HA virtual cluster setup
Virtual clustering provides failover protection between two instances of one or more VDOMs operating on two FortiProxies that are in a virtual cluster. A standard virtual cluster consists of FortiProxies that are operating in active-passive HA mode with multiple VDOMs enabled.
Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiProxy and traffic for other VDOMs to the secondary FortiProxies. Traffic distribution between FortiProxies can potentially improve throughput. If a failure occurs and only one FortiProxy continues to operate, all traffic fails over to that FortiProxy, similar to normal HA. If the failed FortiProxies rejoin the cluster, the configured traffic distribution is restored.
In an active-passive virtual cluster of two FortiProxies, the first and second FortiProxies share traffic processing according to the VDOM partitioning configuration. If you add a third or fourth FortiProxy, the first and second FortiProxies process all traffic and the other one or two FortiProxies operate in standby mode. If the first or second FortiProxy fails, one of the other FortiProxies becomes the new primary or secondary FortiProxy and begins processing traffic.
Separation of VDOM traffic
Virtual clustering creates a cluster between instances of each VDOM on the two FortiProxies in the virtual cluster. All traffic to and from a given VDOM is sent to one of the FortiProxies where it stays within its VDOM and is only processed by that VDOM. One FortiProxy is the primary FortiProxy for each VDOM and one FortiProxy is the secondary FortiProxy for each VDOM. The primary FortiProxy processes all traffic for its VDOMs; the secondary FortiProxy processes all traffic for its VDOMs.
Virtual clustering and heartbeat interfaces
The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.
Example
This example shows a virtual cluster configuration consisting of two FortiProxies. The virtual cluster has two VDOMs, Root and End_vdm.
The root VDOM can only be associated with virtual cluster 1. |
To set up an HA virtual cluster using the GUI:
- Make all the necessary connections as shown in the topology diagram.
- Log into one of the FortiProxies.
- Go to System > HA and set the following options:
Mode
Active-Passive
Device priority
128 or higher
Group name
Example_cluster
Heartbeat interfaces
ha1 and ha2
Except for the device priority, these settings must be the same on all FortiProxies in the cluster.
- Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
- Click OK.
The FortiProxy negotiates to establish an HA cluster. Connectivity with the FortiProxy may be temporarily lost as the HA cluster negotiates and changes the MAC addresses of the FortiProxy's interfaces.
- Factory reset the other FortiProxy that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.
- Go to System > Settings and enable Virtual Domains.
- Click Apply. You will be logged out of the FortiProxy.
- Log back into the FortiProxy, ensure that you are in the global VDOM, and go to System > VDOM.
- Create two new VDOMs, such as VD1 and VD2:
- Click Create New. The New Virtual Domain page opens.
- Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
- Repeat these steps to create a second new VDOM.
- Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
- Go to System > HA.
- Enable VDOM Partitioning.
- Click on the Virtual cluster 2 field and select the new VDOMs.
- Click OK.
To set up an HA virtual cluster using the CLI:
- Make all the necessary connections as shown in the topology diagram.
- Set up a regular A-P cluster. See HA.
- Enable VDOMs:
config system global set vdom-mode multi-vdom end
You will be logged out of the FortiProxy.
- Create two VDOMs:
config vdom edit VD1 next edit VD2 next end
- Reconfigure the HA settings to be a virtual cluster:
config global config system ha set vcluster2 enable config secondary-vcluster set vdom "VD1" "VD2" end end end