Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.6.1
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    HA synchronization

    HA synchronization

    The Primary node pushes the following configuration elements to the Secondary node. This is known as synchronization.

    Setting

    Synced (Yes/No)

    Editable on Secondary in Active/Passive Mode (Yes/No)

    System

    High Availability

    No

    Yes

    Admin

    • Administrator

    Yes

    No
    • Profile

    Yes

    No
    • Settings

    Yes

    No
    • Host Name

    No

    No

    Authentication

    • RADIUS

    Yes

    No
    • LDAP

    Yes

    No
    • TACACS+

    Yes

    No

    SNMP

    • System Information

    No

    Yes
    • Thresholds

    Yes

    No
    • Community

    Yes

    No
    • User

    Yes

    No

    Certificate

    No

    Yes

    Maintenance

    • Backup & Restore

    Backup/Restore Allowed

    Only Backup Allowed
    • Date & Time

    Yes

    Yes
    • Date & Time by NTP

    Yes

    No
    • Time Zone

    Yes

    No
    • Daily Config Backup

    No

    Yes

    FortiGuard

    Yes

    No

    Address and Service

    • Address IPv4

    Yes

    No
    • Address IPv4 Group

    Yes

    No
    • Address IPv6

    Yes

    No
    • Address IPv6 Group

    Yes

    No
    • Service

    Yes

    No
    • Service Group

    Yes

    No

    Network

    Interface

    • Traffic Ports

    No

    Yes
    • Management Ports

    No

    Yes

    Route

    No

    Yes

    DNS

    No

    Yes

    Packet Capture

    No

    Yes

    Global Settings

    Deployment

    • Deployment

    No

    Yes
    • Bypass MAC

    Yes

    No

    Proxy IP

    • Proxy IP Detection

    Yes

    No
    • Proxy IP List

    Yes

    No

    Cloud Signaling

    No

    Yes

    Access Control List

    • IPv4

    Yes

    No
    • IPv6

    Yes

    No

    Blocklist

    • Blocklisted IPv4 Address

    No

    Yes
    • Blocklisted Domains

    No

    Yes

    Do Not Track Policy

    • IPv4

    Yes

    No
    • IPv6

    Yes

    No

    GRE Tunnel Endpoint

    Yes

    No

    Service Protection

    Service Protection Profiles

    • Service Protection Policy

    Yes

    No
    • Source Tracking

    Yes

    No
    • Blocking Settings

    Yes

    No
    • Service Ports Setting

    Yes

    No
    • Protection Profile Settings

    Yes

    No
    • Protection Subnets

    Yes

    No
    • ACL

    Yes

    No
    • Thresholds

    Yes

    No

    IP Profile

    Yes

    No

    ICMP Profile

    Yes

    No

    TCP Profile

    Yes

    No

    HTTP Profile

    Yes

    No

    SSL/TLS Profile

    Yes

    No

    NTP Profile

    Yes

    No

    DNS Profile

    Yes

    No

    DTLS Profile

    Yes

    No

    Log & Report

    Log configuration

    No - all settings and Reports are independent.

    • Local Log Settings

    No

    Yes
    • Event Log Remote

    No

    Yes
    • DDoS Attack Log Remote

    No

    Yes
    • Alert Email Settings

    No

    Yes
    • Log Purge Settings

    No

    Yes
    • SNMP Trap Receivers

    No

    Yes
    • Remote Log Settings

    No

    Yes

    Log Access

    • Logs

    No

    Not Applicable Logs are displayed independently on each appliance
    • Log Backup

    No

    Yes

    Report Configuration

    No

    Yes

    Report Purge

    No

    Yes

    Report Browse

    No

    Yes

    Flowspec

    No

    Yes

    Monitor

    All Graphs

    No

    Not Applicable All graphing is independent to each appliance. There are no configuration options in Monitor graphs.

    Synchronization occurs immediately when an appliance joins the cluster, and thereafter every 30 seconds. In an active-passive cluster, any synchronized settings (Yes in the 'Synced' column above) are read-only on the Secondary node.

    All other system configuration, network and interface configuration, HA configuration, and log/report configuration (Yes in the 'Editable' column above) are not synchronized but may be edited on the Secondary even when it is in Active-Passive Mode.

    Note the following:

    • It is not recommended to perform the below actions on a Primary node when it is in HA Active-Passive mode. You need to switch to standalone mode to modify these settings:
      • Configuration restore - this is likely to cause Secondary system reboots. It is better to put the systems in standalone mode and restore to each system, then place in Active-Passive mode, unless Secondary rebooting is acceptable.
      • TAP mode change
    • HA Secondary does not synchronize time/date from HA Primary.
    • HA settings are read-write on all nodes in all modes so that you can switch from HA to standalone mode as needed.

    Collected data is also not synchronized. The following data is not synchronized:

    • Session data—It does not synchronize session information or any other element of the data traffic.
    • Estimated thresholds—Configured thresholds are part of the configuration and are synchronized, but estimated thresholds that are shown in Monitor graphs are based on the history of traffic processed by the local system.
    • Event and Attack Log messages—These describe events that happened on that specific appliance. After a failover, you might notice that there is a gap in the original active appliance’s log files that corresponds to the period of its down time. Log messages created during the time when the standby was acting as the active appliance (if you have configured local log storage) are stored there, on the original standby appliance. Fortinet recommends using FortiAnalyzer to aggregate Event and Attack logs from an HA pair.
    • Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports also describe events that happened on that specific appliance. As such, report settings are synchronized, but report output is not.
    Previous
    Next

    HA synchronization

    HA synchronization

    The Primary node pushes the following configuration elements to the Secondary node. This is known as synchronization.

    Setting

    Synced (Yes/No)

    Editable on Secondary in Active/Passive Mode (Yes/No)

    System

    High Availability

    No

    Yes

    Admin

    • Administrator

    Yes

    No
    • Profile

    Yes

    No
    • Settings

    Yes

    No
    • Host Name

    No

    No

    Authentication

    • RADIUS

    Yes

    No
    • LDAP

    Yes

    No
    • TACACS+

    Yes

    No

    SNMP

    • System Information

    No

    Yes
    • Thresholds

    Yes

    No
    • Community

    Yes

    No
    • User

    Yes

    No

    Certificate

    No

    Yes

    Maintenance

    • Backup & Restore

    Backup/Restore Allowed

    Only Backup Allowed
    • Date & Time

    Yes

    Yes
    • Date & Time by NTP

    Yes

    No
    • Time Zone

    Yes

    No
    • Daily Config Backup

    No

    Yes

    FortiGuard

    Yes

    No

    Address and Service

    • Address IPv4

    Yes

    No
    • Address IPv4 Group

    Yes

    No
    • Address IPv6

    Yes

    No
    • Address IPv6 Group

    Yes

    No
    • Service

    Yes

    No
    • Service Group

    Yes

    No

    Network

    Interface

    • Traffic Ports

    No

    Yes
    • Management Ports

    No

    Yes

    Route

    No

    Yes

    DNS

    No

    Yes

    Packet Capture

    No

    Yes

    Global Settings

    Deployment

    • Deployment

    No

    Yes
    • Bypass MAC

    Yes

    No

    Proxy IP

    • Proxy IP Detection

    Yes

    No
    • Proxy IP List

    Yes

    No

    Cloud Signaling

    No

    Yes

    Access Control List

    • IPv4

    Yes

    No
    • IPv6

    Yes

    No

    Blocklist

    • Blocklisted IPv4 Address

    No

    Yes
    • Blocklisted Domains

    No

    Yes

    Do Not Track Policy

    • IPv4

    Yes

    No
    • IPv6

    Yes

    No

    GRE Tunnel Endpoint

    Yes

    No

    Service Protection

    Service Protection Profiles

    • Service Protection Policy

    Yes

    No
    • Source Tracking

    Yes

    No
    • Blocking Settings

    Yes

    No
    • Service Ports Setting

    Yes

    No
    • Protection Profile Settings

    Yes

    No
    • Protection Subnets

    Yes

    No
    • ACL

    Yes

    No
    • Thresholds

    Yes

    No

    IP Profile

    Yes

    No

    ICMP Profile

    Yes

    No

    TCP Profile

    Yes

    No

    HTTP Profile

    Yes

    No

    SSL/TLS Profile

    Yes

    No

    NTP Profile

    Yes

    No

    DNS Profile

    Yes

    No

    DTLS Profile

    Yes

    No

    Log & Report

    Log configuration

    No - all settings and Reports are independent.

    • Local Log Settings

    No

    Yes
    • Event Log Remote

    No

    Yes
    • DDoS Attack Log Remote

    No

    Yes
    • Alert Email Settings

    No

    Yes
    • Log Purge Settings

    No

    Yes
    • SNMP Trap Receivers

    No

    Yes
    • Remote Log Settings

    No

    Yes

    Log Access

    • Logs

    No

    Not Applicable Logs are displayed independently on each appliance
    • Log Backup

    No

    Yes

    Report Configuration

    No

    Yes

    Report Purge

    No

    Yes

    Report Browse

    No

    Yes

    Flowspec

    No

    Yes

    Monitor

    All Graphs

    No

    Not Applicable All graphing is independent to each appliance. There are no configuration options in Monitor graphs.

    Synchronization occurs immediately when an appliance joins the cluster, and thereafter every 30 seconds. In an active-passive cluster, any synchronized settings (Yes in the 'Synced' column above) are read-only on the Secondary node.

    All other system configuration, network and interface configuration, HA configuration, and log/report configuration (Yes in the 'Editable' column above) are not synchronized but may be edited on the Secondary even when it is in Active-Passive Mode.

    Note the following:

    • It is not recommended to perform the below actions on a Primary node when it is in HA Active-Passive mode. You need to switch to standalone mode to modify these settings:
      • Configuration restore - this is likely to cause Secondary system reboots. It is better to put the systems in standalone mode and restore to each system, then place in Active-Passive mode, unless Secondary rebooting is acceptable.
      • TAP mode change
    • HA Secondary does not synchronize time/date from HA Primary.
    • HA settings are read-write on all nodes in all modes so that you can switch from HA to standalone mode as needed.

    Collected data is also not synchronized. The following data is not synchronized:

    • Session data—It does not synchronize session information or any other element of the data traffic.
    • Estimated thresholds—Configured thresholds are part of the configuration and are synchronized, but estimated thresholds that are shown in Monitor graphs are based on the history of traffic processed by the local system.
    • Event and Attack Log messages—These describe events that happened on that specific appliance. After a failover, you might notice that there is a gap in the original active appliance’s log files that corresponds to the period of its down time. Log messages created during the time when the standby was acting as the active appliance (if you have configured local log storage) are stored there, on the original standby appliance. Fortinet recommends using FortiAnalyzer to aggregate Event and Attack logs from an HA pair.
    • Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports also describe events that happened on that specific appliance. As such, report settings are synchronized, but report output is not.
    Previous
    Next