Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Using a shared IP address (Layer 2)

Network infrastructure

  • Configure all network devices to send traps to both the primary and secondary FortiNAC server IP addresses.
  • Configure RADIUS servers to use both the primary and secondary addresses.
  • If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

  • If the primary and secondary servers are running on the same subnet and use a shared IP address, make sure that the Persistent Agent and all other features use the shared IP or host name. Refer to the Help on Persistent Agent Properties.
  • In a high availability configuration changes to the database on the primary server are replicated immediately to the secondary server. If the latency is too long and/or the bandwidth between redundant servers is not sufficient, the secondary may not have all of the database changes made on the primary when a failover occurs. It is impossible to predetermine the network requirement due to the fact that it will vary based on product usage and load. The follow formula can be used to calculate your specific network bandwidth requirements.

The starting latency and bandwidth recommendations are as follows:

  • latency between remote data nodes must not exceed 20 milliseconds
  • bandwidth of the network link must be a minimum of 4.8 Mbps

Your usage of the product will impact the network requirements. Fortinet recommends using the "Database Replication Error" event and the corresponding alarm action to notify administrators when an error occurs. There are two possible caused, first there was a momentary network outage that caused the failure. If the event happens continuously then network speed of the must be increased.

Appliance configuration

  • Make sure all appliances have a license key that includes high availability and that all appliances have matching licenses.
  • Use the Configuration Wizard to configure each of the appliances. Refer to the Appliance Installation Guide that comes with the appliances for information on using the Configuration Wizard.
  • Establish the address to use as the Shared IP address (optional) and the IP addresses for the primary and secondary appliances. This enables communication with the other appliances in the high availability configuration.
  • Go to the Administration - High Availability tab and configure IP addresses and communication between appliances. See Primary and secondary configuration.
  • Apply the configuration to restart your appliances. This replicates the database on the secondary and copies any necessary files. Portal pages are copied every 10 minutes.

    If you are using DHCP Management in a high availability environment, the ports to which the DHCP Interfaces connect must be added to the System DHCP Port group. Refer to Help on Modifying a Group. In the event of a failover, it is important that these fields be setup correctly or DHCP monitoring will not run.

  • Ensure that the DHCP plugins on both the primary and secondary are configured.

Using a shared IP address (Layer 2)

Network infrastructure

  • Configure all network devices to send traps to both the primary and secondary FortiNAC server IP addresses.
  • Configure RADIUS servers to use both the primary and secondary addresses.
  • If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

  • If the primary and secondary servers are running on the same subnet and use a shared IP address, make sure that the Persistent Agent and all other features use the shared IP or host name. Refer to the Help on Persistent Agent Properties.
  • In a high availability configuration changes to the database on the primary server are replicated immediately to the secondary server. If the latency is too long and/or the bandwidth between redundant servers is not sufficient, the secondary may not have all of the database changes made on the primary when a failover occurs. It is impossible to predetermine the network requirement due to the fact that it will vary based on product usage and load. The follow formula can be used to calculate your specific network bandwidth requirements.

The starting latency and bandwidth recommendations are as follows:

  • latency between remote data nodes must not exceed 20 milliseconds
  • bandwidth of the network link must be a minimum of 4.8 Mbps

Your usage of the product will impact the network requirements. Fortinet recommends using the "Database Replication Error" event and the corresponding alarm action to notify administrators when an error occurs. There are two possible caused, first there was a momentary network outage that caused the failure. If the event happens continuously then network speed of the must be increased.

Appliance configuration

  • Make sure all appliances have a license key that includes high availability and that all appliances have matching licenses.
  • Use the Configuration Wizard to configure each of the appliances. Refer to the Appliance Installation Guide that comes with the appliances for information on using the Configuration Wizard.
  • Establish the address to use as the Shared IP address (optional) and the IP addresses for the primary and secondary appliances. This enables communication with the other appliances in the high availability configuration.
  • Go to the Administration - High Availability tab and configure IP addresses and communication between appliances. See Primary and secondary configuration.
  • Apply the configuration to restart your appliances. This replicates the database on the secondary and copies any necessary files. Portal pages are copied every 10 minutes.

    If you are using DHCP Management in a high availability environment, the ports to which the DHCP Interfaces connect must be added to the System DHCP Port group. Refer to Help on Modifying a Group. In the event of a failover, it is important that these fields be setup correctly or DHCP monitoring will not run.

  • Ensure that the DHCP plugins on both the primary and secondary are configured.