to the cluster are
automatically synchronized to all cluster members.

From the web-based manager you can monitor the status and log messages of the
cluster and of each of the FortiGate units in the cluster. You can also monitor the
cluster by using an SNMP manager to get SNMP information from or receive traps for
any cluster interface configured for SNMP administrative access.

The FortiGate units in the cluster use dedicated HA ethernet interfaces to
communicate cluster session information, synchronize the cluster configuration, and
report individual system status. The units in the cluster constantly communicate HA
status information to make sure that the cluster is operating properly. For this reason,
the connection between the HA interface of all the FortiGate units in the cluster must
be well maintained. An interruption of this communication can have unpredictable
results.
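Because the guide warns that an interruption of HA heartbeat traffic can have unpredictable results, a practitioner will want to detect such interruptions before they turn into a split or failed cluster. The following is an added example, not code from the FortiGate manual or from Fortinet: it scans a constructed heartbeat log (the `ha-hb member=...` line format is an assumption made for illustration, not a real FortiOS log format) and reports any member whose consecutive heartbeats are farther apart than a tolerance, as well as any expected member that has gone silent.

```python
"""Detect gaps in HA heartbeat traffic from log lines.

Added example for illustration; the log format is constructed, not FortiOS's.
Adapt parse_line() to whatever the real syslog or capture source emits.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Constructed format: "<timestamp> ha-hb member=<unit-name>", one line per
# heartbeat received on the dedicated HA interface.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ha-hb member=(?P<member>\S+)$"
)

# Constructed sample: unit-2 stops being heard between 10:00:01 and 10:00:05.
SAMPLE_LOG = """\
2004-03-01 10:00:00 ha-hb member=unit-1
2004-03-01 10:00:00 ha-hb member=unit-2
2004-03-01 10:00:01 ha-hb member=unit-1
2004-03-01 10:00:01 ha-hb member=unit-2
2004-03-01 10:00:02 ha-hb member=unit-1
2004-03-01 10:00:03 ha-hb member=unit-1
2004-03-01 10:00:04 ha-hb member=unit-1
2004-03-01 10:00:05 ha-hb member=unit-1
2004-03-01 10:00:05 ha-hb member=unit-2
"""


def parse_line(line):
    """Return (timestamp, member) for a heartbeat line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("member")


def find_heartbeat_gaps(log_text, max_gap_seconds=2.0):
    """Return [(member, last_seen, next_seen, gap_seconds)] for every interval
    between two consecutive heartbeats of one member that exceeds max_gap_seconds."""
    max_gap = timedelta(seconds=max_gap_seconds)
    last_seen = {}
    gaps = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line, ignore
        ts, member = parsed
        prev = last_seen.get(member)
        if prev is not None and ts - prev > max_gap:
            gaps.append((member, prev, ts, (ts - prev).total_seconds()))
        last_seen[member] = ts
    return gaps


def silent_members(log_text, expected_members, now_str, timeout_seconds=2.0):
    """Members not heard from within timeout_seconds before `now_str`, plus any
    expected member that never appeared at all (e.g. the HA link never came up)."""
    now = datetime.strptime(now_str, TS_FMT)
    timeout = timedelta(seconds=timeout_seconds)
    last_seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            ts, member = parsed
            last_seen[member] = ts
    return sorted(
        m for m in expected_members
        if m not in last_seen or now - last_seen[m] > timeout
    )


if __name__ == "__main__":
    for member, prev, ts, secs in find_heartbeat_gaps(SAMPLE_LOG):
        print(f"{member}: no heartbeat for {secs:.0f}s between {prev} and {ts}")
    print("silent now:", silent_members(SAMPLE_LOG, {"unit-1", "unit-2", "unit-3"},
                                        "2004-03-01 10:00:06"))
```

Both checks are deliberately per-member: a cluster of 32 units can lose one heartbeat path while the others stay healthy, so alerting on the cluster as a whole would hide exactly the single-link failure the guide warns about.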

FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.

1. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.

Note: The HA interfaces of the FortiGate units in a cluster are assigned IP addresses during
cluster negotiation. These IP addresses cannot be viewed using the web-based manager or the
CLI. Attempting to change the IP address of an HA interface using the web-based manager or
the CLI has no effect on the IP address assigned during cluster negotiation. HA interfaces only
accept connections used for HA communication between units in the cluster. You cannot
connect to the HA interfaces to manage the cluster or to manage individual FortiGate units in
the cluster.
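The membership rules above (same model, same firmware image, at most 32 units, A-P or A-A mode, NAT/Route or Transparent operating mode, a dedicated HA interface, and management only through a non-HA interface with HTTPS or SSH access) are easy to get wrong in a cluster of many units. The following added example, which is not code from the manual or from Fortinet, checks a cluster definition against those rules before deployment. The data model (`Unit`, `Interface`), the field names and the sample serial and firmware strings are constructed assumptions for illustration.

```python
"""Pre-deployment consistency check for an HA cluster definition.

Added example; the data model and sample values are constructed, not FortiOS's.
"""
from dataclasses import dataclass, field

MAX_CLUSTER_SIZE = 32                              # stated limit in the guide
HA_MODES = {"active-passive", "active-active"}
OPERATING_MODES = {"nat-route", "transparent"}
MGMT_PROTOCOLS = {"https", "ssh"}                  # protocols the cluster is managed over


@dataclass
class Interface:
    name: str
    ha: bool = False                               # dedicated HA heartbeat interface?
    admin_access: set = field(default_factory=set)  # e.g. {"https", "ssh", "snmp"}


@dataclass
class Unit:
    serial: str                                    # constructed placeholder, not a real serial
    model: str
    firmware: str
    interfaces: list


def validate_cluster(units, ha_mode, operating_mode):
    """Return a list of human-readable problems; an empty list means the
    definition satisfies every rule this checker knows about."""
    problems = []
    if not units:
        return ["cluster has no members"]
    if len(units) > MAX_CLUSTER_SIZE:
        problems.append(f"{len(units)} units exceeds the maximum of {MAX_CLUSTER_SIZE}")
    if ha_mode not in HA_MODES:
        problems.append(f"unknown HA mode {ha_mode!r}")
    if operating_mode not in OPERATING_MODES:
        problems.append(f"unknown operating mode {operating_mode!r}")

    # Every member must be the same model and run the same firmware image.
    models = {u.model for u in units}
    if len(models) > 1:
        problems.append(f"mixed models in cluster: {sorted(models)}")
    firmwares = {u.firmware for u in units}
    if len(firmwares) > 1:
        problems.append(f"mixed firmware images in cluster: {sorted(firmwares)}")

    for u in units:
        ha_ifaces = [i for i in u.interfaces if i.ha]
        if not ha_ifaces:
            problems.append(f"{u.serial}: no dedicated HA interface")
        for i in ha_ifaces:
            # HA interfaces only accept cluster traffic; admin access there is a
            # misconfiguration that will never work.
            if i.admin_access:
                problems.append(f"{u.serial}/{i.name}: admin access "
                                f"{sorted(i.admin_access)} configured on an HA interface")
        if not any(i.admin_access & MGMT_PROTOCOLS for i in u.interfaces if not i.ha):
            problems.append(f"{u.serial}: no non-HA interface with HTTPS or SSH access")
    return problems


def sample_cluster():
    """Constructed two-member cluster that satisfies every rule."""
    mgmt = Interface("port1", admin_access={"https", "ssh"})
    hb = Interface("ha", ha=True)
    return [
        Unit("UNIT-0001", "FortiGate-4000", "example-2.50", [mgmt, hb]),
        Unit("UNIT-0002", "FortiGate-4000", "example-2.50", [mgmt, hb]),
    ]


def broken_cluster():
    """Constructed cluster with a firmware mismatch and admin access on an HA port."""
    units = sample_cluster()
    units[1].firmware = "example-2.36"
    units[1].interfaces = [Interface("port1", admin_access={"https"}),
                           Interface("ha", ha=True, admin_access={"ssh"})]
    return units


if __name__ == "__main__":
    for name, cluster in (("good", sample_cluster()), ("broken", broken_cluster())):
        print(name, validate_cluster(cluster, "active-passive", "nat-route") or "OK")
```

Run this against the intended inventory before the units are cabled: a model or firmware mismatch found here costs a firmware upgrade, while the same mismatch found during cluster negotiation costs an outage.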