Fortinet Document Library


CLI Reference

config system ha

Configure HA.

    config system ha
        Description: Configure HA.
        set group-id {integer}
        set group-name {string}
        set mode [standalone|a-a|...]
        set sync-packet-balance [enable|disable]
        set password {password}
        set key {password}
        set hbdev {user}
        set session-sync-dev {user}
        set route-ttl {integer}
        set route-wait {integer}
        set route-hold {integer}
        set multicast-ttl {integer}
        set load-balance-all [enable|disable]
        set sync-config [enable|disable]
        set encryption [enable|disable]
        set authentication [enable|disable]
        set hb-interval {integer}
        set hb-lost-threshold {integer}
        set hello-holddown {integer}
        set gratuitous-arps [enable|disable]
        set arps {integer}
        set arps-interval {integer}
        set session-pickup [enable|disable]
        set session-pickup-connectionless [enable|disable]
        set session-pickup-expectation [enable|disable]
        set session-pickup-nat [enable|disable]
        set session-pickup-delay [enable|disable]
        set link-failed-signal [enable|disable]
        set uninterruptible-upgrade [enable|disable]
        set standalone-mgmt-vdom [enable|disable]
        set ha-mgmt-status [enable|disable]
        config ha-mgmt-interfaces
            Description: Reserve interfaces to manage individual cluster units.
            edit <id>
                set interface {string}
                set dst {ipv4-classnet}
                set gateway {ipv4-address}
                set gateway6 {ipv6-address}
            next
        end
        set ha-eth-type {string}
        set hc-eth-type {string}
        set l2ep-eth-type {string}
        set ha-uptime-diff-margin {integer}
        set standalone-config-sync [enable|disable]
        set logical-sn [enable|disable]
        set vcluster2 [enable|disable]
        set vcluster-id {integer}
        set override [enable|disable]
        set priority {integer}
        set override-wait-time {integer}
        set schedule [none|hub|...]
        set weight {user}
        set cpu-threshold {user}
        set memory-threshold {user}
        set http-proxy-threshold {user}
        set ftp-proxy-threshold {user}
        set imap-proxy-threshold {user}
        set nntp-proxy-threshold {user}
        set pop3-proxy-threshold {user}
        set smtp-proxy-threshold {user}
        set monitor {user}
        set pingserver-monitor-interface {user}
        set pingserver-failover-threshold {integer}
        set pingserver-slave-force-reset [enable|disable]
        set pingserver-flip-timeout {integer}
        set vdom {user}
        config secondary-vcluster
            Description: Configure virtual cluster 2.
            set vcluster-id {integer}
            set override [enable|disable]
            set priority {integer}
            set override-wait-time {integer}
            set monitor {user}
            set pingserver-monitor-interface {user}
            set pingserver-failover-threshold {integer}
            set pingserver-slave-force-reset [enable|disable]
            set vdom {user}
        end
        set ha-direct [enable|disable]
        set ssd-failover [enable|disable]
        set memory-compatible-mode [enable|disable]
        set inter-cluster-session-sync [enable|disable]
    end

config system ha

| Parameter name | Description | Type | Size |
|---|---|---|---|
| group-id | Cluster group ID (0 - 255). Must be the same for all members. | integer | Minimum value: 0 Maximum value: 255 |
| group-name | Cluster group name. Must be the same for all members. | string | Maximum length: 32 |
| mode | HA mode. Must be the same for all members. FGSP requires standalone. Options: standalone (Standalone mode.), a-a (Active-active mode.), a-p (Active-passive mode.) | option | - |
| sync-packet-balance | Enable/disable HA packet distribution to multiple CPUs. Options: enable (Enable HA packet distribution to multiple CPUs.), disable (Disable HA packet distribution to multiple CPUs.) | option | - |
| password | Cluster password. Must be the same for all members. | password | Not Specified |
| key | key | password | Not Specified |
| hbdev | Heartbeat interfaces. Must be the same for all members. | user | Not Specified |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified |
| route-ttl | TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover. | integer | Minimum value: 5 Maximum value: 3600 |
| route-wait | Time to wait before sending new routes to the cluster (0 - 3600 sec). | integer | Minimum value: 0 Maximum value: 3600 |
| route-hold | Time to wait between routing table updates to the cluster (0 - 3600 sec). | integer | Minimum value: 0 Maximum value: 3600 |
| multicast-ttl | HA multicast TTL on master (5 - 3600 sec). | integer | Minimum value: 5 Maximum value: 3600 |
| load-balance-all | Enable to load balance TCP sessions. Disable to load balance proxy sessions only. Options: enable (Enable load balance.), disable (Disable load balance.) | option | - |
| sync-config | Enable/disable configuration synchronization. Options: enable (Enable configuration synchronization.), disable (Disable configuration synchronization.) | option | - |
| encryption | Enable/disable heartbeat message encryption. Options: enable (Enable heartbeat message encryption.), disable (Disable heartbeat message encryption.) | option | - |
| authentication | Enable/disable heartbeat message authentication. Options: enable (Enable heartbeat message authentication.), disable (Disable heartbeat message authentication.) | option | - |
| hb-interval | Time between sending heartbeat packets (1 - 20 (100*ms)). Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 20 |
| hb-lost-threshold | Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 60 |
| hello-holddown | Time to wait before changing from hello to work state (5 - 300 sec). | integer | Minimum value: 5 Maximum value: 300 |
| gratuitous-arps | Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. Options: enable (Enable gratuitous ARPs.), disable (Disable gratuitous ARPs.) | option | - |
| arps | Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time. | integer | Minimum value: 1 Maximum value: 60 |
| arps-interval | Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic. | integer | Minimum value: 1 Maximum value: 20 |
| session-pickup | Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. Options: enable (Enable session pickup.), disable (Disable session pickup.) | option | - |
| session-pickup-connectionless | Enable/disable UDP and ICMP session sync. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| session-pickup-expectation | Enable/disable session helper expectation session sync for FGSP. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| session-pickup-nat | Enable/disable NAT session sync for FGSP. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| session-pickup-delay | Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| link-failed-signal | Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| uninterruptible-upgrade | Enable to upgrade a cluster without blocking network traffic. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| standalone-mgmt-vdom | Enable/disable standalone management VDOM. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| ha-mgmt-status | Enable to reserve interfaces to manage individual cluster units. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| ha-eth-type | HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 |
| hc-eth-type | Transparent mode HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 |
| l2ep-eth-type | Telnet session HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 |
| ha-uptime-diff-margin | Normally you would only reduce this value for failover testing. | integer | Minimum value: 1 Maximum value: 65535 |
| standalone-config-sync | Enable/disable FGSP configuration synchronization. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| logical-sn | Enable/disable usage of the logical serial number. Options: enable (Enable usage of the logical serial number.), disable (Disable usage of the logical serial number.) | option | - |
| vcluster2 | Enable/disable virtual cluster 2 for virtual clustering. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| vcluster-id | Cluster ID. | integer | Minimum value: 0 Maximum value: 255 |
| override | Enable and increase the priority of the unit that should always be primary (master). Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| priority | Increase the priority to select the primary unit (0 - 255). | integer | Minimum value: 0 Maximum value: 255 |
| override-wait-time | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. | integer | Minimum value: 0 Maximum value: 3600 |
| schedule | Type of A-A load balancing. Use none if you have external load balancers. Options: none (None.), hub (Hub.), leastconnection (Least connection.), round-robin (Round robin.), weight-round-robin (Weight round robin.), random (Random.), ip (IP.), ipport (IP port.) | option | - |
| weight | Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. | user | Not Specified |
| cpu-threshold | Dynamic weighted load balancing CPU usage weight and high and low thresholds. | user | Not Specified |
| memory-threshold | Dynamic weighted load balancing memory usage weight and high and low thresholds. | user | Not Specified |
| http-proxy-threshold | Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. | user | Not Specified |
| ftp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. | user | Not Specified |
| imap-proxy-threshold | Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. | user | Not Specified |
| nntp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. | user | Not Specified |
| pop3-proxy-threshold | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. | user | Not Specified |
| smtp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. | user | Not Specified |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified |
| pingserver-failover-threshold | Remote IP monitoring failover threshold (0 - 50). | integer | Minimum value: 0 Maximum value: 50 |
| pingserver-slave-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable (Enable force reset of slave after PING server failure.), disable (Disable force reset of slave after PING server failure.) | option | - |
| pingserver-flip-timeout | Time to wait in minutes before renegotiating after a remote IP monitoring failover. | integer | Minimum value: 6 Maximum value: 2147483647 |
| vdom | VDOMs in virtual cluster 1. | user | Not Specified |
| ha-direct | Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, and FortiSandbox. Options: enable (Enable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.), disable (Disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager and FortiSandbox.) | option | - |
| ssd-failover | Enable/disable automatic HA failover on SSD disk failure. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| memory-compatible-mode | Enable/disable memory compatible mode. Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| inter-cluster-session-sync | Enable/disable synchronization of sessions among HA clusters. Options: enable (Enable synchronization of sessions among HA clusters.), disable (Disable synchronization of sessions among HA clusters.) | option | - |

config ha-mgmt-interfaces

| Parameter name | Description | Type | Size |
|---|---|---|---|
| interface | Interface to reserve for HA management. | string | Maximum length: 15 |
| dst | Default route destination for reserved HA management interface. | ipv4-classnet | Not Specified |
| gateway | Default route gateway for reserved HA management interface. | ipv4-address | Not Specified |
| gateway6 | Default IPv6 gateway for reserved HA management interface. | ipv6-address | Not Specified |

config secondary-vcluster

| Parameter name | Description | Type | Size |
|---|---|---|---|
| vcluster-id | Cluster ID. | integer | Minimum value: 0 Maximum value: 255 |
| override | Enable and increase the priority of the unit that should always be primary (master). Options: enable (Enable setting.), disable (Disable setting.) | option | - |
| priority | Increase the priority to select the primary unit (0 - 255). | integer | Minimum value: 0 Maximum value: 255 |
| override-wait-time | Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates. | integer | Minimum value: 0 Maximum value: 3600 |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified |
| pingserver-failover-threshold | Remote IP monitoring failover threshold (0 - 50). | integer | Minimum value: 0 Maximum value: 50 |
| pingserver-slave-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable (Enable force reset of slave after PING server failure.), disable (Disable force reset of slave after PING server failure.) | option | - |
| vdom | VDOMs in virtual cluster 2. | user | Not Specified |
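
As an added example (not Fortinet code), the Python below audits a saved `config system ha` block against the integer ranges documented in the table above and flags a clustered unit whose heartbeat `encryption`, `authentication` or cluster `password` is not set. The sample configuration is constructed, and the rule that `a-a` and `a-p` clusters must enable both heartbeat protections is an assumed review policy, not something this reference states.

```python
# Integer ranges copied from the parameter table on this page.
INT_RANGES = {
    "group-id": (0, 255), "route-ttl": (5, 3600), "route-wait": (0, 3600),
    "route-hold": (0, 3600), "multicast-ttl": (5, 3600), "hb-interval": (1, 20),
    "hb-lost-threshold": (1, 60), "hello-holddown": (5, 300), "arps": (1, 60),
    "arps-interval": (1, 20), "priority": (0, 255),
    "override-wait-time": (0, 3600), "pingserver-failover-threshold": (0, 50),
}

# Constructed sample input, not taken from a real device.
SAMPLE = """\
config system ha
    set group-id 300
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set encryption disable
    config secondary-vcluster
        set priority 999
    end
    set priority 200
end
"""


def parse_ha_block(text):
    """Collect top-level `set` lines of `config system ha`; nested tables are skipped."""
    settings, depth = {}, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system ha" else 0
        elif line.startswith("config "):
            depth += 1  # nested table such as ha-mgmt-interfaces
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("set "):
            _, name, *value = line.split(None, 2)
            settings[name] = value[0] if value else ""
    return settings


def audit_ha(text):
    """Return findings for out-of-range values and unprotected heartbeats."""
    cfg, findings = parse_ha_block(text), []
    mode = cfg.get("mode")
    if mode not in (None, "standalone", "a-a", "a-p"):
        findings.append(f"mode: {mode!r} is not a documented option")
    for name, (low, high) in INT_RANGES.items():
        value = cfg.get(name)
        if value is not None and not (value.isdecimal() and low <= int(value) <= high):
            findings.append(f"{name}: {value!r} outside {low}-{high}")
    if mode in ("a-a", "a-p"):  # assumed policy: clusters must protect heartbeats
        for name in ("encryption", "authentication"):
            if cfg.get(name) != "enable":
                findings.append(f"{name}: heartbeat {name} not explicitly enabled")
        if "password" not in cfg:
            findings.append("password: no cluster password in this block")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ha(SAMPLE)))
```

Settings inside `config secondary-vcluster` and `config ha-mgmt-interfaces` are deliberately ignored here, so the out-of-range nested `priority` in the sample is not reported.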
