Geo-redundant High Availability (HA)
This information is also available in the FortiAnalyzer 7.4 Administration Guide.
An active-active mode is now available on FortiAnalyzer HA to help create a geo-redundant solution.
In FortiAnalyzer HA active-passive mode, a layer 2 connection is required between HA members in order to set up the HA cluster virtual IP. In active-active mode, however, a layer 2 connection is not required between data centers at different locations.
Below is a brief comparison between FortiAnalyzer HA in active-passive and active-active mode.
| active-passive | active-active |
|---|---|
| Only the HA primary can receive logs and archive files from its directly connected devices and forward them to the HA secondary. | All HA members can receive logs and archive files from their directly connected devices and forward them to their HA peer. |
| Only the HA primary can forward data to the remote server. | All HA members can forward the logs and archive files they receive directly to the remote server. |
In the examples below, the goal is to build an active-active geo-redundant layer 3 FortiAnalyzer HA cluster between two data centers. The FortiAnalyzer HA members are located in different places. They are communicating with each other via routers. There is no layer 2 connection.
Unicast must be enabled for the HA heartbeat in order for the cluster to operate in this mode. This setting can only be configured from the CLI. For more information on enabling the unicast heartbeat setting, see the FortiAnalyzer CLI Reference. When unicast is enabled, VRRP packets are sent to the peer address instead of the multicast address. VRRP (IP protocol 112) must be allowed through any connecting firewalls.
To build a geo-redundant FortiAnalyzer HA via the GUI:

1. In the first FortiAnalyzer, configure the primary in System Settings > HA.
   - For Operation Mode, select Active-Active.
   - For Preferred Role, select Primary.
   - Complete the other fields, including Peer IP and Peer SN.
   - Cluster Virtual IP (VIP) is optional. It requires a layer 2 connection between HA members. If no VIP is configured, select the interface used to communicate with the peer as the Heart Beat Interface. You can click the X icon next to the VIP entry to remove it.
2. In the second FortiAnalyzer, configure the secondary in System Settings > HA.
   - For Operation Mode, select Active-Active.
   - For Preferred Role, select Secondary.
   - Complete the other fields, including Peer IP and Peer SN.
   - Cluster VIP is optional. It requires a layer 2 connection between HA members. If no VIP is configured, select the interface used to communicate with the peer as the Heart Beat Interface. You can click the X icon next to the VIP entry to remove it.
To build a geo-redundant FortiAnalyzer HA via the CLI:

For more information about the FortiAnalyzer CLI commands, see the FortiAnalyzer 7.4 CLI Reference.

1. Configure the FortiAnalyzer HA.

   When configuring the FortiAnalyzer `system ha`, set `mode` to `a-a`. The `vip` is optional; if there is no layer 2 connection between HA members, `vip` will not work. In this case, set `hb-interface` to the interface which is used to communicate with the peer.

   - Configure the first FortiAnalyzer. In the CLI, enter the following commands:

     ```
     config system ha
     set mode a-a
     set group-id 100
     set group-name "FAZVM64-HA"
     set hb-interface "port1"
     set unicast enable
     set password xxxxxx
     config peer
     edit 1
     set ip "192.168.1.101"
     set serial-number "FAZ-VMTM-----6"
     next
     end
     set preferred-role primary
     set priority 120
     end
     ```

   - Configure the second FortiAnalyzer. In the CLI, enter the following commands:

     ```
     config system ha
     set mode a-a
     set group-id 100
     set group-name "FAZVM64-HA"
     set hb-interface "port1"
     set unicast enable
     set password xxxxxx
     config peer
     edit 1
     set ip "192.168.2.102"
     set serial-number "FAZ-VMTM-----7"
     next
     end
     end
     ```

2. Configure the FortiGate to send logs to the FortiAnalyzer HA.

   - If the alternate FortiAnalyzer can be configured on FortiGate, set `server` to the HA primary and `alt-server` to the HA secondary. In the FortiGate CLI, enter:

     ```
     config log fortianalyzer setting
     set status enable
     set ?
     ...
     *server The main remote FortiAnalyzer.
     alt-server The alternate remote FortiAnalyzer.
     ...
     set server 192.168.2.102
     set alt-server 192.168.1.101
     ...
     end
     ```

   - If the alternate FortiAnalyzer cannot be configured on FortiGate, set `server` to an HA member which is reachable from the FortiGate, or to the VIP address of the FortiAnalyzer HA, if any. In the FortiGate CLI, enter:

     ```
     config log fortianalyzer setting
     set status enable
     ...
     set server 192.168.2.102 (or 10.2.60.93)
     ...
     end
     ```
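As an added example (not Fortinet's code), the following Python parses `config system ha` CLI text like the two FortiAnalyzer configurations above and checks the prerequisites this section states for a layer 3 active-active pair: `mode a-a`, `unicast enable`, an `hb-interface` when no `vip` is set, and group settings that match on both members. The first member's text is the page's own; the second is constructed from it by pointing the peer entry back and dropping the preferred role.

```python
def parse_ha(text):
    """Parse 'config system ha' CLI text into a dict; 'config peer' entries go under 'peers'."""
    cfg, peers, cur = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):           # start of a peer entry
            cur = {}
        elif line == "next":                   # end of that peer entry
            peers.append(cur)
            cur = None
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            (cfg if cur is None else cur)[key] = val.strip('"')
    cfg["peers"] = peers
    return cfg

def check_pair(a, b):
    """Return the problems found in an HA member pair (an empty list means it looks consistent)."""
    problems = []
    for name, c in (("first", a), ("second", b)):
        if c.get("mode") != "a-a":
            problems.append(f"{name}: mode must be a-a for active-active HA")
        if c.get("unicast") != "enable":
            problems.append(f"{name}: unicast must be enabled for a layer 3 heartbeat")
        if "vip" not in c and "hb-interface" not in c:
            problems.append(f"{name}: hb-interface is required when no vip is configured")
    for key in ("mode", "group-id", "group-name", "password"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between the members")
    return problems

# Constructed sample input: the first member's configuration from this page.
FIRST = """config system ha
set mode a-a
set group-id 100
set group-name "FAZVM64-HA"
set hb-interface "port1"
set unicast enable
set password xxxxxx
config peer
edit 1
set ip "192.168.1.101"
set serial-number "FAZ-VMTM-----6"
next
end
set preferred-role primary
end"""
# Constructed second member: same group settings, peer entry pointing back, no preferred role.
SECOND = (FIRST.replace("192.168.1.101", "192.168.2.102")
          .replace("-----6", "-----7").replace("set preferred-role primary\n", ""))
```

Running `check_pair(parse_ha(FIRST), parse_ha(SECOND))` on these two returns an empty list; disabling `unicast` or omitting `hb-interface` on either side is reported.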