Andy_G
Article Id 191316

This article has been updated for FortiOS 3.0MR4 and to add information about the FortiGate-5005FA2 module.

This article describes how the FortiSwitch-5003 module supports HA clustering for FortiGate-5000 series modules installed in a single chassis and how FortiSwitch-5003 modules can also be used for HA clustering for FortiGate-5000 series modules installed in two FortiGate-5140 chassis.

The FortiSwitch-5003 module provides base backplane HA heartbeat communication between FortiGate-5000 series modules installed in a FortiGate-5140 chassis. If you have two FortiGate-5140 chassis that each contain the same FortiGate-5000 series modules and that also each contain one or two FortiSwitch-5003 modules, you can make ethernet connections between the two FortiGate-5140 chassis using the FortiSwitch-5003 modules. These ethernet connections carry base backplane data and HA heartbeat communication between the two FortiGate-5140 chassis.

Note: You can also use the FortiSwitch-5003 module for data and HA heartbeat communication between multiple FortiGate-5140 chassis and between FortiGate-5140 and FortiGate-5050 chassis.

[Figure: FortiSwitch-5003 front panel]

If you apply the same HA configuration to the FortiGate-5000 series modules in both chassis, these FortiGate-5000 series modules form a single HA cluster. The cluster is formed because an HA heartbeat link is established between the FortiGate-5000 series modules in both chassis.

Note: The FortiSwitch-5003 module supports HA clustering for all FortiGate-5000 series modules. Most of the examples described in this article use FortiGate-5001FA2 modules.

FortiGate-5140 base backplane interfaces

The FortiGate-5140 chassis has two 1-Gigabit base backplane ethernet interfaces. You can use these base backplane interfaces just like any FortiGate interface for data communication between FortiGate-5000 units. You can also use the base backplane interfaces for HA heartbeat packets. To connect to the base backplane interfaces you must install FortiGate-5000 series modules in chassis slots 3 to 14. FortiGate-5001SX and FortiGate-5001FA2 modules connect to the base backplane interfaces using port9 and port10. FortiGate-5005FA2 modules connect to the base backplane interfaces using base1 and base2.

A FortiSwitch-5003 module installed in FortiGate-5140 chassis slot 1 supplies base backplane switching for the first base backplane interface (port9 for the FortiGate-5001SX and FortiGate-5001FA2 modules and base1 for the FortiGate-5005FA2 module). A FortiSwitch-5003 module installed in slot 2 provides switching for the second base backplane interface (port10 for the FortiGate-5001SX and FortiGate-5001FA2 modules and base2 for the FortiGate-5005FA2 module).

You can install FortiGate-5000 series modules in slots 1 and 2. However, in these slots the FortiGate-5000 series modules cannot connect to the base backplane interfaces. FortiSwitch-5003 modules can only be installed in slots 1 or 2 to provide base backplane interface switching.

HA cluster with 1 FortiSwitch-5003 module

Installing a single FortiSwitch-5003 module in a FortiGate-5140 chassis provides a single base backplane HA heartbeat link for up to 12 FortiGate-5001SX, FortiGate-5001FA2, or FortiGate-5005FA2 modules installed in chassis slots 3 to 14. Usually you would install a single FortiSwitch-5003 module in slot 2 of the FortiGate-5140 chassis, although you could also install the FortiSwitch module in slot 1.

Port9 and port10 are the default FortiGate-5001SX and FortiGate-5001FA2 HA heartbeat interfaces. With one FortiSwitch-5003 module installed in slot 2, an HA cluster of FortiGate-5001SX or FortiGate-5001FA2 modules uses port10 for HA heartbeat communication, so no change to the default HA heartbeat configuration is required. You can set one or more of port2 to port8 as additional HA heartbeat interfaces so that HA heartbeat communication fails over to one of them if base backplane communication fails or is interrupted.

[Figure: FortiGate-5001SX default HA heartbeat interface configuration]

The FortiGate-5005FA2 modules use fabric1 and fabric2 as default HA heartbeat interfaces. Fabric1 and fabric2 connect to the FortiGate-5050 fabric backplane. If you are using one or more FortiSwitch-5003 modules for HA between FortiGate-5005FA2 modules, you must configure the FortiGate-5005FA2 modules to use base1 or base2 for HA heartbeat communication. It is recommended that you select both base1 and base2 for HA heartbeat communication and set the HA heartbeat priority of both of these interfaces to 50.

[Figure: FortiGate-5005FA2 using base1 and base2 HA heartbeat interfaces]

[Figure: One FortiSwitch-5003 module installed in slot 2 provides HA heartbeat communication on base backplane port10 for FortiGate-5001FA2 modules]

A single FortiSwitch-5003 module for HA heartbeat communication introduces a single point of failure. If this FortiSwitch-5003 module fails or is removed, HA heartbeat communication will be interrupted. For enhanced reliability you can add a second FortiSwitch-5003 module to slot 1. You can also improve reliability by connecting and configuring one or more other FortiGate-5000 module interfaces as HA heartbeat interfaces.

Why install a single FortiSwitch-5003 module in slot 2?

If you are configuring a cluster of FortiGate-5001SX or FortiGate-5001FA2 modules, it is recommended that you install a single FortiSwitch-5003 module in slot 2 so that you can select one or more of the other FortiGate-5001SX or FortiGate-5001FA2 interfaces to be backup HA heartbeat interfaces. If two or more interfaces are configured as HA heartbeat interfaces and they have the same heartbeat interface priority, HA selects the connected HA heartbeat interface with the lowest index for HA heartbeat communication. Slot 2 connects to port10, which has the second-lowest index: port1 is the lowest, port10 comes next, then port2 through port8, and port9 is the highest. So if the FortiSwitch-5003 module is in slot 2 you can select from port2 to port8 as backup HA heartbeat interfaces. All HA heartbeat communication will use port10 and will fail over to the connected backup interface with the next-lowest index if port10 becomes disconnected.

If you install a single FortiSwitch-5003 module in slot 1, the cluster uses port9 for HA heartbeat communication. If you select any other HA heartbeat interfaces, one of these other interfaces, if it is connected, will always be used for HA heartbeat communication instead of port9. This is because port9 has the highest interface index so is the last interface selected to be the HA heartbeat interface. So installing a single FortiSwitch-5003 module in slot 1 limits your options for selecting other interfaces for HA heartbeat communication.

Note: The FortiGate web-based manager and CLI always lists interfaces in index order.

If you have configured FortiGate-5005FA2 modules to use base1 and base2 as HA heartbeat interfaces, you can install a single FortiSwitch-5003 module in slot 1 or slot 2. The base1 and base2 interfaces appear together at the top of the interface list, so they have the lowest indexes and the cluster always prefers a connected base1 or base2 over any other HA heartbeat interface. This is the opposite of the port9 situation on FortiGate-5001SX and FortiGate-5001FA2 modules, where port9 has the highest index and is selected last.

HA cluster with 2 FortiSwitch-5003 modules

Installing a second FortiSwitch-5003 module in slot 1 provides redundant HA heartbeat communication for FortiGate-5001SX and FortiGate-5001FA2 modules installed in slots 3 to 14. If port9 and port10 have the same heartbeat interface priority, port10 is used for HA heartbeat communication as long as it is connected. If port10 fails or becomes disconnected, HA heartbeat communication switches to port9.

Installing a second FortiSwitch-5003 module in slot 1 also provides redundant HA heartbeat communication for FortiGate-5005FA2 modules installed in slots 3 to 14. If base1 and base2 have the same heartbeat interface priority, base1 is used for HA heartbeat communication as long as it is connected. If base1 fails or becomes disconnected, HA heartbeat communication switches to base2.

[Figure: FortiSwitch-5003 modules installed in slots 1 and 2 provide HA heartbeat communication on port9 and port10]

HA between two FortiGate-5140 chassis

The Ethernet interfaces on the front panel of the FortiSwitch-5003 labelled ZRE0, ZRE1, and ZRE2 provide three connections to the chassis base backplane interface that the FortiSwitch-5003 is connected to. You can set up ethernet communications between the backplanes of two FortiGate-5140 chassis by connecting an ethernet cable from any ZRE interface on a FortiSwitch-5003 module in one chassis to a ZRE interface on a FortiSwitch-5003 module in the other chassis. You can use a regular or crossover ethernet cable for this connection. Using this inter-chassis connection, you can set up a cluster of FortiGate-5000 series modules even if the modules are installed in more than one FortiGate-5140 chassis.

For the purposes of inter-chassis connections it makes no difference whether you use the ZRE0, ZRE1, or ZRE2 interface. You can connect an ethernet cable from any of these interfaces on one FortiSwitch-5003 module to any of these interfaces on another FortiSwitch-5003 module installed in the other chassis. You can also use the ZRE interfaces to connect more than two FortiGate-5140 chassis together.

For the inter-chassis communication to work, the FortiGate-5000 series modules must be installed in slots 3 to 14. As well, the inter-chassis connections must be between FortiSwitch-5003 units installed in the same slot in each chassis.

To connect two chassis together, if each chassis has one FortiSwitch-5003 module, the module should be installed in slot 2 of both chassis. If each chassis has two FortiSwitch-5003 modules, the modules in slot 2 must be connected together and the modules in slot 1 must also be connected together.

Note: Installing the FortiSwitch-5003 modules in different slots would result in a mixture of HA heartbeat communications on port9 and port10 (or base1 and base2). FortiGate HA does not support HA heartbeat communication between different interfaces in this way. The result would be the formation of multiple clusters, some using port9 (or base1) for HA heartbeat communication and some using port10 (or base2).

Example FortiGate HA cluster between two FortiGate-5140 chassis

The following example shows how to create a cluster of six FortiGate-5001FA2 modules installed in two FortiGate-5140 chassis. Both of these chassis have two FortiSwitch-5003 modules installed in slots 1 and 2. An ethernet cable connects the ZRE0 interfaces of the FortiSwitch-5003 modules in slot 1. Another ethernet cable connects together the ZRE1 interfaces of the FortiSwitch-5003 modules in slot 2.

Note: The ZRE interfaces do not have to be connected as described in this example. The connections could be between ZRE0 of the FortiSwitch-5003 module in one chassis and the ZRE1 interface on the other. The connections between the FortiSwitch-5003 modules in slot 1 can be the same as or different from the connections between the FortiSwitch-5003 modules in slot 2.

Both FortiGate-5140 chassis include three FortiGate-5001FA2 modules. The first FortiGate-5140 chassis has FortiGate-5001FA2 modules installed in slots 6, 8, and 10. The second FortiGate-5140 chassis has FortiGate-5001FA2 modules installed in slots 7, 9, and 11.

Other than configuring HA, no special configuration of the FortiGate-5001FA2 modules is required to form this cluster. Once the FortiSwitch-5003 modules are connected you can connect the FortiGate-5001FA2 modules together and to your network just as you would any cluster of six FortiGate units. The figure below shows an example network configuration with port1 of each FortiGate-5001FA2 module connected to a switch connected to an internal network. Port2 of each FortiGate-5001FA2 module is connected to a switch connected to the Internet.

[Figure: HA cluster consisting of six FortiGate-5001FA2 modules installed in two FortiGate-5140 chassis connected by two FortiSwitch-5003 modules]

Configure HA on each FortiGate-5001FA2 module according to your requirements. If you accept the default HA heartbeat configuration, the FortiGate-5001FA2 units will successfully form a cluster because the FortiGate-5001FA2 modules use port10 for HA heartbeat communication with port9 as a backup.
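The following Python model is an added illustration, not Fortinet code and not how FortiOS is implemented. It encodes the heartbeat interface selection rule from the "Why install a single FortiSwitch-5003 module in slot 2?" section, the note that mixing port9 and port10 (or base1 and base2) heartbeat interfaces across chassis produces separate clusters, and the six-module, two-chassis layout of this example, so you can see which modules end up clustered together for a given placement of FortiSwitch-5003 modules and ZRE cables. Two things are assumptions rather than statements from this article: a higher hbdev priority wins before the lowest-index tie-break, and the interface list order is alphabetical (which is what makes port10 second and port9 last). The unit names, chassis labels and the default hbdev priorities of 50 are constructed for the example.

```python
"""Model of FortiOS HA heartbeat interface selection and cluster formation for
FortiGate-5000 modules behind FortiSwitch-5003 base backplane switches.
Added illustration only; this is not FortiOS code.

Rules taken from the article:
  * among connected heartbeat interfaces with equal priority, the one with
    the lowest index (first in the interface list) carries the heartbeat;
  * a FortiSwitch-5003 in slot 1 switches port9/base1, in slot 2 port10/base2,
    and only modules in slots 3 to 14 can reach the base backplane;
  * modules cluster only over the same heartbeat interface name, so a mix of
    port9 and port10 (or base1 and base2) across chassis yields separate
    clusters; clusters sharing a backplane differ by group name and password.
Assumed here (not stated on the page): a higher hbdev priority wins before
the index tie-break, and the interface list is alphabetical.
"""
from dataclasses import dataclass

# Index order of the interfaces the article names, as the GUI/CLI list them.
INTERFACE_ORDER = {
    "5001FA2": ["port1", "port10"] + [f"port{i}" for i in range(2, 10)],
    "5005FA2": ["base1", "base2", "fabric1", "fabric2"],
}
# Base backplane interface switched by a FortiSwitch-5003 in slot 1 / slot 2.
BACKPLANE_IFACE = {
    "5001FA2": {1: "port9", 2: "port10"},
    "5005FA2": {1: "base1", 2: "base2"},
}


def select_heartbeat(model, hbdev, connected):
    """hbdev maps interface -> priority (as in: set hbdev "port10" 50 "port9" 50).
    Returns the interface that carries heartbeats, or None if none is connected."""
    order = INTERFACE_ORDER[model]
    live = [i for i in hbdev if i in connected]
    if not live:
        return None
    # Highest priority first (assumed); on a tie the lowest index wins (article).
    return max(live, key=lambda i: (hbdev[i], -order.index(i)))


@dataclass(frozen=True)
class Unit:
    name: str
    model: str
    chassis: str
    slot: int
    hbdev: tuple = (("port10", 50), ("port9", 50))  # default interfaces; 50 assumed
    group_name: str = "FGT-HA"   # constructed value
    password: str = ""           # constructed value


def form_clusters(units, switch_slots, zre_cables):
    """switch_slots: chassis name -> set of slots (1 and/or 2) holding a
    FortiSwitch-5003.  zre_cables: pairs of (chassis, slot) joined by a ZRE
    cable.  Returns the clusters as a sorted list of sorted member-name lists."""
    # Each FortiSwitch-5003 is one backplane segment; ZRE cables merge segments.
    parent = {}

    def find(seg):
        parent.setdefault(seg, seg)
        while parent[seg] != seg:
            seg = parent[seg]
        return seg

    for a, b in zre_cables:
        parent[find(a)] = find(b)

    clusters = {}
    for u in units:
        ifaces = BACKPLANE_IFACE[u.model]
        connected = set()
        if 3 <= u.slot <= 14:  # slots 1 and 2 cannot reach the base backplane
            connected = {ifaces[s] for s in switch_slots[u.chassis]}
        hb = select_heartbeat(u.model, dict(u.hbdev), connected)
        if hb is None:
            key = ("isolated", u.name)  # no heartbeat path: the unit stays alone
        else:
            sw_slot = next(s for s, i in ifaces.items() if i == hb)
            key = (find((u.chassis, sw_slot)), hb, u.group_name, u.password)
        clusters.setdefault(key, []).append(u.name)
    return sorted(sorted(m) for m in clusters.values())


def two_chassis_example(switch_slots, zre_cables):
    """Six FortiGate-5001FA2 modules as in the article's example:
    chassis A slots 6, 8, 10 and chassis B slots 7, 9, 11."""
    units = [Unit(f"{c}-slot{s}", "5001FA2", c, s)
             for c, slots in (("A", (6, 8, 10)), ("B", (7, 9, 11))) for s in slots]
    return form_clusters(units, switch_slots, zre_cables)


if __name__ == "__main__":
    # FortiSwitch-5003 in slots 1 and 2 of both chassis, cabled slot-to-slot.
    print(two_chassis_example({"A": {1, 2}, "B": {1, 2}},
                              [(("A", 1), ("B", 1)), (("A", 2), ("B", 2))]))
    # Mismatched: A switches port10 (slot 2), B switches port9 (slot 1).
    print(two_chassis_example({"A": {2}, "B": {1}}, [(("A", 2), ("B", 1))]))
```

Running the module prints one six-member cluster for the matched layout and two three-member clusters for the mismatched one. The `select_heartbeat` function on its own shows the slot choice argument: with port10, port9 and a backup port3 all connected, port10 carries the heartbeat and port3 takes over when port10 drops; with only port9 and port3 connected, port3 always wins because port9 sits last in the list.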

[Figure: Example FortiGate-5001FA2 HA configuration]

[Figure: Example FortiGate-5001FA2 HA cluster members list (System > Config > HA). The host names of the FortiGate-5001FA2 units have been changed to show the location of each module]

Other configurations

Finally, a few brief notes about other possible configurations:

  • Because you can use the FortiSwitch-5003 to connect more than two chassis it is possible to create a cluster of FortiGate modules installed in more than two chassis.
  • FortiGate HA and FortiGate-5140/FortiSwitch-5003 chassis base backplane communication can support more than one cluster using the same base backplane interface for HA heartbeat communication. To separate the clusters, each one should have a unique Group Name and password.
  • You can use the same base backplane interface for HA heartbeat traffic and for data traffic. However this configuration is not recommended because HA heartbeat traffic can use a considerable amount of bandwidth.
  • Because the base backplane communication architectures of the FortiGate-5050 and 5140 chassis are the same, you can also connect FortiGate-5140 and FortiGate-5050 chassis together and form clusters between chassis in the same way as described in this article.
