Administration Guide

Geo-redundant HA

FortiAnalyzer HA in active-active mode can be used to build a geo-redundant cluster whose members sit in different data centers.

In FortiAnalyzer HA active-passive mode, a layer 2 connection is required between the HA members so that the cluster virtual IP can be set up. In active-active mode, no layer 2 connection is needed, so the members can be placed in data centers at different locations and reach each other over routed (layer 3) links.

Below is a brief comparison between FortiAnalyzer HA in active-passive and active-active mode.

Active-passive:

    • Only the HA primary can receive logs and archive files from its directly connected devices and forward them to the HA secondary.

    • Only the HA primary can forward data to the remote server.

Active-active:

    • All HA members can receive logs and archive files from their directly connected devices and forward them to their HA peer.

    • All HA members can forward the logs and archive files they received directly to the remote server.

In the examples below, the goal is to build an active-active geo-redundant layer 3 FortiAnalyzer HA cluster between two data centers. The FortiAnalyzer HA members are located in different places. They are communicating with each other via routers. There is no layer 2 connection.

Note

Unicast must be enabled for the HA heartbeat in order for the cluster to operate in this mode. This setting can only be configured from the CLI. For more information on enabling the unicast heartbeat setting, see the FortiAnalyzer CLI Reference.

When unicast is enabled, the VRRP heartbeat packets are sent to the configured peer address instead of the VRRP multicast address, so they can be routed between sites. VRRP (IP protocol 112) must be allowed, in both directions, through any firewall on the path between the heartbeat interfaces.

To build a geo-redundant FortiAnalyzer HA via the GUI:
  1. In the first FortiAnalyzer, configure the primary in System Settings > HA.

    • For Operation Mode, select Active-Active.

    • For Preferred Role, select Primary.

    • Complete the other fields, including Peer IP and Peer SN.

    • Cluster Virtual IP (VIP) is optional. It requires a layer 2 connection between the HA members, so it does not apply to a routed deployment. If a VIP is not configured, select the interface used to communicate with the peer as the Heart Beat Interface. You can click the X icon next to the VIP entry to remove it.

  2. In the second FortiAnalyzer, configure the secondary in System Settings > HA.

    • For Operation Mode, select Active-Active.

    • For Preferred Role, select Secondary.

    • Complete the other fields, including Peer IP and Peer SN.

    • Cluster VIP is optional. It requires a layer 2 connection between the HA members, so it does not apply to a routed deployment. If a VIP is not configured, select the interface used to communicate with the peer as the Heart Beat Interface. You can click the X icon next to the VIP entry to remove it.

To build a geo-redundant FortiAnalyzer HA via the CLI:

For more information about the FortiAnalyzer CLI commands, see the FortiAnalyzer 7.4 CLI Reference.

  1. Configure the FortiAnalyzer HA.

    When configuring the FortiAnalyzer system ha settings, set mode to a-a. The vip is optional; if there is no layer 2 connection between the HA members, a vip will not work. In that case, set hb-interface to the interface used to communicate with the peer.

    1. Configure the first FortiAnalyzer. In the CLI, enter the following commands:

      config system ha
          set mode a-a
          set group-id 100
          set group-name "FAZVM64-HA"
          set hb-interface "port1"
          set unicast enable
          set password xxxxxx
          config peer
              edit 1
                  set ip "192.168.1.101"
                  set serial-number "FAZ-VMTM-----6"
              next
          end
          set preferred-role primary
          set priority 120
      end

    2. Configure the second FortiAnalyzer. In the CLI, enter the following commands:

      config system ha
          set mode a-a
          set group-id 100
          set group-name "FAZVM64-HA"
          set hb-interface "port1"
          set unicast enable
          set password xxxxxx
          config peer
              edit 1
                  set ip "192.168.2.102"
                  set serial-number "FAZ-VMTM-----7"
              next
          end
      end

  2. If the FortiGate firmware supports an alternate FortiAnalyzer (alt-server), set server to the HA primary and alt-server to the HA secondary, so that logging continues when the primary is unreachable. In the FortiGate CLI, enter:

    config log fortianalyzer setting
        set status enable
        set ?
        ...
        *server        The main remote FortiAnalyzer.
        alt-server     The alternate remote FortiAnalyzer.
        ...
        set server 192.168.2.102
        set alt-server 192.168.1.101
        ...
    end

  3. If alt-server is not available on the FortiGate, set server to an HA member that is reachable from the FortiGate, or to the VIP address of the FortiAnalyzer HA cluster if one is configured. In the FortiGate CLI, enter:

    config log fortianalyzer setting
        set status enable
        ...
        set server 192.168.2.102 (or 10.2.60.93)
        ...
    end
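The checks a practitioner would want to run over the two FortiAnalyzer system ha blocks above and over the FortiGate logging settings, as an added example in Python (it is not Fortinet's code and not part of this guide). It parses FortiOS-style CLI text into dictionaries, then verifies what the procedure above requires of a layer 3 pair: mode a-a and a unicast heartbeat on both members, matching group-id, group-name and password, an hb-interface when no vip is set, each member's peer entry naming the other member's address and serial number, exactly one preferred primary, and a FortiGate server (plus alt-server where supported) that points at cluster members or the VIP. It assumes each member's own heartbeat address (that lives in its interface configuration, which the page does not show) and that a member with no preferred-role line acts as secondary; the sample configurations are constructed from the page's values and reuse the page's placeholder serial numbers.

```python
"""Added example (not Fortinet's code): cross-check the two FortiAnalyzer 'config system ha'
blocks and the FortiGate 'config log fortianalyzer setting' block of a layer-3 active-active pair."""
import shlex
from dataclasses import dataclass

def parse_fortios_cli(text: str) -> dict:
    """FortiOS-style CLI -> nested dicts ('config system ha' -> 'system ha', 'edit 1' -> '1')."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif kw == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
    return root

@dataclass
class HaMember:
    name: str
    address: str  # own hb-interface address (assumed; it lives in the interface config, not in system ha)
    serial: str
    cli: str      # this unit's 'config system ha' block

def validate_geo_ha_pair(a: HaMember, b: HaMember) -> list:
    """Findings for a pair with no layer 2 link between members; [] means consistent."""
    ha = {m.name: parse_fortios_cli(m.cli).get("system ha", {}) for m in (a, b)}
    findings = []
    for m in (a, b):
        if ha[m.name].get("mode") != "a-a":
            findings.append(f"{m.name}: mode must be a-a")
        if ha[m.name].get("unicast") != "enable":
            findings.append(f"{m.name}: unicast heartbeat disabled; multicast VRRP will not cross the routers")
        if "vip" not in ha[m.name] and not ha[m.name].get("hb-interface"):
            findings.append(f"{m.name}: without a vip, hb-interface must name the peer-facing interface")
    for key in ("group-id", "group-name", "password"):
        if ha[a.name].get(key) != ha[b.name].get(key):
            findings.append(f"{key} differs between {a.name} and {b.name}")
    for m, other in ((a, b), (b, a)):  # each unit's peer entry must describe the other unit
        peer = next(iter(ha[m.name].get("peer", {}).values()), {})
        if peer.get("ip") != other.address:
            findings.append(f"{m.name}: peer ip {peer.get('ip')} is not {other.name}'s address {other.address}")
        if peer.get("serial-number") != other.serial:
            findings.append(f"{m.name}: peer serial-number does not match {other.name}")
    # Assumption: a member with no 'set preferred-role' line acts as secondary.
    primaries = [m.name for m in (a, b) if ha[m.name].get("preferred-role", "secondary") == "primary"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one preferred-role primary, found {primaries}")
    return findings

def validate_fortigate_logging(fgt_cli: str, members: list, vip: str = "") -> list:
    """server must be a reachable member (or the VIP); alt-server, if supported, a different member."""
    s = parse_fortios_cli(fgt_cli).get("log fortianalyzer setting", {})
    allowed = {m.address for m in members} | ({vip} if vip else set())
    findings = []
    if s.get("status") != "enable":
        findings.append("FortiAnalyzer logging is not enabled")
    if s.get("server") not in allowed:
        findings.append(f"server {s.get('server')} is neither an HA member nor the VIP")
    alt = s.get("alt-server")
    if alt is None and not (vip and s.get("server") == vip):
        findings.append("no alt-server: logging stops if the single server becomes unreachable")
    elif alt is not None and (alt not in allowed or alt == s.get("server")):
        findings.append(f"alt-server {alt} must be a different HA member")
    return findings

def ha_block(peer_ip: str, peer_sn: str, role: str = "") -> str:
    """Constructed sample input built from the page's values; the serials are the page's placeholders."""
    return f'''config system ha
    set mode a-a
    set group-id 100
    set group-name "FAZVM64-HA"
    set hb-interface "port1"
    set unicast enable
    set password xxxxxx
    config peer
        edit 1
            set ip "{peer_ip}"
            set serial-number "{peer_sn}"
        next
    end
    {role}
end'''

# Unit A (192.168.2.102) is the preferred primary and names B as its peer; B (192.168.1.101) names A.
FAZ_A = HaMember("faz-a", "192.168.2.102", "FAZ-VMTM-----7",
                 ha_block("192.168.1.101", "FAZ-VMTM-----6", "set preferred-role primary\n    set priority 120"))
FAZ_B = HaMember("faz-b", "192.168.1.101", "FAZ-VMTM-----6", ha_block("192.168.2.102", "FAZ-VMTM-----7"))
FGT_LOGGING = ("config log fortianalyzer setting\n    set status enable\n"
               "    set server 192.168.2.102\n    set alt-server 192.168.1.101\nend\n")
```

Run validate_geo_ha_pair(FAZ_A, FAZ_B) and validate_fortigate_logging(FGT_LOGGING, [FAZ_A, FAZ_B]) on the page's values and both return an empty list; drop the unicast line from one member, point a peer entry at the wrong address, or configure both members as preferred primary and the corresponding finding is reported. For a FortiGate that cannot set alt-server, pass the cluster VIP as vip so that a server pointing at the VIP is accepted without an alternate.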
