Configuring HA settings

Before you begin:

  • You must have Read-Write permission to items in the System category.
  • Before you configure HA settings, familiarize yourself with how FortiDDoS High Availability works.
To configure HA settings:
  1. Go to System > High Availability.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

After you have saved the configuration, cluster members begin to send heartbeat traffic to each other. Members with the same Group ID join the cluster. They send synchronization traffic directly through the HA connection.

NOTE: If you change the HA Mode from Active-Passive to Standalone, HA settings will be reset to Default. Before you change to Standalone, take a screenshot or otherwise record the Active-Passive settings so you can restore them when you return to Active-Passive Mode.

High availability page

High availability settings

Configured HA Mode
  • Standalone
  • Active-passive

This setting should only be changed after other non-synchronized settings are complete, although this is not mandatory. See HA synchronization for settings that are not synchronized between devices. When changed to Active-Passive, all synchronized parameters on the Secondary device are replaced with data from the Primary device and made read-only. Non-synchronized parameters may be modified on the Secondary device, as required, while it is in Active-Passive mode.

Port

Select the Mgmt port to use for HA monitoring and syncing. If you are using a direct-connect cable, use Mgmt2 on both appliances to keep Mgmt1 free for system management. For Unicast and Multicast HA, you can use Mgmt1 for everything, but using Mgmt2 offers some diversity.

HA Loss Bypass Mode

Note: this option will not appear on VMs since they have no Fail-Open Mode.

  • Deployment — The default option; when an appliance loses HA heartbeats from its paired appliance, it retains the bypass settings configured in Global Protection > Deployment > Power Off Bypass Mode.

  • Fail Open — Select this option for deployments where both appliances are in fail-closed mode and traffic is active on both appliances. If either appliance fails, it blocks BGP on that link which forces the traffic to the surviving FortiDDoS. With this setting enabled, the surviving FortiDDoS changes its Power Off Bypass Mode from Fail Closed to Fail Open when it detects no heartbeats from the failed appliance. If the surviving FortiDDoS also experiences a failure, it will be in Fail Open mode and traffic will continue to flow instead of being blocked.

    Please note, this feature has no effect if the Power Off Bypass Mode is already Fail Open.

HA Protocol

Multicast – use with a direct-connect cable for co-located FortiDDoS appliances/VMs. This CAN be used for HA to remote datacenters, but all intermediate switches must support L2 Multicast on the VLAN used (IGMP snooping must be disabled).

Unicast – Preferred method for communication between geographically separated data centers. This requires a unicast IP address on each Mgmt2 port of each appliance/VM and Layer 3 connectivity between datacenters.

Peer Address

If Unicast is selected as the HA Protocol above, the IP address of Mgmt2 on the partner HA device.

Note: if this is configured and the device you are configuring does not already have an IP address for its Mgmt2 port, you will be warned.

Group Name

Name to identify the HA pair. This setting is optional and does not affect HA function. The maximum length is 35 characters (special characters . _ - @ ! * allowed).

Device Priority

Number indicating the priority of the member node when electing the cluster primary node. The smaller the number, the higher the priority. It is mandatory to set this correctly. The valid range is 0 to 9 and the default is 5.
Group ID

Number that identifies the HA cluster.

Nodes with the same group ID join the cluster. If you have more than one HA cluster on the same network, each cluster must have a different group ID.
Note: You can only join 2 nodes to one cluster (HA pair).

The valid range is 0 to 63. The default is 0.

Detection Interval

Number of 100-millisecond intervals at which heartbeat packets are sent. This is also the interval at which a node expects to receive heartbeat packets. These numbers must match on Primary and Secondary.

The valid range is 1 to 20 (that is, between 100 and 2,000 milliseconds). The default is 2 (200 ms).

Heartbeat Lost Threshold

The number of times a node waits to receive HA heartbeat packets from the other node before concluding the other node is down. The valid range is from 1 to 60. The default is 6. Thus, the default detection time is 200 ms x 6 tries = 1.2 seconds.

CLI commands:

config system ha
  set mode <standalone | active-passive>
  set hbdev <mgmt1 | mgmt2>
  set ha-loss-bypass-mode <deployment | fail-open>
  set hb-type <multicast | unicast>
  set group-name <group_name_str>
  set group-id <0-63>                (Group ID must match on each appliance)
  set priority <0-9>                 (0 is the highest priority)
  set hb-interval <1-20>             (Detection Interval, in 100 ms increments)
  set hb-lost-threshold <1-60>
end
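As an added example (not Fortinet's code and not a FortiDDoS API), the following Python models the settings table above: the HASettings field names are this example's own, it checks the ranges and pairing rules stated in the table, computes the failure-detection time from Detection Interval and Heartbeat Lost Threshold, and emits the CLI block listed above.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class HASettings:
    # Hypothetical model of the settings table; names are this example's own.
    mode: str = "active-passive"        # standalone | active-passive
    hbdev: str = "mgmt2"                # mgmt1 | mgmt2; Mgmt2 keeps Mgmt1 free for management
    hb_type: str = "unicast"            # multicast | unicast
    peer_address: Optional[str] = None  # partner's Mgmt2 IP, required for unicast
    group_name: str = ""                # optional, at most 35 characters
    group_id: int = 0                   # 0-63, must match on both nodes
    priority: int = 5                   # 0-9, lower number wins the primary election
    hb_interval: int = 2                # 1-20, in 100 ms units, must match on both nodes
    hb_lost_threshold: int = 6          # 1-60 missed heartbeats before the peer is declared down

def failover_detect_ms(s: HASettings) -> int:
    """Time until a node concludes its peer is down: interval x 100 ms x threshold."""
    return s.hb_interval * 100 * s.hb_lost_threshold

def validate_node(s: HASettings) -> List[str]:
    """Per-node range and dependency checks taken from the settings table."""
    errs = []
    for name, val, lo, hi in (("group-id", s.group_id, 0, 63), ("priority", s.priority, 0, 9),
                              ("hb-interval", s.hb_interval, 1, 20),
                              ("hb-lost-threshold", s.hb_lost_threshold, 1, 60)):
        if not lo <= val <= hi:
            errs.append(f"{name} {val} is outside {lo}-{hi}")
    if s.hb_type == "unicast" and not s.peer_address:
        errs.append("unicast HA needs the partner's Mgmt2 IP as peer address")
    if len(s.group_name) > 35:
        errs.append("group-name is longer than 35 characters")
    return errs

def validate_pair(primary: HASettings, secondary: HASettings) -> List[str]:
    """Cross-node rules: same group ID and detection interval, primary has the lower priority."""
    errs = validate_node(primary) + validate_node(secondary)
    if primary.group_id != secondary.group_id:
        errs.append("group-id must match on both appliances")
    if primary.hb_interval != secondary.hb_interval:
        errs.append("hb-interval must match on primary and secondary")
    if primary.priority >= secondary.priority:
        errs.append("intended primary needs the lower priority number")
    return errs

def to_cli(s: HASettings) -> str:
    """Emit the page's 'config system ha' block (the page lists no CLI keyword for Peer Address)."""
    return "\n".join(["config system ha", f"set mode {s.mode}", f"set hbdev {s.hbdev}",
                      f"set hb-type {s.hb_type}", f"set group-name {s.group_name}",
                      f"set group-id {s.group_id}", f"set priority {s.priority}",
                      f"set hb-interval {s.hb_interval}",
                      f"set hb-lost-threshold {s.hb_lost_threshold}", "end"])
```

With the defaults (interval 2, threshold 6) failover_detect_ms returns the 1.2 seconds quoted in the table; the peer addresses in the test are constructed sample values.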