FortiGate
vjoshi_FTNT
Staff
Article Id 193933

Description

 

This article describes how FortiGate HA works with dynamically addressed interfaces (DHCP, PPPoE).

 

Scope

 

FortiGate.

 

Solution

 

FortiGate HA compatibility with DHCP and PPPoE:

 

DHCP and PPPoE support for Active-Passive mode.

 

FortiGate HA with firmware V5.2.0 or later is compatible with DHCP and PPPoE, but care should be taken when configuring a cluster that includes a FortiGate interface configured to get its IP address with DHCP or PPPoE.

 

Fortinet recommends turning on DHCP or PPPoE addressing for an interface after the cluster has been configured.

 

If an interface is configured for DHCP or PPPoE, turning on high availability may result in the interface receiving an incorrect address or not being able to connect to the DHCP or PPPoE server correctly.

 

On V5.0 and earlier versions:

 

If any of the FortiGate interfaces have DHCP or PPPoE enabled, HA cannot be enabled or vice versa.

 

Case 1) DHCP is already enabled on the interface and HA is then enabled:

 

From the GUI, when the mode is changed from Standalone to a-p or a-a and 'Apply' is selected, the HA mode switches back to standalone without any error.

 

From the CLI, the only mode available under HA is 'standalone', which means that HA is not supported.

 

FGT1KD-2 (ha) # set mode

standalone    Standalone mode.

 

The system may run in HA A-A or HA A-P mode only when all interfaces are NOT using DHCP/PPPoE as an addressing mode.

 

Case 2) If HA is already enabled in a-p or a-a mode and the mode of the interface is then changed from manual to DHCP or PPPoE, the error 'Cannot set mode to DHCP or PPPoE when HA is on' will appear.

 

On FortiOS 5.6 and above:

 

In HA A-P mode, when the interface mode is changed from Manual to PPPoE/DHCP, the interface mode switches without any error.

 

In HA A-A mode, configuring an interface with mode 'PPPoE' or 'DHCP' is not supported; attempting to change the mode from Manual to PPPoE/DHCP results in the error 'Cannot set mode to 'PPPoE' while HA is in Active-Active mode'.

 

Error In CLI:

 

# set mode pppoe
Cannot set mode to 'PPPoE' when HA is in Active-Active mode
node_check_object fail! for mode pppoe

value parse error before 'pppoe'
Command fail. Return code -217

 

Error In GUI:

 

[Screenshot: akileshc_0-1668766502621.png]

 

If a standalone device has a PPPoE or DHCP enabled interface and its HA mode needs to be changed, the option to configure HA A-A mode will be unavailable, and only HA A-P mode will be allowed.

 

In CLI:

 

(ha) # set mode
standalone Standalone mode.
a-p Active-passive mode.

 

In GUI:

 

[Screenshot: akileshc_1-1668767210123.png]
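
The FortiOS 5.6 and above rules described in this article can be checked against a configuration file before an HA mode change is attempted. The following is an added example, not Fortinet code: the function names parse_config and audit and the sample configuration are constructed for illustration, and it assumes that an interface with no 'set mode' line uses static addressing.

```python
DYNAMIC_MODES = {"dhcp", "pppoe"}

def parse_config(text):
    """Return (ha_mode, {interface: addressing mode}) from FortiOS-style config text."""
    stack, current, ha_mode, ifaces = [], None, "standalone", {}
    for raw in text.splitlines():
        tok = raw.split() or [""]
        in_iface = stack == ["system interface"]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))   # nested blocks are pushed as well
        elif tok[0] == "end" and stack:
            stack.pop()
        elif in_iface and tok[0] == "edit" and len(tok) > 1:
            current = tok[1].strip('"')
            ifaces[current] = "static"        # assumption: omitted mode means static
        elif tok[:2] == ["set", "mode"] and len(tok) > 2:
            if stack == ["system ha"]:
                ha_mode = tok[2]
            elif in_iface and current:
                ifaces[current] = tok[2]
    return ha_mode, ifaces

def audit(text):
    """Apply the FortiOS 5.6+ rules from this article to a configuration."""
    ha_mode, ifaces = parse_config(text)
    dynamic = sorted(n for n, m in ifaces.items() if m in DYNAMIC_MODES)
    allowed = ["standalone", "a-p"] + ([] if dynamic else ["a-a"])
    conflicts = dynamic if ha_mode == "a-a" else []   # A-A rejects DHCP/PPPoE
    return {"ha_mode": ha_mode, "dynamic": dynamic, "allowed": allowed, "conflicts": conflicts}

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
config system ha
    set mode standalone
end
config system interface
    edit "wan1"
        set mode pppoe
    next
    edit "port1"
        config ipv6
            set ip6-mode dhcp
        end
    next
    edit "port2"
        set mode dhcp
    next
end
"""
```

For the sample, audit(SAMPLE) reports wan1 and port2 as dynamically addressed, so only standalone and a-p are listed as allowed HA modes, matching the CLI output shown above.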