FortiAnalyzer HA configuration
To configure the HA primary (fazha001):
- In the fazha001 CLI, configure the following:
config system ha
    set mode a-p
    set group-id 99
    set group-name "fazha"
    set password ENC *****
    config peer
        edit 1
            set ip "10.0.10.5"
            set serial-number "FAZVMSTMxxxxxxx4"
        next
    end
    set preferred-role primary
    set priority 120
    config vip
        edit 1
            set vip "10.0.10.10"
            set vip-interface "port1"
        next
    end
end
In the fazha001 CLI, enter get system ha:
load-balance : round-robin
mode : a-p
cfg-sync-hb-interval: 4
group-id : 99
group-name : fazha
hb-interface : (null)
hb-interval : 4
healthcheck :
initial-sync-threads: 4
log-sync : enable
password : *
peer:
== [ 1 ]
id: 1
preferred-role : primary
priority : 120
unicast : enable
vip:
== [ 1 ]
id: 1
In the fazha001 CLI, enter diagnose ha status:
HA-Status: Primary
up-time: 24m54.471s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx3
fazuid: 3433169053
hostname: fazha001
load balance status: 0x0
HA-Secondary fazha@10.0.10.5 FAZVMSTMxxxxxxx4
ip: 10.0.10.5
serial-no: FAZVMSTMxxxxxxx4
fazuid: 4148610926
hostname: fazha002
conn-st: up
up/down-time: 24m52.671s
conn-msg:
cfgsync-st: up, 24m29.860s
data-init-sync-st: done, 24m41.864s
In the fazha001 CLI, capture the VRRP traffic by entering diagnose sniffer packet port1 "ip proto 112" 4:
interfaces=[port1]
filters=[ip proto 112]
0.738575 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
4.738635 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
8.738767 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
12.738834 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
16.738975 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
20.739038 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
^C
6 packets received by filter
0 packets dropped by kernel
The VRRP traffic is sent every 4 seconds as asked with the |
To configure the HA secondary (fazha002):
- In the fazha002 CLI, configure the following:
config system ha
    set mode a-p
    set group-id 99
    set group-name "fazha"
    set password ENC *****
    config peer
        edit 1
            set ip "10.0.10.4"
            set serial-number "FAZVMSTMxxxxxxx3"
        next
    end
    config vip
        edit 1
            set vip "10.0.10.10"
            set vip-interface "port1"
        next
    end
end
In the fazha002 CLI, enter get system ha:
load-balance : round-robin
mode : a-p
cfg-sync-hb-interval: 4
group-id : 99
group-name : fazha
hb-interface : (null)
hb-interval : 4
healthcheck :
initial-sync-threads: 4
log-sync : enable
password : *
peer:
== [ 1 ]
id: 1
preferred-role : secondary
priority : 100
unicast : enable
vip:
== [ 1 ]
id: 1
In the fazha002 CLI, enter diagnose ha status:
HA-Status: Secondary
up-time: 30m17.138s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx4
fazuid: 4148610926
hostname: fazha002
load balance status: 0x8
HA-Primary fazha@10.0.10.4 FAZVMSTMxxxxxxx3
ip: 10.0.10.4
serial-no: FAZVMSTMxxxxxxx3
fazuid: 3433169053
hostname: fazha001
conn-st: up
up/down-time: 30m15.638s
conn-msg:
cfgsync-st: up, 29m55.529s
data-init-sync-st: done, 30m13.335s
In the fazha002 CLI, capture the VRRP traffic by entering diagnose sniffer packet port1 "ip proto 112" 4:
interfaces=[port1]
filters=[ip proto 112]
2.742323 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
6.742478 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
10.742971 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
14.742574 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
18.742743 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
22.742777 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
^C
6 packets received by filter
0 packets dropped by kernel
The VRRP traffic is sent every 4 seconds as asked with the |
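
The following is an added example, not part of the original documentation: a Python check that reads sniffer output in the format shown above and reports heartbeat gaps that deviate from hb-interval, as well as any protocol 112 packet that is not the primary-to-secondary flow seen in both captures on this page. The function name, the tolerance value and the DEGRADED sample are assumptions made for illustration.

```python
import re

# One sniffer line as printed on this page:
# "0.738575 10.0.10.4 -> 10.0.10.5: ip-proto-112 20"
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+->\s+(\S+):\s+ip-proto-112\b")

def check_heartbeats(capture, primary_ip, peer_ip, hb_interval=4.0, tolerance=0.5):
    """Return a list of findings; an empty list means the capture matches the baseline."""
    findings, last_ts, seen = [], None, 0
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, ^C and packet-counter lines
        ts, src, dst = float(m.group(1)), m.group(2), m.group(3)
        if (src, dst) != (primary_ip, peer_ip):
            # Differs from the baseline on this page, where only the primary sends.
            findings.append(f"unexpected VRRP flow {src} -> {dst} at {ts:.6f}")
            continue
        seen += 1
        if last_ts is not None and abs((ts - last_ts) - hb_interval) > tolerance:
            findings.append(
                f"heartbeat gap {ts - last_ts:.3f}s at {ts:.6f} (expected {hb_interval}s)")
        last_ts = ts
    if seen == 0:
        findings.append("no heartbeat from the primary in this capture")
    return findings

# First lines of the fazha001 capture shown on this page.
HEALTHY = """interfaces=[port1]
filters=[ip proto 112]
0.738575 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
4.738635 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
8.738767 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
"""

# Constructed sample: one heartbeat missed, and the secondary also sending.
DEGRADED = """0.738575 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
8.738767 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
9.100000 10.0.10.5 -> 10.0.10.4: ip-proto-112 20
12.738834 10.0.10.4 -> 10.0.10.5: ip-proto-112 20
"""

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, check_heartbeats(cap, "10.0.10.4", "10.0.10.5"))
```

Pass the hb-interval value reported by get system ha as hb_interval if it differs from 4.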