Fortinet 100A User Manual

Page 84


01-28007-0068-20041203

Fortinet Inc.

System config

To modify the dead gateway detection settings

Modify dead gateway detection to control how the FortiGate unit confirms connectivity
with a ping server added to an interface configuration. For information about adding a
ping server to an interface, see “To add a ping server to an interface” on page 56.

1. Go to System > Config > Options.

2. For Detection Interval, type a number in seconds to specify how often the FortiGate
unit tests the connection to the ping target.

3. For Fail-over Detection, type a number of times that the connection test fails before
the FortiGate unit assumes that the gateway is no longer functioning.

4. Select Apply.
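
The following model is an added example, not FortiOS code or part of the original manual. It shows how the Detection Interval and Fail-over Detection values together decide when a gateway is declared dead. It assumes that failed tests must be consecutive (a reply resets the count) and that the first test runs one interval after monitoring starts; the function names, the 5-second interval, and the probe sequences are constructed for illustration.

```python
"""Model of ping-based dead gateway detection (added illustration, not FortiOS code)."""
from typing import Iterable, Optional


def seconds_until_declared_dead(
    probe_results: Iterable[bool],
    detection_interval: int,
    failover_detection: int,
) -> Optional[int]:
    """Return the elapsed seconds at which the gateway is declared dead, or None.

    probe_results: one bool per ping test, True = reply received.
    Assumption: failures must be consecutive, so a reply resets the counter.
    Assumption: the first test runs one interval after monitoring starts.
    """
    if detection_interval <= 0 or failover_detection <= 0:
        raise ValueError("interval and fail-over count must be positive")
    consecutive_failures = 0
    for test_number, replied in enumerate(probe_results, start=1):
        consecutive_failures = 0 if replied else consecutive_failures + 1
        if consecutive_failures >= failover_detection:
            return test_number * detection_interval
    return None


def worst_case_detection_seconds(detection_interval: int, failover_detection: int) -> int:
    """Longest outage before failover when the gateway dies just after a good test."""
    return detection_interval * failover_detection


# Constructed probe sequences (True = ping reply received).
TRANSIENT_LOSS = [True, False, False, True, False, True]   # never 3 failures in a row
HARD_FAILURE = [True, True, False, False, False, False]    # gateway down from test 3

if __name__ == "__main__":
    for name, probes in (("transient", TRANSIENT_LOSS), ("hard", HARD_FAILURE)):
        for failover in (1, 3):
            t = seconds_until_declared_dead(probes, 5, failover)
            print(f"{name:9s} interval=5s fail-over={failover}: declared dead at {t}")
```

In this model a Fail-over Detection value of 1 fails over on a single lost ping, while a larger value tolerates transient loss at the cost of a longer outage before a real failure is acted on.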

HA

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.

The FortiGate units in the cluster use cluster ethernet interfaces to communicate
cluster session information, synchronize the cluster configuration, synchronize the
cluster routing table, and report individual cluster member status. The units in the
cluster are constantly communicating HA status information to make sure that the
cluster is operating properly. This communication is called the HA heartbeat.

FortiGate HA supports link failover, device failover, and HA heartbeat failover.

FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.

Note: You should select the language that the management computer operating system uses.

Link failover: If one of the links to a FortiGate unit in an HA cluster fails, all
functions, all established firewall connections, and all IPSec VPN sessions (a) are
maintained by the other FortiGate units in the HA cluster. For information about link
failover, see “Monitor priorities” on page 90.

Device failover: If one of the FortiGate units in an HA cluster fails, all functions, all
established firewall connections, and all IPSec VPN sessions are maintained by the other
FortiGate units in the HA cluster.

HA heartbeat failover: You can configure multiple interfaces to be HA heartbeat devices.
If an interface functioning as an HA heartbeat device fails, the HA heartbeat is
transferred to another interface also configured as an HA heartbeat device.

a. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
