Fortinet white logo
Fortinet white logo

CLI Reference

ha

ha

Use the config system ha command to enable and configure FortiManager high availability (HA). FortiManager HA provides a solution for a key requirement of critical enterprise management and networking components: enhanced reliability.

A FortiManager HA cluster consists of up five FortiManager units of the same FortiManager model. One of the FortiManager units in the cluster operates as a primary unit and the other one to four units operate as backup units. All of the units are visible on the network. The primary unit and the backup units can be at the same location. FortiManager HA also supports geographic redundancy so the primary unit and backup units can be in different locations attached to different networks as long as communication is possible between them (for example over the Internet, over a WAN, or through a private network).

Administrators connect to the primary unit GUI or CLI to perform FortiManager operations. The primary unit also interacts with managed FortiGate devices, and FortiSwitch devices. Managed devices connect with the primary unit for configuration backup and restore. If FortiManager is being used to distribute firmware updates and FortiGuard updates to managed devices, the managed devices can connect to the primary unit or one of the backup units.

If the primary FortiManager unit fails you must manually configure one of the backup units to become the primary unit. The new primary unit will have the same IPv4 addresses as it did when it was the backup unit. For the managed devices to automatically start using the new primary unit, you should add all of the FortiManager units in the cluster to the managed devices.

For more information, see the FortiManager Administration Guide.

Syntax

config system ha

set clusterid <clusert_ID_int>

set file-quota <integer>

set hb-interval <integer>

set hb-lost-threshold <integer>

set local-cert <string>

set mode {master | slave | standalone}

set password <passwd>

config peer

edit <peer_id_int>

set ip <peer_ipv4_address>

set ip6 <peer_ipv6_address>

set serial-number <string>

set status {enable | disable}

end

end

Variable

Description

clusterid <clusert_ID_int>

A number that identifies the HA cluster (1 - 64, default = 1).

All members of the HA cluster must have the same cluster ID. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different ID.

file-quota <integer>

Set the HA file quota, in megabytes (2048 - 20480, default = 4096).

hb-interval <integer>

The time that a cluster unit waits between sending heartbeat packets, in seconds (1 - 255, default = 5).

The heartbeat interval is also the amount of time that a cluster unit waits before expecting to receive a heartbeat packet from the other cluster unit.

hb-lost-threshold <integer>

The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed (1 - 255, default = 3).

In most cases you do not have to change the heartbeat interval or failover threshold. The default settings mean that if the a unit fails, the failure is detected after 3 x 5 or 15 seconds; resulting in a failure detection time of 15 seconds.

If the failure detection time is too short the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume that the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.

If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.

local-cert <string>

Set the local HA certificate.

mode {master | slave | standalone}

The HA mode (default = standalone ).

Select master to configure the FortiManager unit to be the primary unit in a cluster. Select slave to configure the FortiManager unit to be a backup unit in a cluster. Select standalone to stop operating in HA mode.

password <passwd>

A group password for the HA cluster. All members of the HA cluster must have the same group password. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different password (character limit: 19).

peer

Add peers to the HA configuration of the FortiManager unit.

For the primary unit, add all of the backup units as peers, up to a maximum of four.

For a backup unit, only add the primary unit as a peer.

Variables for config peer subcommand:

<peer_id_int>

Add a peer and add the peer’s IPv4 or IPv6 address and serial number.

ip <peer_ipv4_address>

Enter the IPv4 address of the peer FortiManager unit.

ip6 <peer_ipv6_address>

Enter the IPv6 address of the peer FortiManager unit.

serial-number <string>

Enter the serial number of the peer FortiManager unit.

status {enable | disable}

Enter the status of the peer FortiManager unit (default = enable).

General FortiManager HA configuration steps

The following steps assume that you are starting with four FortiManager units running the same firmware build and are set to the factory default configuration. The primary unit and the first backup unit are connected to the same network. The second and third backup units are connected to a remote network and communicate with the primary unit over the Internet.

  1. Enter the following command to configure the primary unit for HA operation.

    config system ha

    set mode master

    set password <password_str>

    set clusterid 10

    config peer

    edit 1

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    edit 2

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    edit 3

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    end

    This command configures the FortiManager unit to operate as the primary unit, adds a password, sets the clusterid to 10, and accepts defaults for the other HA settings. This command also adds the three backup units to the primary unit as peers.

  2. Enter the following command to configure the backup units for HA operation.

    config system ha

    set mode slave

    set password <password_str>

    set clusterid 10

    config peer

    edit 1

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    end

    This command configures the FortiManager unit to operate as a backup unit, adds the same password, and clusterid as the primary unit, and accepts defaults for the other HA settings. This command also adds the primary unit to the backup unit as a peer.

  3. Repeat step 2 to configure each backup unit.

ha

ha

Use the config system ha command to enable and configure FortiManager high availability (HA). FortiManager HA provides a solution for a key requirement of critical enterprise management and networking components: enhanced reliability.

A FortiManager HA cluster consists of up five FortiManager units of the same FortiManager model. One of the FortiManager units in the cluster operates as a primary unit and the other one to four units operate as backup units. All of the units are visible on the network. The primary unit and the backup units can be at the same location. FortiManager HA also supports geographic redundancy so the primary unit and backup units can be in different locations attached to different networks as long as communication is possible between them (for example over the Internet, over a WAN, or through a private network).

Administrators connect to the primary unit GUI or CLI to perform FortiManager operations. The primary unit also interacts with managed FortiGate devices, and FortiSwitch devices. Managed devices connect with the primary unit for configuration backup and restore. If FortiManager is being used to distribute firmware updates and FortiGuard updates to managed devices, the managed devices can connect to the primary unit or one of the backup units.

If the primary FortiManager unit fails you must manually configure one of the backup units to become the primary unit. The new primary unit will have the same IPv4 addresses as it did when it was the backup unit. For the managed devices to automatically start using the new primary unit, you should add all of the FortiManager units in the cluster to the managed devices.

For more information, see the FortiManager Administration Guide.

Syntax

config system ha

set clusterid <clusert_ID_int>

set file-quota <integer>

set hb-interval <integer>

set hb-lost-threshold <integer>

set local-cert <string>

set mode {master | slave | standalone}

set password <passwd>

config peer

edit <peer_id_int>

set ip <peer_ipv4_address>

set ip6 <peer_ipv6_address>

set serial-number <string>

set status {enable | disable}

end

end

Variable

Description

clusterid <clusert_ID_int>

A number that identifies the HA cluster (1 - 64, default = 1).

All members of the HA cluster must have the same cluster ID. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different ID.

file-quota <integer>

Set the HA file quota, in megabytes (2048 - 20480, default = 4096).

hb-interval <integer>

The time that a cluster unit waits between sending heartbeat packets, in seconds (1 - 255, default = 5).

The heartbeat interval is also the amount of time that a cluster unit waits before expecting to receive a heartbeat packet from the other cluster unit.

hb-lost-threshold <integer>

The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed (1 - 255, default = 3).

In most cases you do not have to change the heartbeat interval or failover threshold. The default settings mean that if the a unit fails, the failure is detected after 3 x 5 or 15 seconds; resulting in a failure detection time of 15 seconds.

If the failure detection time is too short the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume that the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.

If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.

local-cert <string>

Set the local HA certificate.

mode {master | slave | standalone}

The HA mode (default = standalone ).

Select master to configure the FortiManager unit to be the primary unit in a cluster. Select slave to configure the FortiManager unit to be a backup unit in a cluster. Select standalone to stop operating in HA mode.

password <passwd>

A group password for the HA cluster. All members of the HA cluster must have the same group password. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different password (character limit: 19).

peer

Add peers to the HA configuration of the FortiManager unit.

For the primary unit, add all of the backup units as peers, up to a maximum of four.

For a backup unit, only add the primary unit as a peer.

Variables for config peer subcommand:

<peer_id_int>

Add a peer and add the peer’s IPv4 or IPv6 address and serial number.

ip <peer_ipv4_address>

Enter the IPv4 address of the peer FortiManager unit.

ip6 <peer_ipv6_address>

Enter the IPv6 address of the peer FortiManager unit.

serial-number <string>

Enter the serial number of the peer FortiManager unit.

status {enable | disable}

Enter the status of the peer FortiManager unit (default = enable).

General FortiManager HA configuration steps

The following steps assume that you are starting with four FortiManager units running the same firmware build and are set to the factory default configuration. The primary unit and the first backup unit are connected to the same network. The second and third backup units are connected to a remote network and communicate with the primary unit over the Internet.

  1. Enter the following command to configure the primary unit for HA operation.

    config system ha

    set mode master

    set password <password_str>

    set clusterid 10

    config peer

    edit 1

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    edit 2

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    edit 3

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    end

    This command configures the FortiManager unit to operate as the primary unit, adds a password, sets the clusterid to 10, and accepts defaults for the other HA settings. This command also adds the three backup units to the primary unit as peers.

  2. Enter the following command to configure the backup units for HA operation.

    config system ha

    set mode slave

    set password <password_str>

    set clusterid 10

    config peer

    edit 1

    set ip <peer_ip_ipv4>

    set serial-number <peer_serial_str>

    next

    end

    This command configures the FortiManager unit to operate as a backup unit, adds the same password, and clusterid as the primary unit, and accepts defaults for the other HA settings. This command also adds the primary unit to the backup unit as a peer.

  3. Repeat step 2 to configure each backup unit.