
Handbook

HA system and network requirements


  • Two identical appliances (the same hardware model and same firmware version).
  • By default, use the MGMT2 port to connect the HA appliances directly or through a network. The HA port can be changed and can be used simultaneously with the GUI/CLI management port, but check the settings on the System > Network > Interface page before changing from the default.

Heartbeat and synchronization traffic between cluster nodes occurs over the physical network ports you specify.

FortiDDoS supports 2 different HA communications protocols:

  • Layer 2 (MAC address) multicast on MGMT2 is the default protocol (see below). HA multicast can be used from MGMT1 if desired. However, Layer 2 multicast often causes problems when traversing network switches, resulting in HA failures.

  • From Release 7.0.1, FortiDDoS supports unicast HA communications. In this case, if MGMT2 is used, it must be assigned an IP address. Whichever port is used, the HA configuration must have the IP address of the peer MGMT port on the HA partner.

See Configuring HA settings.

Layer 2 Multicast HA communications

If switches are used to connect heartbeat interfaces between nodes, the heartbeat interfaces must be reachable by Layer 2 multicast (multicast MAC addresses).

From Release 7.0.0, FortiDDoS encapsulates HA packets in EtherType 8895 (heartbeat) and EtherType 889f (synchronization). While network switches typically allow these packets to pass through, some switches may default to blocking Layer 2 (L2) Multicast. To guarantee seamless end-to-end HA connectivity, consider disabling Internet Group Management Protocol (IGMP) within a VLAN.

For tracing, look for Layer 2 packets with destination multicast MAC addresses beginning with 01-00-5E. These packets generally show as malformed in packet analysis applications, but for FortiDDoS heartbeat packets, the packet decode window should display the serial number of the transmitting system as below.
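The tracing check described above can be scripted against raw Ethernet frames pulled from a capture taken on each side of the switch. The following is an added example, not Fortinet code: it classifies frames by the two HA EtherTypes, skips any VLAN tags, and flags whether the destination MAC starts with 01-00-5E. The sample frames, MAC addresses, VLAN ID and serial placeholder are constructed, and treating the serial number as a printable ASCII run in the payload is an assumption.

```python
import re
import struct

# EtherTypes the page gives for FortiDDoS HA traffic (Release 7.0.0 onward).
HA_ETHERTYPES = {0x8895: "heartbeat", 0x889F: "synchronization"}
L2_MCAST_PREFIX = bytes.fromhex("01005e")  # destination MACs begin 01-00-5E
VLAN_TPIDS = (0x8100, 0x88A8)  # 802.1Q / 802.1ad tags a trunk may add


def classify_frame(frame: bytes):
    """Describe one raw Ethernet frame, or return None if it is not HA traffic."""
    if len(frame) < 14:
        return None  # too short for an Ethernet header
    dst, src, offset, vlan = frame[0:6], frame[6:12], 12, None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:  # skip VLAN tags to reach the real EtherType
        if len(frame) < offset + 6:
            return None  # truncated tag
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan, offset = tci & 0x0FFF, offset + 4
    kind = HA_ETHERTYPES.get(ethertype)
    if kind is None:
        return None
    # Assumption: the serial number shows up as a printable ASCII run in the
    # payload; the real payload layout is not documented on the page.
    strings = [s.decode() for s in re.findall(rb"[A-Za-z0-9_-]{8,}", frame[offset + 2:])]
    return {"kind": kind, "src": src.hex("-"), "dst": dst.hex("-"), "vlan": vlan,
            "dst_is_l2_multicast": dst.startswith(L2_MCAST_PREFIX), "strings": strings}


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Helper for the constructed samples below (not a real capture)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex(dst) + bytes.fromhex(src) + tag + struct.pack("!H", ethertype) + payload


# Constructed sample frames: MACs, VLAN ID and payload bytes are placeholders.
SAMPLE_FRAMES = [
    build_frame("01005e000001", "020000000001", 0x8895, b"\x00\x01SERIAL-PLACEHOLDER-A\x00"),
    build_frame("01005e000001", "020000000002", 0x889F, b"\x00" * 32, vlan=20),
    build_frame("ffffffffffff", "020000000003", 0x0806, b"\x00" * 28),  # ARP, ignored
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(classify_frame(raw))
```

If heartbeat frames appear in the capture on the transmitting side of a switch but not on the receiving side, the switch is dropping the Layer 2 multicast described above.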
