Fortinet Document Library

CLI Reference

config system ha

Configure HA.

    config system ha
        Description: Configure HA.
        set group-id {integer}
        set group-name {string}
        set mode [standalone|a-a|...]
        set sync-packet-balance [enable|disable]
        set password {password}
        set key {password}
        set hbdev {user}
        set session-sync-dev {user}
        set route-ttl {integer}
        set route-wait {integer}
        set route-hold {integer}
        set multicast-ttl {integer}
        set load-balance-all [enable|disable]
        set sync-config [enable|disable]
        set encryption [enable|disable]
        set authentication [enable|disable]
        set hb-interval {integer}
        set hb-interval-in-milliseconds [100ms|10ms]
        set hb-lost-threshold {integer}
        set hello-holddown {integer}
        set gratuitous-arps [enable|disable]
        set arps {integer}
        set arps-interval {integer}
        set session-pickup [enable|disable]
        set session-pickup-connectionless [enable|disable]
        set session-pickup-expectation [enable|disable]
        set session-pickup-nat [enable|disable]
        set session-pickup-delay [enable|disable]
        set link-failed-signal [enable|disable]
        set uninterruptible-upgrade [enable|disable]
        set standalone-mgmt-vdom [enable|disable]
        set ha-mgmt-status [enable|disable]
        config ha-mgmt-interfaces
            Description: Reserve interfaces to manage individual cluster units.
            edit <id>
                set interface {string}
                set dst {ipv4-classnet}
                set gateway {ipv4-address}
                set gateway6 {ipv6-address}
            next
        end
        set ha-eth-type {string}
        set hc-eth-type {string}
        set l2ep-eth-type {string}
        set ha-uptime-diff-margin {integer}
        set standalone-config-sync [enable|disable]
        set logical-sn [enable|disable]
        set vcluster-id {integer}
        set override [enable|disable]
        set priority {integer}
        set override-wait-time {integer}
        set schedule [none|hub|...]
        set weight {user}
        set cpu-threshold {user}
        set memory-threshold {user}
        set http-proxy-threshold {user}
        set ftp-proxy-threshold {user}
        set imap-proxy-threshold {user}
        set nntp-proxy-threshold {user}
        set pop3-proxy-threshold {user}
        set smtp-proxy-threshold {user}
        set monitor {user}
        set pingserver-monitor-interface {user}
        set pingserver-failover-threshold {integer}
        set pingserver-secondary-force-reset [enable|disable]
        set pingserver-flip-timeout {integer}
        set vdom {user}
        set vcluster2 [enable|disable]
        config secondary-vcluster
            Description: Configure virtual cluster 2.
            set vcluster-id {integer}
            set override [enable|disable]
            set priority {integer}
            set override-wait-time {integer}
            set monitor {user}
            set pingserver-monitor-interface {user}
            set pingserver-failover-threshold {integer}
            set pingserver-secondary-force-reset [enable|disable]
            set vdom {user}
        end
        set ha-direct [enable|disable]
        set ssd-failover [enable|disable]
        set memory-compatible-mode [enable|disable]
        set memory-based-failover [enable|disable]
        set memory-failover-threshold {integer}
        set memory-failover-monitor-period {integer}
        set memory-failover-sample-rate {integer}
        set memory-failover-flip-timeout {integer}
        set failover-hold-time {integer}
    end

config system ha

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| group-id | HA group ID. Must be the same for all members. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| group-name | Cluster group name. Must be the same for all members. | string | Maximum length: 32 | |
| mode | HA mode. Must be the same for all members. FGSP requires standalone. Options: standalone (Standalone mode.); a-a (Active-active mode.); a-p (Active-passive mode.) | option | - | standalone |
| sync-packet-balance | Enable/disable HA packet distribution to multiple CPUs. Options: enable (Enable HA packet distribution to multiple CPUs.); disable (Disable HA packet distribution to multiple CPUs.) | option | - | disable |
| password | Cluster password. Must be the same for all members. | password | Not Specified | |
| key | key | password | Not Specified | |
| hbdev | Heartbeat interfaces. Must be the same for all members. | user | Not Specified | |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified | |
| route-ttl | TTL for primary unit routes. Increase to maintain active routes during failover. | integer | Minimum value: 5 Maximum value: 3600 | 10 |
| route-wait | Time to wait before sending new routes to the cluster. | integer | Minimum value: 0 Maximum value: 3600 | 0 |
| route-hold | Time to wait between routing table updates to the cluster. | integer | Minimum value: 0 Maximum value: 3600 | 10 |
| multicast-ttl | HA multicast TTL on primary. | integer | Minimum value: 5 Maximum value: 3600 | 600 |
| load-balance-all | Enable to load balance TCP sessions. Disable to load balance proxy sessions only. Options: enable (Enable load balance.); disable (Disable load balance.) | option | - | disable |
| sync-config | Enable/disable configuration synchronization. Options: enable (Enable configuration synchronization.); disable (Disable configuration synchronization.) | option | - | enable |
| encryption | Enable/disable heartbeat message encryption. Options: enable (Enable heartbeat message encryption.); disable (Disable heartbeat message encryption.) | option | - | disable |
| authentication | Enable/disable heartbeat message authentication. Options: enable (Enable heartbeat message authentication.); disable (Disable heartbeat message authentication.) | option | - | disable |
| hb-interval | Time between sending heartbeat packets. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 20 | 2 |
| hb-interval-in-milliseconds | Number of milliseconds for each heartbeat interval: 100ms or 10ms. Options: 100ms (Each heartbeat interval is 100ms.); 10ms (Each heartbeat interval is 10ms.) | option | - | 100ms |
| hb-lost-threshold | Number of lost heartbeats to signal a failure. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 60 | 6 ** |
| hello-holddown | Time to wait before changing from hello to work state. | integer | Minimum value: 5 Maximum value: 300 | 20 |
| gratuitous-arps | Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. Options: enable (Enable gratuitous ARPs.); disable (Disable gratuitous ARPs.) | option | - | enable |
| arps | Number of gratuitous ARPs. Lower to reduce traffic. Higher to reduce failover time. | integer | Minimum value: 1 Maximum value: 60 | 5 |
| arps-interval | Time between gratuitous ARPs. Lower to reduce failover time. Higher to reduce traffic. | integer | Minimum value: 1 Maximum value: 20 | 8 |
| session-pickup | Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. Options: enable (Enable session pickup.); disable (Disable session pickup.) | option | - | disable |
| session-pickup-connectionless | Enable/disable UDP and ICMP session sync. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| session-pickup-expectation | Enable/disable session helper expectation session sync for FGSP. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| session-pickup-nat | Enable/disable NAT session sync for FGSP. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| session-pickup-delay | Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| link-failed-signal | Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| uninterruptible-upgrade | Enable to upgrade a cluster without blocking network traffic. Options: enable (Enable setting.); disable (Disable setting.) | option | - | enable |
| standalone-mgmt-vdom | Enable/disable standalone management VDOM. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| ha-mgmt-status | Enable to reserve interfaces to manage individual cluster units. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| ha-eth-type | HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8890 |
| hc-eth-type | Transparent mode HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8891 |
| l2ep-eth-type | Telnet session HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8893 |
| ha-uptime-diff-margin | Normally you would only reduce this value for failover testing. | integer | Minimum value: 1 Maximum value: 65535 | 300 |
| standalone-config-sync | Enable/disable FGSP configuration synchronization. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| logical-sn | Enable/disable usage of the logical serial number. Options: enable (Enable usage of the logical serial number.); disable (Disable usage of the logical serial number.) | option | - | disable |
| vcluster-id | Cluster ID. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| override | Enable and increase the priority of the unit that should always be primary. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0 Maximum value: 255 | 128 |
| override-wait-time | Delay negotiating if override is enabled. Reduces how often the cluster negotiates. | integer | Minimum value: 0 Maximum value: 3600 | 0 |
| schedule | Type of A-A load balancing. Use none if you have external load balancers. Options: none (None.); hub (Hub.); leastconnection (Least connection.); round-robin (Round robin.); weight-round-robin (Weight round robin.); random (Random.); ip (IP.); ipport (IP port.) | option | - | round-robin |
| weight | Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. | user | Not Specified | 0 40 |
| cpu-threshold | Dynamic weighted load balancing CPU usage weight and high and low thresholds. | user | Not Specified | |
| memory-threshold | Dynamic weighted load balancing memory usage weight and high and low thresholds. | user | Not Specified | |
| http-proxy-threshold | Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. | user | Not Specified | |
| ftp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. | user | Not Specified | |
| imap-proxy-threshold | Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. | user | Not Specified | |
| nntp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. | user | Not Specified | |
| pop3-proxy-threshold | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. | user | Not Specified | |
| smtp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. | user | Not Specified | |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified | |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified | |
| pingserver-failover-threshold | Remote IP monitoring failover threshold. | integer | Minimum value: 0 Maximum value: 50 | 0 |
| pingserver-secondary-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable (Enable force reset of secondary after PING server failure.); disable (Disable force reset of secondary after PING server failure.) | option | - | enable |
| pingserver-flip-timeout | Time to wait in minutes before renegotiating after a remote IP monitoring failover. | integer | Minimum value: 6 Maximum value: 2147483647 | 60 |
| vdom | VDOMs in virtual cluster 1. | user | Not Specified | |
| vcluster2 | Enable/disable virtual cluster 2 for virtual clustering. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| ha-direct | Enable/disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow. Options: enable (Enable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager, FortiSandbox, sFlow, and Netflow.); disable (Disable using ha-mgmt interface for syslog, SNMP, remote authentication (RADIUS), FortiAnalyzer, FortiManager, FortiSandbox, sFlow, and Netflow.) | option | - | disable |
| ssd-failover * | Enable/disable automatic HA failover on SSD disk failure. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| memory-compatible-mode | Enable/disable memory compatible mode. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| memory-based-failover | Enable/disable memory based failover. Options: enable (Enable setting.); disable (Disable setting.) | option | - | disable |
| memory-failover-threshold | Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold). | integer | Minimum value: 0 Maximum value: 95 | 0 |
| memory-failover-monitor-period | Duration of high memory usage before memory based failover is triggered in seconds. | integer | Minimum value: 1 Maximum value: 300 | 60 |
| memory-failover-sample-rate | Rate at which memory usage is sampled in order to measure memory usage in seconds. | integer | Minimum value: 1 Maximum value: 60 | 1 |
| memory-failover-flip-timeout | Time to wait between subsequent memory based failovers in minutes. | integer | Minimum value: 6 Maximum value: 2147483647 | 6 |
| failover-hold-time | Time to wait before failover, to avoid flip. | integer | Minimum value: 0 Maximum value: 300 | 0 |

* This parameter may not exist in some models.

** Values may differ between models.

config ha-mgmt-interfaces

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| interface | Interface to reserve for HA management. | string | Maximum length: 15 | |
| dst | Default route destination for reserved HA management interface. | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |
| gateway | Default route gateway for reserved HA management interface. | ipv4-address | Not Specified | 0.0.0.0 |
| gateway6 | Default IPv6 gateway for reserved HA management interface. | ipv6-address | Not Specified | :: |

config secondary-vcluster

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| vcluster-id | Cluster ID. | integer | Minimum value: 0 Maximum value: 255 | 1 |
| override | Enable and increase the priority of the unit that should always be primary. Options: enable (Enable setting.); disable (Disable setting.) | option | - | enable |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0 Maximum value: 255 | 128 |
| override-wait-time | Delay negotiating if override is enabled. Reduces how often the cluster negotiates. | integer | Minimum value: 0 Maximum value: 3600 | 0 |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified | |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified | |
| pingserver-failover-threshold | Remote IP monitoring failover threshold. | integer | Minimum value: 0 Maximum value: 50 | 0 |
| pingserver-secondary-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable (Enable force reset of secondary after PING server failure.); disable (Disable force reset of secondary after PING server failure.) | option | - | enable |
| vdom | VDOMs in virtual cluster 2. | user | Not Specified | |
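
An added example, not part of the Fortinet reference and not Fortinet code: a Python audit that reads the `config system ha` block of a configuration backup, applies the `mode`, `encryption` and `authentication` defaults listed in the parameter table when a setting is absent, and reports a clustered unit whose heartbeat is left unencrypted or unauthenticated or that has no cluster password. The sample configuration, the function names, the finding wording, and the assumptions that absent settings are at their defaults and that the heartbeat checks only matter in `a-a` or `a-p` mode are constructed for illustration.

```python
import shlex

# Defaults copied from the parameter table on this page. Assumption: a setting
# missing from the block is at its default.
HA_DEFAULTS = {"mode": "standalone", "encryption": "disable", "authentication": "disable"}

# Constructed sample input, not taken from a real device.
SAMPLE_WEAK = """\
config system ha
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
        next
    end
    set priority 200
end
"""
HARDENING = ("    set password ENC constructed-placeholder\n"
             "    set encryption enable\n    set authentication enable\n")
SAMPLE_HARDENED = SAMPLE_WEAK[:-len("end\n")] + HARDENING + "end\n"


def parse_ha_block(config_text):
    """Return the top-level `set` values of the `config system ha` block."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if depth == 0:                      # still looking for the HA block
            if tokens == ["config", "system", "ha"]:
                depth = 1
            continue
        if tokens[0] == "config":           # nested table, e.g. ha-mgmt-interfaces
            depth += 1
        elif tokens[0] == "end":
            depth -= 1
            if depth == 0:
                break
        elif tokens[0] == "set" and depth == 1 and len(tokens) >= 3:
            # shlex removes the quoting used around interface and group names
            settings[tokens[1]] = " ".join(shlex.split(raw)[2:])
    return settings


def audit_ha(config_text):
    """Return (setting, message) findings for a clustered HA configuration."""
    explicit = parse_ha_block(config_text)
    effective = {**HA_DEFAULTS, **explicit}
    if effective["mode"] not in ("a-a", "a-p"):
        return []                           # assumption: nothing to review in standalone
    findings = []
    if "password" not in explicit:
        findings.append(("password", "no cluster password is set"))
    for name, what in (("encryption", "encrypted"), ("authentication", "authenticated")):
        if effective[name] != "enable":
            source = "explicit" if name in explicit else "default"
            findings.append((name, f"heartbeat messages are not {what} ({source} disable)"))
    return findings
```

`audit_ha(SAMPLE_WEAK)` reports the missing password and both heartbeat defaults, while `audit_ha(SAMPLE_HARDENED)` returns no findings.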
