HA feature overview

FortiDDoS-F appliances can be deployed as standalone appliances or as members of a high availability (HA) pair. FortiDDoS supports active-passive cluster pairs. In an HA pair, one node is the primary node and the other is the secondary node.

In this context, the term "Active-Passive" differs from its usual meaning for Layer 3 networking devices. Here it refers to a configuration model in which the Primary device creates the configuration, which is then synchronized to the Secondary device.

Please note the following:

  • Out-of-band management ports require a different IP address on each device.
  • Since traffic ports have no IP address, they are not "downed" on the "passive"/Secondary system.
  • Data ports on BOTH devices process traffic and mitigate attacks based on the features and Thresholds configured on the Primary and passed to the Secondary.
  • Thresholds and most features are synchronized from the Primary to the Secondary; these settings cannot be configured on the Secondary.
  • All graphing, logging, and reporting are independent on each appliance.

The figure below shows an active-passive deployment. The cluster uses a connection between the MGMT2 ports of the two nodes for two types of HA communication:

  • Heartbeats. A cluster node indicates to other nodes in the cluster that it is up and available. The absence of heartbeat traffic indicates the node is not up and is unavailable.
  • Synchronization. During initialization and periodically thereafter, the primary node pushes its configuration (with noted exceptions) to the secondary nodes.
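The following is an added illustration of the two HA control-plane functions just described, heartbeat liveness tracking and primary-to-secondary configuration synchronization; it is example code written for this page, not FortiDDoS firmware or CLI. The heartbeat interval, the number of missed heartbeats tolerated, and the set of settings treated as local-only (management IPs, logging and reporting state, per the list above) are assumptions chosen for the example, and the configuration key names are constructed.

```python
"""Model of HA heartbeats and config sync for an active-passive pair.
Added example, not Fortinet code; intervals and key names are assumptions."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 1.0          # seconds between heartbeats (assumed)
MISSED_HEARTBEATS_ALLOWED = 3     # peer declared down after this many misses (assumed)

# Settings that stay local to each appliance and are never pushed by the
# primary: management IPs and graphing/logging/reporting state. The key
# names are constructed for this example.
LOCAL_ONLY_KEYS = {"mgmt1_ip", "mgmt2_ip", "log_settings", "report_settings"}


@dataclass
class Node:
    name: str
    role: str                      # "primary" or "secondary"
    config: dict = field(default_factory=dict)
    last_heartbeat_seen: float = 0.0


def record_heartbeat(node, now):
    """Called when a heartbeat from this peer arrives on the MGMT2 link."""
    node.last_heartbeat_seen = now


def peer_is_up(node, now):
    """A peer is up while its heartbeats keep arriving within the allowed
    window; silence longer than that means the node is unavailable."""
    silence = now - node.last_heartbeat_seen
    return silence <= HEARTBEAT_INTERVAL * MISSED_HEARTBEATS_ALLOWED


def sync_config(primary, secondary):
    """Push the primary's configuration to the secondary, leaving the
    secondary's local-only settings untouched. Returns the merged config."""
    for key, value in primary.config.items():
        if key in LOCAL_ONLY_KEYS:
            continue                      # noted exception: stays per-device
        secondary.config[key] = value
    return secondary.config


def apply_change(node, key, value):
    """Synchronized settings may only be changed on the primary; local-only
    settings may be changed on either node. Returns True if applied."""
    if node.role != "primary" and key not in LOCAL_ONLY_KEYS:
        return False                      # rejected on the secondary
    node.config[key] = value
    return True


if __name__ == "__main__":
    # Constructed sample pair with distinct management IPs (required).
    a = Node("ddos-a", "primary",
             {"mgmt2_ip": "10.0.0.1", "thresholds": {"syn_per_sec": 1000},
              "log_settings": {"level": "info"}})
    b = Node("ddos-b", "secondary",
             {"mgmt2_ip": "10.0.0.2", "log_settings": {"level": "debug"}})
    print(sync_config(a, b))
    record_heartbeat(b, now=100.0)
    print("peer up at t=102:", peer_is_up(b, 102.0))
    print("peer up at t=105:", peer_is_up(b, 105.0))
```

The point of the model is the asymmetry: thresholds flow one way and are rejected when set on the secondary, while management addressing and logging remain per-device, which is why each appliance must be monitored and its logs collected separately.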

You can log into the management interface (MGMT1 or MGMT2) of either node, but, with a few exceptions, you can only actively manage the configuration on the primary node.

Figure: Active-passive cluster

Although one appliance is deemed active (the primary) and one passive (the secondary), the ports are not turned off on the passive node. The passive node can still receive traffic, mitigate attacks, and forward the traffic.

You should use the adjacent routers to ensure that traffic is forwarded through only the active path. For example, you can assign path priorities or costs so that the high-priority (low-cost) path goes through the primary node and the secondary is ignored even though it can pass traffic. If the primary fails, its interfaces can be configured to 'fail closed'; the router detects this and switches to the alternative path.

If the secondary node fails as well (a double failure) and you do not want traffic to be dropped, configure the secondary system to 'fail open' (appliances only; not supported on VMs).
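The following is an added example, not Fortinet code, modelling how the adjacent router described above selects a path by cost and how the 'fail closed' and 'fail open' settings change what the router sees when an appliance fails. The path costs, appliance names, and the representation of the failure states are constructed assumptions for the example.

```python
"""Router path selection across an active-passive FortiDDoS pair.
Added example, not Fortinet code; costs and names are assumptions."""
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    path_cost: int                 # lower cost = preferred path (assumed metric)
    healthy: bool = True
    fail_mode: str = "closed"      # "closed": link drops on failure; "open": bypass

    def link_up(self):
        # Fail-closed: a failed appliance takes its data link down, so the
        # router's path check fails and it reroutes. Fail-open: the link stays
        # up and traffic passes through without mitigation (appliances only).
        return self.healthy or self.fail_mode == "open"

    def mitigating(self):
        # Only a healthy appliance inspects and mitigates traffic.
        return self.healthy


def select_path(appliances):
    """Return the lowest-cost appliance whose link is up, or None if every
    path is down (traffic fails)."""
    candidates = [a for a in appliances if a.link_up()]
    if not candidates:
        return None
    return min(candidates, key=lambda a: a.path_cost)


def scenario(primary_ok, secondary_ok, secondary_fail_mode="closed"):
    """Build a constructed pair (primary preferred by cost) and report which
    path carries traffic and whether that traffic is mitigated."""
    primary = Appliance("primary", 10, healthy=primary_ok, fail_mode="closed")
    secondary = Appliance("secondary", 20, healthy=secondary_ok,
                          fail_mode=secondary_fail_mode)
    chosen = select_path([primary, secondary])
    if chosen is None:
        return ("no path", False)
    return (chosen.name, chosen.mitigating())


if __name__ == "__main__":
    print("both healthy:             ", scenario(True, True))
    print("primary failed:           ", scenario(False, True))
    print("double failure, closed:   ", scenario(False, False))
    print("double failure, fail open:", scenario(False, False, "open"))
```

The last two scenarios show the trade-off the text describes: with the secondary set to fail closed, a double failure drops traffic; with it set to fail open, traffic keeps flowing but is no longer mitigated, so the choice depends on whether availability or protection matters more for that path.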

In some applications, you can use the passive node's ability to pass traffic to your advantage. For example, you can create a multi-link LACP bundle and allow the traffic to be distributed between the FortiDDoS appliances, doubling the available bandwidth for mitigation. Since traffic is evenly distributed, the thresholds learned and implemented on the Primary system will work equally well on the Secondary system. However, each system graphs data, logs, and creates reports independently. These logs can be aggregated by FortiAnalyzer or FortiSIEM.