
High Availability

High availability (HA) is required in systems where downtime must be kept to a minimum. Such systems typically include hot-swappable components, backup routes, or standby backup units, so that as soon as the active entity fails, a backup entity takes over. The result is minimal interruption for users.

Architecture

FortiIsolator provides an HA solution in which a FortiIsolator can find other member FortiIsolators, negotiate with them, and form a cluster of 2 to 255 FortiIsolator members (nodes) configured for HA operation. The cluster behaves like a single device, but always has a hot backup device available.

Configuration

The nodes in the cluster do not have to be the same model (e.g. FIS 1000F, KVM, or ESXi), and their IP addresses can differ. However, the same firmware must be installed on all nodes, and certain HA settings (shown in bold in the table below) must be identical on all nodes.

Note

When you use domain names instead of IP addresses in HA mode, make sure your DNS server has load balancing capabilities. Otherwise, all requests will go to the primary node.

GUI

Under System > HA, configure the following options.

Parameter

Description

Enable

Specifies whether to enable HA mode for this node.

Virtual IP

IP address that web browsers use to reach the cluster. Only the primary device holds the virtual IP address; it is shared among all nodes within the cluster, so every node can be reached through this same virtual IP address when accessing sites. The virtual IP address must be on the same subnet as the internal interface.

In HA mode, web browsers access the virtual IP address in the following modes:

  • IP Forwarding—The web browser first connects to the virtual IP address of the primary node, which then forwards the request to a node in the cluster (itself or a secondary node) through the internal IP address of that recipient node.

  • Proxy—The web browser connects to the virtual IP address of the primary node and keeps communicating with the primary node, which in turn connects to a node (possibly the primary node itself) on its internal IP address through a WebSocket connection. The web browser's session then runs on that node.

Priority

Priority of the node, given as an integer between 0 and 254, where 0 means the highest priority.

You must assign a unique priority ID to each node. The node with the highest priority ID automatically becomes the primary device of the HA cluster.

Group Id

A unique number that identifies the cluster. One Group ID represents one cluster, and different Group IDs represent different clusters. Group ID must be an integer between 1 and 255.

Password

Password for the group, which protects the cluster from unauthorized access.

Allow Override

Specifies whether to allow other nodes to override as a primary node when this node is primary. This option does not take effect when the node is secondary.

Group IP

Multicast IP address of the group, in the range 224.0.0.0 to 239.255.255.255.

Group Port

Port of the group IP address.

Schedule Type

  • round robin—URL requests are sent to all member nodes one by one in circular order. All requests are handled with equal priority.
  • weighted round robin—Round robin scheduling with a fixed, configured weight per node, which allows a member node to handle more than one URL request within one circular pass.

FQDN

Domain name of the HA cluster. When defined, you can log into the FortiIsolator using the domain name instead of the internal IP address of the HA cluster.

Interface Name

Name of the network interface for network traffic, such as the heartbeats to detect whether the member nodes are alive, and communication among all member nodes within the cluster.

Lost Threshold

Maximum number of successive heartbeat packets that may be missed from another node within the cluster. That node is considered failed as soon as the number of successive missed packets exceeds Lost Threshold.

Hello Holddown

Duration (in seconds) of the transition from the HA Hello state to the HA work state. This parameter accepts integers between 5 and 300.

Interval

Duration (in seconds) between two successive heartbeat packets.
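As an added illustration (not FortiIsolator code, and not a description of its internals), the following Python model ties the Priority, Allow Override, Lost Threshold, Interval and Schedule Type rows together so their interaction can be checked. It assumes the numeric convention stated above (0 is the highest priority, so the live node with the lowest priority number becomes primary, which matches the CLI output later on this page where the node with priority 67 is primary), treats Allow Override as a preemption switch on the current primary, and adds a per-node weight for weighted round robin because the page does not show where that weight is set. The node addresses and priorities are taken from the CLI example on this page; everything else is constructed.

```python
"""Added example (not FortiIsolator code): a small model of the HA behaviours
in the table above: heartbeat loss detection, primary election by priority
with Allow Override, and URL request scheduling over the surviving nodes."""
from dataclasses import dataclass


@dataclass
class Node:
    ip: str
    priority: int            # 0 = highest priority, as the Priority row states
    weight: int = 1          # requests per cycle under weighted round robin
                             # (assumed: the page does not show where weights are set)
    allow_override: bool = True
    missed: int = 0          # successive heartbeats missed from this node
    alive: bool = True


class HaCluster:
    def __init__(self, nodes, lost_threshold=10, interval=10,
                 schedule="round robin"):
        self.nodes = {n.ip: n for n in nodes}
        self.lost_threshold = lost_threshold   # Lost Threshold row
        self.interval = interval               # Interval row, in seconds
        self.schedule = schedule               # Schedule Type row
        self.primary_ip = None
        self.primary_ip = self.elect()
        self._cursor = 0

    def alive_nodes(self):
        return [n for n in self.nodes.values() if n.alive]

    def elect(self):
        """Pick the primary: the live node with the lowest priority number.
        Assumed Allow Override semantics: while the current primary is alive
        and has override disabled, no other node may take the role."""
        current = self.nodes.get(self.primary_ip)
        if current is not None and current.alive and not current.allow_override:
            return current.ip
        alive = self.alive_nodes()
        if not alive:
            return None
        return min(alive, key=lambda n: n.priority).ip

    def heartbeat(self, ip, received):
        """Account for one heartbeat interval from peer `ip`. A node is
        declared failed once its run of missed packets exceeds Lost
        Threshold. Returns True if the primary changed."""
        node = self.nodes[ip]
        if received:
            node.missed = 0
            node.alive = True
        else:
            node.missed += 1
            if node.missed > self.lost_threshold:
                node.alive = False
        new_primary = self.elect()
        changed = new_primary != self.primary_ip
        self.primary_ip = new_primary
        return changed

    def detection_time(self):
        """Seconds until a silent node is declared failed under this model."""
        return (self.lost_threshold + 1) * self.interval

    def cycle_order(self):
        """One scheduling cycle over live nodes: each node once for round
        robin, `weight` times in a row for weighted round robin."""
        order = []
        for n in sorted(self.alive_nodes(), key=lambda n: n.priority):
            repeat = n.weight if self.schedule == "weighted round robin" else 1
            order.extend([n.ip] * repeat)
        return order

    def dispatch(self, count):
        """Assign `count` URL requests, continuing the circular order."""
        order = self.cycle_order()
        if not order:
            return []
        assigned = []
        for _ in range(count):
            assigned.append(order[self._cursor % len(order)])
            self._cursor += 1
        return assigned


def page_nodes():
    """Fresh node set using the addresses and priorities from this page's
    CLI output; the weight on .68 is constructed for the weighted example."""
    return [Node("172.30.157.67", 67), Node("172.30.157.68", 68, weight=2),
            Node("172.30.157.69", 69), Node("172.30.157.72", 72)]


if __name__ == "__main__":
    cluster = HaCluster(page_nodes())
    print("primary:", cluster.primary_ip, "failure detected after",
          cluster.detection_time(), "s")
    for _ in range(cluster.lost_threshold + 1):
        cluster.heartbeat("172.30.157.67", received=False)
    print("after primary loss:", cluster.primary_ip, cluster.dispatch(6))
```

The detection_time value is the number worth checking when sizing a cluster: with the values shown in the CLI output later on this page (lost-threshold 10, interval 10), this model declares a silent primary failed only after 110 seconds, so browser sessions on that node are interrupted for at least that long before the next node is elected.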

The following is an example of an HA cluster setup. After you apply the HA settings, reboot the FortiIsolator and close all existing tabs before opening new ones to avoid any web page display issues.

To verify HA cluster information, go to the Dashboard of the GUI and check the HA Cluster Information section. See example below.

CLI

To configure HA from CLI:

set ha-enabled 1
set ha-virtual-ip 172.30.157.99
set ha-priority 2
set ha-group-id 31
set ha-interface mgmt
set ha-password password

To verify HA cluster information from CLI:

show ha-all

enabled : Enabled
gid : 11
lost-threshold : 10
interval : 10
holddown : 5
priority : 68
allow-override : 0
schedule : Round Robin
vip : 172.30.157.99
password : ffff18ff28ff38ffff60ff3678ff2e03
interface : mgmt
ha-group-ip : 239.0.0.1
ha-group-port : 5001

Cluster Information
Number of Machine : 4
Primary node
(Primary) IP Priority running session
172.30.157.67 : 67 0
Secondary node Priority running session
172.30.157.68 : 68 0
172.30.157.69 : 69 0
172.30.157.72 : 72 0
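The following Python checker is an added example, not a FortiIsolator tool. It parses the key : value lines of show ha-all output collected from each node and applies the constraints listed in the configuration table (Group ID 1 to 255, Priority 0 to 254 and unique per node, Hello Holddown 5 to 300, Group IP in the multicast range, Virtual IP on the internal subnet). Because the bold marking in the table did not survive on this page, the set of settings that must match on every node (SHARED_KEYS) is an assumption, as is the internal interface address in CIDR form that the caller passes in to verify the Virtual IP subnet rule. The sample outputs are constructed in the format of the CLI example above, with two nodes deliberately misconfigured.

```python
"""Added example (not FortiIsolator code): parse `show ha-all` output from
several nodes and check it against the rules in the HA configuration table."""
import ipaddress
import re

# Settings assumed to require identical values on every node in the cluster
# (the table's bold marking did not survive on the page, so this is a guess).
SHARED_KEYS = ("gid", "password", "ha-group-ip", "ha-group-port", "vip",
               "schedule", "lost-threshold", "interval", "holddown")

# Group IP must be multicast: 224.0.0.0 to 239.255.255.255
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def sample_output(overrides=None):
    """Build a constructed `show ha-all` text in the page's format."""
    base = {
        "enabled": "Enabled", "gid": "11", "lost-threshold": "10",
        "interval": "10", "holddown": "5", "priority": "67",
        "allow-override": "0", "schedule": "Round Robin",
        "vip": "172.30.157.99",
        "password": "ffff18ff28ff38ffff60ff3678ff2e03",  # value as displayed on the page
        "interface": "mgmt", "ha-group-ip": "239.0.0.1", "ha-group-port": "5001",
    }
    base.update(overrides or {})
    return "".join(f"{k} : {v}\n" for k, v in base.items())


# Constructed outputs: .68 has the wrong group id and reuses priority 67;
# .69 has a unicast group IP and a virtual IP outside the internal subnet.
SAMPLE = {
    "172.30.157.67": sample_output(),
    "172.30.157.68": sample_output({"gid": "12"}),
    "172.30.157.69": sample_output({"priority": "69", "vip": "10.0.0.99",
                                    "ha-group-ip": "192.168.1.1"}),
}


def parse_ha_all(text):
    """Turn 'key : value' lines into a dict; the cluster table is ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def validate_node(cfg, internal_if):
    """Check one node against the documented ranges. `internal_if` is the
    node's internal interface address in CIDR form, e.g. '172.30.157.67/24'."""
    problems = []

    def in_range(key, lo, hi):
        try:
            v = int(cfg[key])
        except (KeyError, ValueError):
            problems.append(f"{key}: missing or not an integer")
            return
        if not lo <= v <= hi:
            problems.append(f"{key}={v}: outside {lo}-{hi}")

    in_range("gid", 1, 255)
    in_range("priority", 0, 254)
    in_range("holddown", 5, 300)
    in_range("ha-group-port", 1, 65535)
    try:
        if ipaddress.ip_address(cfg.get("ha-group-ip", "")) not in MULTICAST:
            problems.append(f"ha-group-ip={cfg['ha-group-ip']}: not a multicast address")
    except ValueError:
        problems.append("ha-group-ip: invalid address")
    try:
        subnet = ipaddress.ip_interface(internal_if).network
        if ipaddress.ip_address(cfg.get("vip", "")) not in subnet:
            problems.append(f"vip={cfg.get('vip')}: not in internal subnet {subnet}")
    except ValueError:
        problems.append("vip: invalid address")
    return problems


def check_cluster(configs):
    """`configs` maps node IP -> parsed dict. Flags shared settings that
    differ between nodes and priorities that are not unique."""
    problems = []
    for key in SHARED_KEYS:
        values = {ip: cfg.get(key) for ip, cfg in configs.items()}
        if len(set(values.values())) > 1:
            problems.append(f"{key} differs: {values}")
    seen = {}
    for ip, cfg in configs.items():
        p = cfg.get("priority")
        if p in seen:
            problems.append(f"priority {p} used by both {seen[p]} and {ip}")
        else:
            seen[p] = ip
    return problems


def audit_cluster(outputs, internal_ifs):
    """Run both checks over raw outputs; returns one finding per line."""
    cfgs = {ip: parse_ha_all(text) for ip, text in outputs.items()}
    findings = []
    for ip, cfg in cfgs.items():
        findings += [f"{ip}: {p}" for p in validate_node(cfg, internal_ifs[ip])]
    return findings + check_cluster(cfgs)


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE, {ip: f"{ip}/24" for ip in SAMPLE}):
        print(finding)
```

Run it against real output by pasting each node's show ha-all text into the SAMPLE mapping; the password line is compared as displayed, so a node joined with a different group password shows up as a mismatch without the password itself being needed.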

Database

FortiIsolator saves the following HA-related information and configuration in an internal database:

By default, FortiIsolator saves this information in an internal database on the primary node, which is synchronized to the database of every secondary node each time the primary node's data changes. Each secondary node then reads from its own local database. To avoid the performance overhead of multiple databases running concurrently, you can set up a dedicated database server for the whole system:

  1. Configure a node to be the dedicated database server by running the set remote-database-enabled 1 command.
  2. Connect to the dedicated database server by running the set database-server <server IP> 6397 <server name> <server password> command on each node that you want to connect to the database.
  3. Verify the server connection by running the show database-server command.

Batch Upgrade

FortiIsolator supports batch upgrade in HA mode. Upgrading one FortiIsolator appliance or VM in the cluster automatically upgrades all FortiIsolator appliances or VMs in the cluster. Each appliance or VM reboots automatically after it is upgraded; the appliance or VM that triggered the batch upgrade is upgraded last. The reboot might take a few minutes.

For more information about how to upgrade a FortiIsolator appliance or VM, see Upgrade.
