Fortinet white logo
Fortinet white logo

Administration Guide

High Availability

High Availability

High availability (HA) is usually required in a system where there is high demand for little downtime. There are usually hot-swaps, backup routes, or standby backup units and as soon as the active entity fails, backup entities will start functioning. This results in minimal interruption for the users.

FortiIsolator provides an HA solution whereby FortiIsolator can find other member FortiIsolators to negotiate and create a cluster. A FortiIsolator HA cluster consists of at least two FortiIsolator (members) configured for HA operation. All FortiIsolators in the cluster do not need to be the same model (e.g. FIS 1000F, KVM, or ESXi), but they have to had the same firmware installed. Cluster members must have the same configuration, except for their IP address and priority in the HA settings. The cluster works like a device but always has a hot backup device.

How it works

FortiIsolator allows each HA cluster to have up to 255 HA nodes. Each node must have the same settings for:

  • Virtual IP
  • Group ID
  • Password
  • Schedule Type
  • Interface Name
  • Lost Threshold
  • Hello Holddown
  • Interval

Each node must be assigned a unique priority ID, from 0 to 255, where 0 is the highest priority. The node with the highest priority ID in the cluster will be the master device for that HA cluster.

FortiIsolator currently saves HA-related information and configuration into an internal database. The database will be synchronized from master to slaves every time the master has changes.

The HA-related information that is saved into the database includes:

  • User Groups (Group Name, Group Policy Name)
  • Isolator profile (Isolator Profile Name, Max Download Size, Max Upload Size, Limit of view only, Image Quality, Video Frame Rate, Use doc-rewrite when scanning file, Scan files for malware, Permit for Right-Click, Send file to FortiSandbox, FortiSandbox IP, FortiSandbox Administrator Name, and FortiSandbox Password)
  • Web Filter profile (Web Filter profile name, actions of Web Filter category, white list, black list)
  • ICAP Profile (ICAP Profile Name, IP address, Port number, Service, Action when server fails)
  • Default policy (Default Isolator Profile Name, Default Web Filter Profile Name, Default ICAP Profile Name)
  • Agent server (Agent Server ID, Enable/Disable, IP address, Port number, Password for Agent server)
  • Polling server (Polling Server ID, Enable/Disable, IP address, Domain name, Port number, Username, Password, Max History, Frequency)

In an HA cluster, when making changes to any of these settings, all information will be saved into the master device, then synchronized to all slave devices. After this, only the master device's database is able to write. All slave devices will read from the master database and update to their own databases. Thus, all devices can read from their own database locally.

FortiIsolator uses HA interface/port for database synchronization and heartbeat. HA interface/port is designed for better performance purpose, but it can choose other interface/port as well.

The VIP address will be put on interface, so it has to be the same subnet as internal interface. This is the IP for the web browsers access. Only the master device has VIP.

In HA mode, all web browsers will access VIP address, through IP Forwarding mode or Proxy mode:

1. IP Forwarding mode:

Web browser connects to VIP of master device first. Master receives request, forwards it to a node in the cluster immediately. The node can be itself (master) or any other nodes (slave). So after the first request to VIP, all the following requests are sent to an internal IP of a node in the cluster, which includes the master and all slaves.

2. Proxy mode:

Web browser connects to VIP of master device, and it will keep communicating (talking) to master. The master device web socket connection will connect to each cluster, including itself (master) or any of other nodes (slaves), on their internal IP. Then the corresponding web browser will run in that node.

Example

The following is an example of an HA Cluster setup.

To configure HA (Slave) from CLI:

set ha-enabled 1

set ha-virtual-ip 172.30.157.99

set ha-priority 2

set ha-group-id 31

set ha-interface mgmt

set ha-password password

Verify HA Cluster Information in Master node from GUI - Dashboard:

Verify HA Cluster Information in Master node from CLI:

show ha-all

enabled : Enabled

gid : 31

lost threshold : 10

interval : 10

holddown : 5

priority : 1

allow override : 0

schedule : Round Robin

vip : 172.30.157.99

password : ffff18ff28ff38ffff60ff3678ff2e03

interface : mgmt

Cluster Information

Number of Slave : 1

Is Master : Yes

(Slaves)IP Priority

172.30.157.32 : 2

Verify HA Cluster Information in Slave node from GUI - Dashboard:

Verify HA Cluster Information in Slave node from CLI:

show ha-all

enabled : Enabled

gid : 31

lost threshold : 10

interval : 10

holddown : 5

priority : 2

allow override : 0

schedule : Round Robin

vip : 172.30.157.99

password : ffff18ff28ff38ffff60ff3678ff2e03

interface : mgmt

Cluster Information

Number of Slave : 1

Is Master : No

(Master)IP Priority

172.30.157.31 : 1

(Slaves)IP Priority

High Availability

High Availability

High availability (HA) is usually required in a system where there is high demand for little downtime. There are usually hot-swaps, backup routes, or standby backup units and as soon as the active entity fails, backup entities will start functioning. This results in minimal interruption for the users.

FortiIsolator provides an HA solution whereby FortiIsolator can find other member FortiIsolators to negotiate and create a cluster. A FortiIsolator HA cluster consists of at least two FortiIsolator (members) configured for HA operation. All FortiIsolators in the cluster do not need to be the same model (e.g. FIS 1000F, KVM, or ESXi), but they have to had the same firmware installed. Cluster members must have the same configuration, except for their IP address and priority in the HA settings. The cluster works like a device but always has a hot backup device.

How it works

FortiIsolator allows each HA cluster to have up to 255 HA nodes. Each node must have the same settings for:

  • Virtual IP
  • Group ID
  • Password
  • Schedule Type
  • Interface Name
  • Lost Threshold
  • Hello Holddown
  • Interval

Each node must be assigned a unique priority ID, from 0 to 255, where 0 is the highest priority. The node with the highest priority ID in the cluster will be the master device for that HA cluster.

FortiIsolator currently saves HA-related information and configuration into an internal database. The database will be synchronized from master to slaves every time the master has changes.

The HA-related information that is saved into the database includes:

  • User Groups (Group Name, Group Policy Name)
  • Isolator profile (Isolator Profile Name, Max Download Size, Max Upload Size, Limit of view only, Image Quality, Video Frame Rate, Use doc-rewrite when scanning file, Scan files for malware, Permit for Right-Click, Send file to FortiSandbox, FortiSandbox IP, FortiSandbox Administrator Name, and FortiSandbox Password)
  • Web Filter profile (Web Filter profile name, actions of Web Filter category, white list, black list)
  • ICAP Profile (ICAP Profile Name, IP address, Port number, Service, Action when server fails)
  • Default policy (Default Isolator Profile Name, Default Web Filter Profile Name, Default ICAP Profile Name)
  • Agent server (Agent Server ID, Enable/Disable, IP address, Port number, Password for Agent server)
  • Polling server (Polling Server ID, Enable/Disable, IP address, Domain name, Port number, Username, Password, Max History, Frequency)

In an HA cluster, when making changes to any of these settings, all information will be saved into the master device, then synchronized to all slave devices. After this, only the master device's database is able to write. All slave devices will read from the master database and update to their own databases. Thus, all devices can read from their own database locally.

FortiIsolator uses HA interface/port for database synchronization and heartbeat. HA interface/port is designed for better performance purpose, but it can choose other interface/port as well.

The VIP address will be put on interface, so it has to be the same subnet as internal interface. This is the IP for the web browsers access. Only the master device has VIP.

In HA mode, all web browsers will access VIP address, through IP Forwarding mode or Proxy mode:

1. IP Forwarding mode:

Web browser connects to VIP of master device first. Master receives request, forwards it to a node in the cluster immediately. The node can be itself (master) or any other nodes (slave). So after the first request to VIP, all the following requests are sent to an internal IP of a node in the cluster, which includes the master and all slaves.

2. Proxy mode:

Web browser connects to VIP of master device, and it will keep communicating (talking) to master. The master device web socket connection will connect to each cluster, including itself (master) or any of other nodes (slaves), on their internal IP. Then the corresponding web browser will run in that node.

Example

The following is an example of an HA Cluster setup.

To configure HA (Slave) from CLI:

set ha-enabled 1

set ha-virtual-ip 172.30.157.99

set ha-priority 2

set ha-group-id 31

set ha-interface mgmt

set ha-password password

Verify HA Cluster Information in Master node from GUI - Dashboard:

Verify HA Cluster Information in Master node from CLI:

show ha-all

enabled : Enabled

gid : 31

lost threshold : 10

interval : 10

holddown : 5

priority : 1

allow override : 0

schedule : Round Robin

vip : 172.30.157.99

password : ffff18ff28ff38ffff60ff3678ff2e03

interface : mgmt

Cluster Information

Number of Slave : 1

Is Master : Yes

(Slaves)IP Priority

172.30.157.32 : 2

Verify HA Cluster Information in Slave node from GUI - Dashboard:

Verify HA Cluster Information in Slave node from CLI:

show ha-all

enabled : Enabled

gid : 31

lost threshold : 10

interval : 10

holddown : 5

priority : 2

allow override : 0

schedule : Round Robin

vip : 172.30.157.99

password : ffff18ff28ff38ffff60ff3678ff2e03

interface : mgmt

Cluster Information

Number of Slave : 1

Is Master : No

(Master)IP Priority

172.30.157.31 : 1

(Slaves)IP Priority