Deploying an active-passive cluster

Overview

The following figure shows an active-passive deployment. When HA is enabled, the system sends heartbeat packets between the pair to monitor availability, and the primary node pushes its configuration to the secondary node.

[Figure: Active-passive cluster]

When the primary node goes down, the secondary becomes the primary node. When the original primary node comes back online, the system selects the primary based on the lowest Device Priority number (1 has greater priority than 2).

  • Note: Before you configure HA Settings, familiarize yourself with how FortiDDoS High Availability works.

Basic steps

To deploy an active-passive cluster:

  1. License all FortiDDoS-F appliances in the HA cluster, and register them, including FortiGuard services, with the Fortinet Technologies Inc. Technical Support website: https://support.fortinet.com/
  2. Link the FortiDDoS-F appliances that make up the HA cluster.
    You must link one port on each system (for example, mgmt2 to mgmt2) for heartbeat and synchronization traffic between members of the cluster. You can do either of the following:
    • Connect the two appliances directly with an Ethernet cable.
    • Link the appliances through a network. If connected through a network, the HA interfaces must be reachable by Layer 2 multicast (multicast MAC addresses).
  3. Configure the secondary node:
    1. Log in to the secondary appliance as the admin user.
    2. Go to Global Settings > Settings and set the Power Failure Bypass Mode to Fail Open or Fail Closed, according to how you want traffic handled when both nodes fail. If you use an external bypass unit, configure Fail Closed.
    3. Complete the HA settings as described in Configuring HA settings.

    Important: Set the Secondary system Device Priority to a higher number than the primary appliance; for example, set Device Priority to 2.

  4. Configure the primary node:
    1. Log in to the primary appliance as the admin user.
    2. Go to Global Settings > Settings and set the Power Failure Bypass Mode to Fail Closed.
    3. Complete the configuration for all features, as well as the HA configuration.

    Important: Set the Device Priority to a lower number than the secondary appliance; for example, set Device Priority to 1.

  • Note: After you have saved the HA configuration changes, cluster members might join or rejoin the cluster. The Secondary system may reboot after joining the HA pair, to take a full configuration from the Primary.

    After you have saved configuration changes on the primary node, it automatically pushes most configuration settings to the secondary node. See HA synchronization table for more detail on which settings are synchronized or independent.
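A pre-change check for a planned pair, as an added example (not Fortinet code): it tests the planned Device Priority and Power Failure Bypass Mode values against the steps above and walks through the failover and failback sequence from the overview. The node names and the `Node`, `check_plan`, `elect` and `failover_walkthrough` helpers are hypothetical, the values are typed in by hand rather than read from an appliance, and `elect` is a simplified model of the stated lowest-number rule.

```python
from dataclasses import dataclass

FAIL_OPEN, FAIL_CLOSED = "Fail Open", "Fail Closed"

@dataclass
class Node:
    name: str             # constructed label, not a FortiDDoS setting
    device_priority: int  # planned Device Priority value
    bypass_mode: str      # planned Power Failure Bypass Mode value
    up: bool = True

def check_plan(primary, secondary, external_bypass=False):
    """Return the ways a planned pair deviates from the deployment steps."""
    issues = []
    if primary.device_priority >= secondary.device_priority:
        issues.append("Device Priority: primary must have the lower number")
    if primary.bypass_mode != FAIL_CLOSED:
        issues.append("primary: Power Failure Bypass Mode must be Fail Closed")
    if secondary.bypass_mode not in (FAIL_OPEN, FAIL_CLOSED):
        issues.append("secondary: unknown Power Failure Bypass Mode")
    elif external_bypass and secondary.bypass_mode != FAIL_CLOSED:
        issues.append("secondary: external bypass unit requires Fail Closed")
    return issues

def elect(nodes):
    """Simplified model: among nodes that are up, the lowest number wins."""
    alive = [n for n in nodes if n.up]
    return min(alive, key=lambda n: n.device_priority).name if alive else None

def failover_walkthrough(primary, secondary):
    """Acting primary at each stage: steady state, primary down, primary back."""
    stages = []
    for primary_up in (True, False, True):
        primary.up = primary_up
        stages.append(elect([primary, secondary]))
    return stages

if __name__ == "__main__":
    # Constructed plan: secondary left at Fail Open although an external
    # bypass unit is in use, which the check should flag.
    a = Node("ddos-a", 1, FAIL_CLOSED)
    b = Node("ddos-b", 2, FAIL_OPEN)
    for issue in check_plan(a, b, external_bypass=True):
        print("PLAN ISSUE:", issue)
    print("acting primary per stage:", failover_walkthrough(a, b))
```

If the priorities are entered the wrong way round, the walkthrough shows the intended secondary holding the primary role in steady state, which is the symptom to look for after cluster members rejoin.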
