
Handbook

HA feature overview


FortiDDoS-F appliances can be deployed as standalone appliances or as members of a high availability (HA) pair. FortiDDoS supports active-passive cluster pairs. In an HA pair, one node is the primary node, and the other is called the secondary node.

The figure below shows an active-passive deployment. The cluster uses the connection of MGMT2 ports for two types of HA communication:

  • Heartbeats. A cluster node signals to the other node in the cluster that it is up and available. The absence of heartbeat traffic indicates that the node is down and unavailable.
  • Synchronization. During initialization and periodically thereafter, the primary node pushes its configuration (with noted exceptions) to the secondary node.
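The heartbeat mechanism described above, as an added example that is not Fortinet's code and does not come from the handbook: a small Python monitor that tracks when heartbeats were last seen from the peer, declares the peer down after an assumed number of consecutive missed heartbeats, and records every status transition so an operator can see when the cluster lost and regained its secondary. The heartbeat interval, the miss tolerance, the polling step and the heartbeat timestamps are all constructed assumptions; the real FortiDDoS timers are not stated on this page.

```python
"""Heartbeat-based peer availability monitor (constructed example).

Models the HA heartbeat idea only: a peer is considered up while
heartbeats keep arriving over the HA link (MGMT2 in the handbook) and
down once too many consecutive heartbeats are missed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed values for the example; the handbook does not give the real timers.
HEARTBEAT_INTERVAL_S = 1.0          # expected spacing between heartbeats
MISSED_BEFORE_DOWN = 3              # consecutive misses tolerated before "down"
DEAD_AFTER_S = HEARTBEAT_INTERVAL_S * MISSED_BEFORE_DOWN


@dataclass
class PeerState:
    """Availability state of one cluster peer as seen by the local node."""
    name: str
    last_seen: Optional[float] = None
    up: bool = False
    # (timestamp, "UP" | "DOWN") pairs, oldest first
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def observe_heartbeat(self, now: float) -> None:
        """Record a heartbeat; a first heartbeat (or one after a loss) marks the peer UP."""
        self.last_seen = now
        if not self.up:
            self.up = True
            self.transitions.append((now, "UP"))

    def evaluate(self, now: float) -> bool:
        """Mark the peer DOWN once the silence exceeds the tolerated miss window."""
        if self.up and self.last_seen is not None and now - self.last_seen > DEAD_AFTER_S:
            self.up = False
            self.transitions.append((now, "DOWN"))
        return self.up


def run_monitor(heartbeats: List[float], duration: float,
                step: float = 0.5, peer_name: str = "secondary") -> List[Tuple[float, str]]:
    """Replay heartbeat timestamps against a periodic check and return the transitions.

    `heartbeats` are the times (seconds) at which heartbeats from the peer were
    received; `step` is how often the local node re-evaluates peer liveness.
    """
    peer = PeerState(peer_name)
    pending = sorted(heartbeats)
    for i in range(int(duration / step) + 1):
        now = i * step                      # i * 0.5 is exact in binary floating point
        # Deliver every heartbeat that has arrived by this check, then re-evaluate.
        while pending and pending[0] <= now:
            peer.observe_heartbeat(pending.pop(0))
        peer.evaluate(now)
    return peer.transitions


# Constructed heartbeat timeline: steady beats, a 7-second gap (simulated HA
# link or peer outage), then the peer recovers.
CONSTRUCTED_HEARTBEATS = [1.0, 2.0, 3.0, 4.0, 5.0, 12.0, 13.0, 14.0]

if __name__ == "__main__":
    for ts, state in run_monitor(CONSTRUCTED_HEARTBEATS, duration=15.0):
        print(f"t={ts:5.1f}s  peer secondary -> {state}")
```

With the assumed one-second interval and three tolerated misses, the peer goes UP at the first heartbeat, is declared DOWN at t=8.5 s (the first check more than three seconds after the last beat at 5.0 s), and returns to UP when the 12.0 s heartbeat arrives. The same loop is where a defender would hook alerting: a DOWN transition on the HA link is the moment to verify that the adjacent routers have actually moved traffic, rather than assuming the failover happened.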

You can log into the management interface (MGMT1) of either node, but you actively manage the configuration of the primary node only.

Active-passive cluster

Although one appliance is deemed active (the primary) and one passive (the secondary), the ports are not turned off on the passive node. It can still receive traffic, mitigate attacks, and forward the traffic.

You should use the adjacent routers to ensure that traffic is forwarded through only the active path. For example, you can assign a path priority or cost so that the high-priority (low-cost) path goes through the primary node and the secondary node is ignored, even though it can pass traffic. If the primary fails, its interfaces can be configured to 'fail closed'; the router detects the link as down and switches to the alternative path.

If the secondary node fails as well (a double failure) and you do not want traffic to be dropped, configure the secondary system to 'fail open' (appliances only; not supported on VMs).

In some applications, you can use the passive node's ability to pass traffic to your advantage. For example, you can create a multi-link LACP aggregate and allow the traffic to be distributed between the FortiDDoS appliances, doubling the available bandwidth for mitigation. Since traffic is evenly distributed, the thresholds learned and implemented on the primary system will work equally well on the secondary system. However, each system graphs data, logs, and creates reports independently. These logs can be aggregated by FortiAnalyzer or FortiSIEM.