
HA system and network requirements

  • Two identical appliances (the same hardware model and the same firmware version).
  • By default, use the MGMT2 port to connect the HA appliances, either directly or through a network. The HA port can be changed and can be shared with the GUI/CLI management port, but check the settings on the System > Network > Interface page before changing the default.

Heartbeat and synchronization traffic between cluster nodes occurs over the physical network ports you specify. If switches are used to connect the heartbeat interfaces of the nodes, those interfaces must be reachable by Layer 2 multicast (multicast destination MAC addresses).

From Release 7.0.0, FortiDDoS encapsulates HA packets in EtherType 0x8895 (heartbeat) and EtherType 0x889F (synchronization). Network switches typically pass these frames, but some switches block Layer 2 (L2) multicast by default. To guarantee end-to-end HA connectivity, consider disabling Internet Group Management Protocol (IGMP) within the VLAN.

For tracing, look for Layer 2 frames whose destination multicast MAC address begins with 01-00-5E. Packet analysis applications generally show these frames as malformed, but for FortiDDoS heartbeat frames the packet decode window should display the serial number of the transmitting system, as shown below.
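As an added example (not from the handbook and not FortiDDoS code), the following Python decoder applies the tracing hints above to raw Ethernet frames: it picks out frames by the two HA EtherTypes, strips an 802.1Q tag if present, checks for the 01-00-5E multicast destination prefix, and pulls a candidate transmitter serial out of heartbeat payloads. The sample frames are constructed, the serial is a placeholder, and the assumption that the serial appears as printable ASCII in the payload is mine; the page does not document the payload layout.

```python
import re
import struct

# EtherTypes that FortiDDoS 7.0.0+ uses for HA traffic (values from the handbook text).
HA_ETHERTYPES = {0x8895: "heartbeat", 0x889F: "synchronization"}
MCAST_PREFIX = bytes.fromhex("01005e")   # destination MACs beginning 01-00-5E

def fmt_mac(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)

def classify_frame(frame: bytes) -> dict:
    """Decode one Ethernet II frame (optionally 802.1Q tagged): is it FortiDDoS HA
    traffic, is it addressed to L2 multicast, and (heartbeats) a candidate serial."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == 0x8100 and len(frame) >= 18:   # strip a single 802.1Q tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    payload = frame[offset:]
    ha_type = HA_ETHERTYPES.get(ethertype)
    # Assumption: the heartbeat payload layout is not documented on the page, so the
    # serial is taken as the longest run of printable ASCII in the payload.
    serial = None
    if ha_type == "heartbeat":
        runs = re.findall(rb"[\x20-\x7e]{6,}", payload)
        serial = max(runs, key=len).decode("ascii") if runs else None
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan,
            "ethertype": f"0x{ethertype:04x}", "ha_type": ha_type,
            "l2_multicast": dst.startswith(MCAST_PREFIX), "serial": serial}

def ha_frames(frames) -> list:
    """Keep only HA frames, the equivalent of a capture filter on the two EtherTypes."""
    return [info for info in map(classify_frame, frames) if info["ha_type"]]

# Constructed sample frames (not a real capture); the serial is a placeholder string.
SRC = bytes.fromhex("020000000001")
PLACEHOLDER_SERIAL = b"FDD-SERIAL-PLACEHOLDER"
HEARTBEAT = (MCAST_PREFIX + b"\x00\x00\x01" + SRC + struct.pack("!H", 0x8895)
             + b"\x00\x01" + PLACEHOLDER_SERIAL + b"\x00" * 8)
SYNC_TAGGED = (MCAST_PREFIX + b"\x00\x00\x01" + SRC
               + struct.pack("!HHH", 0x8100, 100, 0x889F) + b"\x00" * 20)
ARP = b"\xff" * 6 + SRC + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    for info in ha_frames([HEARTBEAT, SYNC_TAGGED, ARP]):
        print(info)
```

A heartbeat frame whose decode shows a non-multicast destination, or that never arrives on the peer, points at the L2 multicast filtering the section describes.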
