Administration Guide

Configuring HA options

To configure HA options, go to System Settings > HA. Use the Cluster Settings pane to configure FortiManager units to create an HA cluster or to change the cluster configuration.

To configure a cluster, set the Operation Mode of the primary unit to Primary and the modes of the backup units to Secondary. Then add the IP address and serial number of each backup unit to the primary unit's peer list. The IP address and serial number of the primary unit must be added to each backup unit's HA configuration. The primary unit and all backup units must have the same Cluster ID and Group Password.

You can connect to the primary unit GUI to work with FortiManager. Using configuration synchronization, you can configure and work with the cluster in the same way as you would work with a standalone FortiManager unit.

Configure the following settings:

Cluster Status

Monitor FortiManager HA status. See Monitoring HA status.

SN

The serial number of the device.

Mode

The high availability mode, either Primary or Secondary.

IP

The IP address of the device.

Enable

Shows if the peer is currently enabled.

Module Data Synchronized

Module data synchronized in bytes.

Pending Module Data

Pending module data in bytes.

Cluster Settings

Operation Mode

Select Primary to configure the FortiManager unit to be the primary unit in a cluster.

Select Secondary to configure the FortiManager unit to be a backup unit in a cluster.

Select Standalone to stop operating in HA mode.

Peer IP

Select the peer IP version from the dropdown list, either IPv4 or IPv6. Then, type the IP address of another FortiManager unit in the cluster. For the primary unit you can add up to four Peer IP addresses for up to four backup units. For a backup unit you can only add the IP address of the primary unit.

Peer SN

Type the serial number of the FortiManager unit corresponding to the entered IP address.

Cluster ID

A number between 1 and 64 that identifies the HA cluster. All members of the HA cluster must have the same cluster ID. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different cluster ID. The FortiManager GUI browser window title changes to include the cluster ID when the FortiManager unit is operating in HA mode.

Group Password

A password for the HA cluster. All members of the HA cluster must have the same password.

If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different password. The maximum password length is 19 characters.

File Quota

Enter the file quota, from 2048 to 20480 MB (default: 4096 MB).

You cannot configure the file quota for backup units.

Heart Beat Interval

The time the primary unit waits between sending heartbeat packets, in seconds. The heartbeat interval is also the amount of time that backup units wait before expecting to receive a heartbeat packet from the primary unit.

The default heartbeat interval is 5 seconds. The heartbeat interval range is 1 to 255 seconds. You cannot configure the heartbeat interval on the backup units.

Failover Threshold

The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed. The default failover threshold is 3. The failover threshold range is 1 to 255. You cannot configure the failover threshold of the backup units.

In most cases you do not have to change the heartbeat interval or failover threshold. With the default settings, if a unit fails, the failure is detected after 3 x 5 seconds, resulting in a failure detection time of 15 seconds.

If the failure detection time is too short, the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.

If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.

Download Debug Log

Select to download the HA debug log file to the management computer.
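
As an added illustration (not Fortinet code), the following Python example audits a planned cluster against the rules in the settings above and computes the failure detection time. The dictionary keys, IP addresses, serial numbers and password are assumptions constructed for the example.

```python
# Added example: audit a planned FortiManager HA cluster against this page's rules.
# Dictionary keys are hypothetical names, not FortiManager CLI or API fields.

def failure_detection_time(hb_interval=5, failover_threshold=3):
    """Seconds before a silent unit is declared failed (threshold x interval)."""
    return hb_interval * failover_threshold

def audit_cluster(units):
    """Return a list of findings; an empty list means the plan is consistent."""
    primaries = [u for u in units if u["mode"] == "Primary"]
    backups = [u for u in units if u["mode"] == "Secondary"]
    if len(primaries) != 1:
        return ["exactly one unit must be in Primary mode"]
    p, out = primaries[0], []
    if len(backups) > 4:
        out.append("primary accepts at most four backup peers")
    # The primary lists every backup's IP and SN; each backup lists only the primary.
    if set(p["peers"]) != {(b["ip"], b["sn"]) for b in backups}:
        out.append("primary peer list does not match the backup units")
    for b in backups:
        if b["peers"] != [(p["ip"], p["sn"])]:
            out.append(f"{b['sn']}: peer must be the primary's IP and SN only")
    for u in units:
        if u["cluster_id"] != p["cluster_id"] or not 1 <= u["cluster_id"] <= 64:
            out.append(f"{u['sn']}: Cluster ID must match the primary and be 1-64")
        if u["password"] != p["password"] or len(u["password"]) > 19:
            out.append(f"{u['sn']}: Group Password must match, max 19 characters")
    # These three settings are configurable on the primary only.
    if not 2048 <= p["file_quota_mb"] <= 20480:
        out.append("File Quota must be 2048-20480 MB")
    if not 1 <= p["hb_interval"] <= 255:
        out.append("Heart Beat Interval must be 1-255 seconds")
    if not 1 <= p["failover_threshold"] <= 255:
        out.append("Failover Threshold must be 1-255")
    return out

# Constructed sample plan (documentation-range IPs, made-up serial numbers).
PRIMARY = {"mode": "Primary", "ip": "192.0.2.10", "sn": "SN-PRIMARY-EXAMPLE",
           "cluster_id": 7, "password": "constructed-secret", "file_quota_mb": 4096,
           "hb_interval": 5, "failover_threshold": 3,
           "peers": [("192.0.2.11", "SN-BACKUP-EXAMPLE")]}
BACKUP = {"mode": "Secondary", "ip": "192.0.2.11", "sn": "SN-BACKUP-EXAMPLE",
          "cluster_id": 7, "password": "constructed-secret",
          "peers": [("192.0.2.10", "SN-PRIMARY-EXAMPLE")]}

if __name__ == "__main__":
    print(audit_cluster([PRIMARY, BACKUP]) or "plan is consistent")
    print("failure detection time:", failure_detection_time(5, 3), "seconds")
```

The findings name units by serial number and never echo the Group Password, so the output can be attached to a change ticket.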
