
HA synchronization

The Primary node pushes the following configuration elements to the Secondary node. This is known as synchronization.

| Setting | Synced (Yes/No) | Editable on Secondary in Active/Passive Mode (Yes/No) |
| --- | --- | --- |
| System | | |
| High Availability | No | Yes |
| Admin | | |
| • Administrator | Yes | No |
| • Profile | Yes | No |
| • Settings | Yes | No |
| • Host Name | No | No |
| Authentication | | |
| • RADIUS | Yes | No |
| • LDAP | Yes | No |
| • TACACS+ | Yes | No |
| SNMP | | |
| • System Information | No | Yes |
| • Thresholds | Yes | No |
| • Community | Yes | No |
| • User | Yes | No |
| Certificate | No | Yes |
| Maintenance | | |
| • Backup & Restore | Backup/Restore Allowed | Only Backup Allowed |
| • Date & Time | Yes | Yes |
| • Date & Time by NTP | Yes | No |
| • Time Zone | Yes | No |
| • Daily Config Backup | No | Yes |
| FortiGuard | Yes | No |
| Address and Service | | |
| • Address IPv4 | Yes | No |
| • Address IPv4 Group | Yes | No |
| • Address IPv6 | Yes | No |
| • Address IPv6 Group | Yes | No |
| • Service | Yes | No |
| • Service Group | Yes | No |
| Network | | |
| Interface | | |
| • Traffic Ports | No | Yes |
| • Management Ports | No | Yes |
| Route | No | Yes |
| DNS | No | Yes |
| Packet Capture | No | Yes |
| Global Settings | | |
| Deployment | | |
| • Deployment | No | Yes |
| • Bypass MAC | Yes | No |
| Proxy IP | | |
| • Proxy IP Detection | Yes | No |
| • Proxy IP List | Yes | No |
| Cloud Signaling | No | Yes |
| Access Control List | | |
| • IPv4 | Yes | No |
| • IPv6 | Yes | No |
| Blocklist | | |
| • Blocklisted IPv4 Address | No | Yes |
| • Blocklisted Domains | No | Yes |
| Do Not Track Policy | | |
| • IPv4 | Yes | No |
| • IPv6 | Yes | No |
| GRE Tunnel Endpoint | Yes | No |
| Service Protection | | |
| Service Protection Profiles | | |
| • Service Protection Policy | Yes | No |
| • Source Tracking | Yes | No |
| • Blocking Settings | Yes | No |
| • Service Ports Setting | Yes | No |
| • Protection Profile Settings | Yes | No |
| • Protection Subnets | Yes | No |
| • ACL | Yes | No |
| • Thresholds | Yes | No |
| IP Profile | Yes | No |
| ICMP Profile | Yes | No |
| TCP Profile | Yes | No |
| HTTP Profile | Yes | No |
| SSL/TLS Profile | Yes | No |
| NTP Profile | Yes | No |
| DNS Profile | Yes | No |
| DTLS Profile | Yes | No |
| Log & Report | | |
| Log configuration | No - all settings and Reports are independent. | |
| • Local Log Settings | No | Yes |
| • Event Log Remote | No | Yes |
| • DDoS Attack Log Remote | No | Yes |
| • Alert Email Settings | No | Yes |
| • Log Purge Settings | No | Yes |
| • SNMP Trap Receivers | No | Yes |
| • Remote Log Settings | No | Yes |
| Log Access | | |
| • Logs | No | Not Applicable. Logs are displayed independently on each appliance. |
| • Log Backup | No | Yes |
| Report Configuration | No | Yes |
| Report Purge | No | Yes |
| Report Browse | No | Yes |
| Flowspec | No | Yes |
| Monitor | | |
| All Graphs | No | Not Applicable. All graphing is independent to each appliance. There are no configuration options in Monitor graphs. |


Synchronization occurs immediately when an appliance joins the cluster, and thereafter every 30 seconds. In an active-passive cluster, any synchronized settings (Yes in the 'Synced' column above) are read-only on the Secondary node.

All other system configuration, network and interface configuration, HA configuration, and log/report configuration (Yes in the 'Editable' column above) are not synchronized but may be edited on the Secondary even when it is in Active-Passive Mode.
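
The following is an added example, not part of the handbook or of any Fortinet tooling. It classifies differences between a Primary and a Secondary configuration snapshot using a subset of the table above, so that a broken sync can be told apart from settings that were never pushed. The flat snapshot format, the `PER_NODE` set, the finding labels, and all sample values are assumptions made for illustration.

```python
# Added example. Setting names and Synced values come from the table above;
# the flat {setting: value} snapshot format and all sample values are constructed.

# Subset of the matrix: setting -> True if the Primary pushes it to the Secondary.
SYNCED = {
    "Admin/Administrator": True,
    "Authentication/RADIUS": True,
    "Access Control List/IPv4": True,
    "Service Protection Profiles/Thresholds": True,
    "Admin/Host Name": False,
    "Blocklist/Blocklisted IPv4 Address": False,
    "Blocklist/Blocklisted Domains": False,
    "Log configuration/Event Log Remote": False,
    "Log configuration/DDoS Attack Log Remote": False,
}
# Assumption: non-synced settings that are meant to differ between nodes.
PER_NODE = {"Admin/Host Name"}

def audit(primary, secondary):
    """Return {setting: finding} for each matrix setting whose values differ."""
    findings = {}
    for name, synced in SYNCED.items():
        if primary.get(name) == secondary.get(name):
            continue
        if synced:
            # Pushed every 30 seconds and read-only on the Secondary, so a
            # difference that outlives one interval means sync is not working.
            findings[name] = "sync-failure"
        elif name in PER_NODE:
            findings[name] = "expected"
        else:
            # Never pushed: the Secondary keeps its own value after a failover.
            findings[name] = "replicate-manually"
    return findings

# Constructed snapshots (documentation address ranges, made-up names).
PRIMARY = {
    "Admin/Administrator": ["admin", "soc-oncall"],
    "Admin/Host Name": "ddos-a",
    "Access Control List/IPv4": ["deny 198.51.100.0/24"],
    "Blocklist/Blocklisted IPv4 Address": ["203.0.113.7", "203.0.113.9"],
    "Log configuration/Event Log Remote": "192.0.2.10:514",
}
SECONDARY = dict(PRIMARY, **{
    "Admin/Administrator": ["admin"],
    "Admin/Host Name": "ddos-b",
    "Blocklist/Blocklisted IPv4 Address": ["203.0.113.7"],
    "Log configuration/Event Log Remote": None,
})
```

Take both snapshots more than 30 seconds after the last change on the Primary, so that a synced setting still in flight is not reported as a failure.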

Note the following:

  • It is not recommended to perform the following actions on a Primary node while it is in HA Active-Passive mode. Switch to standalone mode to modify these settings:
    • Configuration restore - this is likely to cause Secondary system reboots. It is better to put the systems in standalone mode, restore to each system, and then place them in Active-Passive mode, unless Secondary rebooting is acceptable.
    • TAP mode change
  • HA Secondary does not synchronize time/date from HA Primary.
  • HA settings are read-write on all nodes in all modes so that you can switch from HA to standalone mode as needed.

Collected data is also not synchronized. This covers the following:

  • Session data—HA does not synchronize session information or any other element of the data traffic.
  • Estimated thresholds—Configured thresholds are part of the configuration and are synchronized, but estimated thresholds that are shown in Monitor graphs are based on the history of traffic processed by the local system.
  • Log messages—These describe events that happened on that specific appliance. After a failover, you might notice that there is a gap in the original active appliance’s log files that corresponds to the period of its down time. Log messages created during the time when the standby was acting as the active appliance (if you have configured local log storage) are stored there, on the original standby appliance.
  • Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports also describe events that happened on that specific appliance. As such, report settings are synchronized, but report output is not.
