Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

HA modes

HA Active-Passive Mode

When the FortiADC devices are configured as HA Active-Passive mode, the active device (also called master) handles all the traffic under normal circumstances. If the something wrong happens on the active device, the passive device (also called slave) becomes active and handles all the traffic instead.

Above chart is the HA-AP mode deployment. Normally, slave doesn’t handle the traffic, all the traffic is handled by the master whatever for the client side or server side. However, the slave can always sync the data from master, such as incremental configuration changes, layer4 session/persistence table, layer7 persistence, health-check status. Once there is something wrong with the current master, such as the monitored interfaces are down (in this case the monitored interface connected to ISP directly), or the physical device is failing, the slave will become the new master, so that handle all the traffic going through FortiADC.

HA-AP mode is the most stable deployment mode, and if can be deployed on any platforms without problem. In this mode, the FortiADC’s interface is applied with virtual mac address, once the HA peer takes over the master, new master will inherit the virtual mac address on the interfaces. This can reduce the traffic failing time while failover happening. On the other hand, this can provide the benefit if the security device such as firewall in your network need Mac address binding. Please be aware that HA-AP mode on Microsoft Hyper-V platform uses the physical Mac Address due to the platform limitation.

HA Active-Active Mode

In the HA Active-Active mode, both the master and slave is able to handle the traffic normally. There is one thing should be detailed. Although both master and slave can handle the traffic, FortiADC can only sync the layer4 virtual-server session to its peers. So for layer4 traffic, if the traffic returned from real server goes to FortiADC devices which is different from the inbound traffic, this FortiADC can still forward the traffic back to client. For the traffic which will be routed by FortiADC, it has the similar issue. This may cause the performance decrease. So ideally, you should have a routing device between FortiADC and real servers, which has the function can send the return traffic to its original FortiADC devices. For layer 7 virtual-server, usually FortiADC establishes the session to real servers by its own interface IP address, so the traffic can be returned to itself natively, unless you enable the “source-address” on it.

If one of the device monitored link is down or if even the entire device is failing, its HA peer can take over all the traffic.

HA VRRP Mode

HA-VRRP mode on the other hand divides the resources into groups, so that we can create multiple VRRP groups, and then assign the public IP resources into the groups. In this way, we can get the another active-active mode. In this mode, every HA node has its own interface IP, but we can define the floating IP on the interface which belongs to one of the VRRP groups.

In general, the connected devices or servers are pointing the gateway to the floating-ip of the VRRP group. The floating-ip is the IP address which can only work on the VRRP group master. If the failover happens, the floating-ip will work on the new VRRP master. This can assure the floating-ip is always online.

Loot at the chart above, this an example of HA-VRRP mode. Typically, we create 2 VRRP groups, let’s say, one is the VRRP_Group1, the other one is VRRP_Group2. We make FortiADC1 the master of VRRP_Group1, the slave of VRRP-Group2; while the FortiADC2 will be the slave of VRRP_Group1, and master of VRRP_Group2. Then we divide the real servers into these 2 groups. The servers in group1 point the default gateway to VRRP_Group1’s floating-ip, while the servers in group2 point the default gateway to VRRP_Group2’s floating-ip. Then normally, FortiADC1 handles the traffic to VRRP_Group1, FortiADC handles the traffic to VRRP_Group2. If one of the monitored link or device is down, the HA peer can take over the traffic.

Choose HA mode

We support 3 kinds of HA deployment mode. They are HA-AP, HA-AA, HA-VRRP mode. If you are willing to have a very stable system, please use the HA-AP mode. Although only one device is processing the data, the backup device can take over the master work smoothly, it offers the most reliable environment while needs least deployment conditions.

If you are interested in the all active plan, then the HA-VRRP should be your first choice. Once you’ve arranged the servers in group, all the FortiADC devices can handle the traffic, which increase the throughput and other performance a lot. It requires less deployment conditions over HA-AA mode, and can provide the performance increasing.

Only if you can make sure you can make all the ideal preconditions for the HA-AA, then choose the HA-AA mode. This mode requires the most, but providing the easier configuration logic. It can also offer the good performance in the ideal conditions.

HA modes

HA Active-Passive Mode

When the FortiADC devices are configured as HA Active-Passive mode, the active device (also called master) handles all the traffic under normal circumstances. If the something wrong happens on the active device, the passive device (also called slave) becomes active and handles all the traffic instead.

Above chart is the HA-AP mode deployment. Normally, slave doesn’t handle the traffic, all the traffic is handled by the master whatever for the client side or server side. However, the slave can always sync the data from master, such as incremental configuration changes, layer4 session/persistence table, layer7 persistence, health-check status. Once there is something wrong with the current master, such as the monitored interfaces are down (in this case the monitored interface connected to ISP directly), or the physical device is failing, the slave will become the new master, so that handle all the traffic going through FortiADC.

HA-AP mode is the most stable deployment mode, and if can be deployed on any platforms without problem. In this mode, the FortiADC’s interface is applied with virtual mac address, once the HA peer takes over the master, new master will inherit the virtual mac address on the interfaces. This can reduce the traffic failing time while failover happening. On the other hand, this can provide the benefit if the security device such as firewall in your network need Mac address binding. Please be aware that HA-AP mode on Microsoft Hyper-V platform uses the physical Mac Address due to the platform limitation.

HA Active-Active Mode

In the HA Active-Active mode, both the master and slave is able to handle the traffic normally. There is one thing should be detailed. Although both master and slave can handle the traffic, FortiADC can only sync the layer4 virtual-server session to its peers. So for layer4 traffic, if the traffic returned from real server goes to FortiADC devices which is different from the inbound traffic, this FortiADC can still forward the traffic back to client. For the traffic which will be routed by FortiADC, it has the similar issue. This may cause the performance decrease. So ideally, you should have a routing device between FortiADC and real servers, which has the function can send the return traffic to its original FortiADC devices. For layer 7 virtual-server, usually FortiADC establishes the session to real servers by its own interface IP address, so the traffic can be returned to itself natively, unless you enable the “source-address” on it.

If one of the device monitored link is down or if even the entire device is failing, its HA peer can take over all the traffic.

HA VRRP Mode

HA-VRRP mode on the other hand divides the resources into groups, so that we can create multiple VRRP groups, and then assign the public IP resources into the groups. In this way, we can get the another active-active mode. In this mode, every HA node has its own interface IP, but we can define the floating IP on the interface which belongs to one of the VRRP groups.

In general, the connected devices or servers are pointing the gateway to the floating-ip of the VRRP group. The floating-ip is the IP address which can only work on the VRRP group master. If the failover happens, the floating-ip will work on the new VRRP master. This can assure the floating-ip is always online.

Loot at the chart above, this an example of HA-VRRP mode. Typically, we create 2 VRRP groups, let’s say, one is the VRRP_Group1, the other one is VRRP_Group2. We make FortiADC1 the master of VRRP_Group1, the slave of VRRP-Group2; while the FortiADC2 will be the slave of VRRP_Group1, and master of VRRP_Group2. Then we divide the real servers into these 2 groups. The servers in group1 point the default gateway to VRRP_Group1’s floating-ip, while the servers in group2 point the default gateway to VRRP_Group2’s floating-ip. Then normally, FortiADC1 handles the traffic to VRRP_Group1, FortiADC handles the traffic to VRRP_Group2. If one of the monitored link or device is down, the HA peer can take over the traffic.

Choose HA mode

We support 3 kinds of HA deployment mode. They are HA-AP, HA-AA, HA-VRRP mode. If you are willing to have a very stable system, please use the HA-AP mode. Although only one device is processing the data, the backup device can take over the master work smoothly, it offers the most reliable environment while needs least deployment conditions.

If you are interested in the all active plan, then the HA-VRRP should be your first choice. Once you’ve arranged the servers in group, all the FortiADC devices can handle the traffic, which increase the throughput and other performance a lot. It requires less deployment conditions over HA-AA mode, and can provide the performance increasing.

Only if you can make sure you can make all the ideal preconditions for the HA-AA, then choose the HA-AA mode. This mode requires the most, but providing the easier configuration logic. It can also offer the good performance in the ideal conditions.