<group_name>

Enter the name for the HA cluster.

Group HA settings are used only if type {group | member} is group.

<interface_name>

Enter the name of the network interface.

<member_name>

Enter the name for the FortiMail unit in the HA cluster. By default, the first entry's name is the hostname of this FortiMail unit.

action-on-failure {off | become-secondary | restore-role}

Select what the primary unit will do after it fails (if it can recover), either:

• off — Do not automatically rejoin the HA cluster. To manually rejoin it to the cluster, manually select the effective role (exec ha restore).

• become-secondary — Automatically rejoin the cluster, but the effective role becomes secondary. To restore it to acting as primary, manually select the effective role (exec ha restore).

  Tip: In most cases, you should select become-secondary.

• restore-role — Automatically rejoin the cluster, but the effective role becomes primary again.The secondary unit that was temporarily acting as primary also automatically becomes secondary again. This option may be useful if the cause of failure is temporary and rare, but may cause problems if the cause of failure is recurring, resulting in many extra role changes.

This setting applies only if role {primary | secondary} is primary.

See also the HA mode details and examples in the FortiMail Administration Guide.

add-to-bridge {enable | disable}

Enable to include the network interface in the bridge.

This setting is available only if operation-mode {gateway | server | transparent} is transparent, and if there is no virtual-ip <vip_ipv4/mask> already on the network interface.

check-interval <seconds_int>

Enter the amount of time in seconds between each try.

check-timeout <seconds_int>

Enter the amount of time in seconds to wait for a response when service monitoring tries to connect.

cluster-id <name_str>

Enter the name of the HA cluster to identify its log messages when multiple clusters send their logs to the same FortiAnalyzer unit.

comment "<comment_str>"

Enter a comment or description.

group <group_name>

Select which HA group to join.

This setting is available only if type {group | member} is group.

hb-base-port <port_int>

Enter the first of multiple port numbers (see required TCP/UDP open port numbers in the FortiMail Administration Guide) that will be used for:

• heartbeat signals
• synchronization control
• data synchronization
• configuration synchronization

Note:In addition to a lost heartbeat, other unresponsive network services and hardware failure can also be used to trigger failover. See config service and the HA heartbeat and synchronization details in the FortiMail Administration Guide.

hb-lost-threshold <seconds_int>

Enter the amount of time, in seconds, that a primary unit can be unresponsive until HA detects a failure and performs the action in action-on-failure {off | become-secondary | restore-role}.

Caution: If you have service level agreements (SLA), then you may be required to keep this time short. If the failure detection time is too long, email delivery could be delayed or fail until HA detects the failure. This reduces service uptime.

Tip: To determine the best heartbeat threshold, monitor your FortiMail unit's performance. Examine how long each high system resource usage lasts. Configure a threshold that is longer than most peak usage. This gives the secondary unit enough time to accurately confirm unresponsiveness, and avoid unnecessary failovers. (Heartbeat responses may be slow during peak load.) To monitor performance, you can use the dashboard in the GUI, system ha, or the CLI:

diagnose sys top delay 1 lines 10

heartbeat-status {enable | disable}

Enable if this network interface will listen for HA heartbeat and synchronization communications.

Note: You must enable this option on at least one of the heartbeat interfaces that you defined for the unit in ip <interface_ipv4mask> and/or ipv6 <interface_ipv6mask> . Otherwise HA will detect a failure.

Note:Don't disconnect the heartbeat link once HA is enabled. If the heartbeat is accidentally interrupted for active-passive HA mode, such as when a network cable is temporarily disconnected, the secondary unit will assume that the primary unit has failed, and become the new primary unit. If no failure has actually occurred, both FortiMail units will be operating as primary units at the same time. This can cause an IP address conflict. In active-active HA, this can disrupt configuration synchronization.

Tip: For better heartbeat reliability, create two heartbeat links: a primary and a secondary. Directly link the pair of heartbeat ports with an Ethernet crossover cable, or connect them through a dedicated local switch that is not connected to your overall network. This ensures enough bandwidth and low latency for the synchronization and heartbeat. If the heartbeat is interrupted, then a failover may occur. See the HA heartbeat and synchronization details in the FortiMail Administration Guide.

hostname <hostname_str>

Enter the hostname of the network interface that will listen for the heartbeat and synchronization.

Alternatively, to define a heartbeat interface, instead use ipv6 <interface_ipv6mask> or ip <interface_ipv4mask>.

Note: You must also bring up and then enable heartbeat-status {enable | disable} on the interface. If it is disabled, but the hostname is configured here, then HA will detect that the heartbeat link has failed.

Tip: Use a hostname to define the heartbeat interface (not an IP address) in environments where IP addresses change often, such as with VMs and containers.

Heartbeat hostnames might not be the same as the SMTP relay/proxy hostname (hostname <host_str> in mail settings) and virtual hostname for active-passive HA (virtual-hostname <hostname_str>).

ip <interface_ipv4mask>

Enter the IP address of the network interface that will listen for the heartbeat and synchronization.

Alternatively, to define a heartbeat interface, instead use ipv6 <interface_ipv6mask> or hostname <hostname_str>.

Note: You must also bring up and then enable heartbeat-status {enable | disable} on the interface. If it is disabled, but the IP address is configured here, then HA will detect that the heartbeat link has failed.

ipv6 <interface_ipv6mask>

Enter the IP address of the network interface that will listen for the heartbeat and synchronization.

Alternatively, to define a heartbeat interface, instead use ip <interface_ipv4mask> or hostname <hostname_str>.

Note: You must also bring up and then enable heartbeat-status {enable | disable} on the interface. If it is disabled, but the IP address is configured here, then HA will detect that the heartbeat link has failed.

mail-data-sync {enable | disable}

Enable if the HA cluster does not store its mail data on a NAS server, and you need to use HA communications to synchronize its system quarantine, per-recipient quarantines, email archives, email users’ preferences, and (server mode only) mailboxes.

This setting applies only if mode {active-active | active-passive} is active-passive.

Tip: You can manually initiate a data synchronization whenever significant changes occur (exec ha sync command config-sync-start).

mailqueue-data-sync {enable | disable}

Enable if you want to synchronize the mail queue with FortiMail units in the HA cluster.

This setting applies only if mode {active-active | active-passive} is active-passive.

Caution: If the primary unit experiences a hardware failure and you cannot restart it, and if this option is disabled, MTA queue directory data could be lost.

Note: If you enable this option, it can reduce performance, and is not guaranteed to prevent data loss. Mail queue directories are very dynamic. Many email could be added to the queue between each sync.

If you disable this option, data loss might not occur, either. After a failover, when the unit rejoins the cluster, a separate synchronization mechanism occurs. This often restores the mail queue. For details, see HA synchronization details in the FortiMail Administration Guide.

mode {active-active | active-passive}

Select the HA operating mode, either:

• active-active — All FortiMail units in the HA cluster process email. This increases throughput when more units join. However if any of the units fail, there may be data loss.
• active-passive — Only the primary FortiMail unit processes email, while other units stand by and keep in sync. This avoids data loss if any of the units fail. However there is no increased throughput when more units join.

See also the HA mode details and examples in the FortiMail Administration Guide.

password "<password_str>"

Enter a password for this HA cluster.

Before FortiMail units in the HA cluster synchronize with each other, they verify that they have the same password. This prevents them from accidentally synchronizing with the wrong cluster. Therefore you must enter the same HA password on all of them.

port <port-number_int>

Enter the listening port number of the service on the primary unit and (active-active HA only) secondary. See also required TCP/UDP open port numbers in the FortiMail Administration Guide.

port-monitor {enable | disable}

Enable to monitor the network interface for failure. If it fails, a failover occurs. Also configure settings in:

config service

edit local-ports

primary-backup {enable | disable}

If mode {active-active | active-passive} is active-active, then there can be many secondary units. If role {primary | secondary} is secondary, and you want the unit to become the new primary when a failure is detected, enable this setting.

Note: Usually you should have a primary backup. Otherwise configuration synchronization will be interrupted upon failure. See HA heartbeat and synchronization details in the Administration Guide.

remote-services-as-heartbeat {enable | disable}

Enable to avoid the action in action-on-failure {off | become-secondary | restore-role} if the heartbeat links (see heartbeat-status {enable | disable}) temporarily fail, but service monitoring detects that the primary unit is still available.

Also configure settings in:

config service

edit remote-smtp

edit remote-http

edit remote-imap

edit remote-pop

retries <retries_int>

Enter the number of consecutive unsuccessful tries that indicates a failure.

role {primary | secondary}

Select the role of the FortiMail unit in the HA group.

Each FortiMail unit's role in the HA cluster is not synchronized because this distinguishes the primary and secondary units.

Effects of the role vary by mode {active-active | active-passive}.

state {enable | disable}

Enable or disable this FortiMail unit to operate as part of an HA cluster.

status {enable | disable}

Enable or disable service monitoring.

Note: This setting does not exist for network interfaces. Instead use port-monitor {enable | disable}.

type {group | member}

Select the type of HA deployment, either:

• member — Multiple FortiMail units work together in one HA pair or cluster.
• group — Multiple HA clusters work together in an HA group.

For example, if you have one data center to protect, you only need one cluster. However if you have two data centers for geographic redundancy, then you can join the clusters together to form an HA group.

Depending on your throughput or failover requirements, with group HA, you can mix the HA modes. Each cluster in an HA group has its own HA mode. At the HA group level, there is also an HA mode that defines throughput or failover amongst the clusters.

virtual-ip <vip_ipv4/mask>

Enter a virtual IP address and netmask that the primary unit will have on this network interface. Upon failure detection, the secondary will become the new primary and start to use the virtual IP address.

For gateway mode and server mode deployments, DNS records should be configured to point to the virtual IP address, not physical IP addresses.See also system interface, and the HA mode details and examples in the FortiMail Administration Guide.

This setting is available only if mode {active-active | active-passive} is active-passive.

virtual-ip6 <vip_ipv6mask>

Enter the virtual IPv6 address and netmask for this interface.

This setting is available only if mode {active-active | active-passive} is active-passive.