HA
NOTE: The HA clustering members must be the same hardware model running the same software version. The seat license does not have to be identical.
FortiProxy high availability (HA) provides a system management solution that synchronizes configuration changes among the clustering members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among clustering members.
The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized.
HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time interval between HA heartbeats is 200 ms.
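The Ethertypes and the 200 ms default interval above are what an operator monitoring the heartbeat segment can actually check for. The following is an added example, not code from the FortiProxy documentation or product: it parses raw Ethernet frames (including 802.1Q-tagged ones), classifies those carrying the HA heartbeat Ethertypes, and reports per-source inter-arrival gaps larger than a tolerance multiple of the default interval. The sample frames, the locally administered MAC addresses and the 3x tolerance are constructed for the example.

```python
import struct
from dataclasses import dataclass

# HA heartbeat Ethertypes and default interval as stated on the page.
HA_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
DEFAULT_HB_INTERVAL_S = 0.200
ETHERTYPE_VLAN = 0x8100


@dataclass
class Frame:
    ts: float        # capture timestamp in seconds
    dst: bytes       # destination MAC (6 bytes)
    src: bytes       # source MAC (6 bytes)
    ethertype: int   # Ethertype after stripping one 802.1Q tag, if present


def parse_ethernet(ts: float, raw: bytes) -> Frame:
    """Parse an Ethernet II header; unwrap a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype == ETHERTYPE_VLAN and len(raw) >= 18:
        # bytes 14-15 are the TCI; the encapsulated Ethertype follows it
        (ethertype,) = struct.unpack("!H", raw[16:18])
    return Frame(ts, dst, src, ethertype)


def is_ha_heartbeat(frame: Frame) -> bool:
    """True if the frame uses one of the FortiProxy HA heartbeat Ethertypes."""
    return frame.ethertype in HA_HEARTBEAT_ETHERTYPES


def heartbeat_gaps(frames, interval=DEFAULT_HB_INTERVAL_S, tolerance=3):
    """Return (source MAC, gap seconds) for each heartbeat inter-arrival time
    exceeding tolerance * interval, tracked per sending cluster unit.
    The tolerance multiple is an assumption for this example."""
    last_seen = {}
    gaps = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if not is_ha_heartbeat(f):
            continue
        key = f.src.hex(":")
        if key in last_seen:
            gap = f.ts - last_seen[key]
            if gap > tolerance * interval:
                gaps.append((key, round(gap, 3)))
        last_seen[key] = f.ts
    return gaps


# --- constructed sample capture (not real FortiProxy traffic) -----------------
def _make_frame(src: bytes, ethertype: int, vlan: bool = False) -> bytes:
    dst = b"\x01\x00\x5e\x00\x00\x01"          # constructed multicast destination
    if vlan:
        return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, 0x0064, ethertype)
    return dst + src + struct.pack("!H", ethertype)


UNIT_A = b"\x02\x00\x00\x00\x00\x01"   # locally administered, constructed
UNIT_B = b"\x02\x00\x00\x00\x00\x02"   # locally administered, constructed
ETHERTYPE_ARP = 0x0806

SAMPLE_FRAMES = [
    parse_ethernet(0.0, _make_frame(UNIT_A, 0x8890)),
    parse_ethernet(0.1, _make_frame(UNIT_B, 0x8893)),
    parse_ethernet(0.2, _make_frame(UNIT_A, 0x8891, vlan=True)),
    parse_ethernet(0.3, _make_frame(UNIT_B, 0x8893)),
    parse_ethernet(0.4, _make_frame(UNIT_A, 0x8890)),
    parse_ethernet(0.5, _make_frame(UNIT_A, ETHERTYPE_ARP)),   # non-heartbeat noise
    parse_ethernet(1.4, _make_frame(UNIT_A, 0x8890)),          # 1.0 s gap for unit A
]

if __name__ == "__main__":
    for mac, gap in heartbeat_gaps(SAMPLE_FRAMES):
        print(f"heartbeat gap from {mac}: {gap:.3f} s")
```

Run against a live capture of the heartbeat interface, a gap report like this is a quick way to confirm that the vSwitch or VLAN carrying the heartbeat is actually passing these frames at the expected rate before a failover is relied on.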
Your FortiProxy device can be configured as a standalone unit or you can configure two FortiProxy devices in the Active-Passive mode for failover protection. In active-passive mode, the FortiProxy shares available seats among the HA cluster (hardware and VM) by default. The primary FortiProxy unit automatically claims all license entitlements from all members in the HA cluster (hardware or VM). When a member joins the cluster, its associated entitlements are added to the primary unit. When a member leaves the cluster, its associated entitlements are removed from the primary unit. When the primary unit goes down, the secondary device with the highest priority becomes the primary and assumes all the license entitlements.
NOTE: If you are using vSwitches:
- In Config-Sync mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, you can use the default vSwitch setting.
- In Active-Passive mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, the security setting must be the same as the heartbeat vSwitch.
To configure an HA cluster or to view the cluster member list in the GUI:
- Select System > HA.
- Configure the following settings and then click OK:
Mode
Select the mode from the drop-down menu.
Standalone—This option disables HA mode. No further configuration options are available.
Config-Sync
Active-Passive—Select this option for the root of a security fabric group for license sharing.
Device priority
You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit (HA primary) when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.
Cluster Settings
Group name
Enter a name to identify the cluster. Must be the same for all members for authentication and membership identification.
Password
Select Change to enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same for all cluster FortiProxy units before the FortiProxy units can form the HA cluster.
When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.
Monitor interfaces
Select the specific ports to monitor.
If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit.
Heartbeat Interfaces
Select to enable or disable the HA heartbeat communication for each interface in the cluster and then set the heartbeat interface priority.
The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.
Select + to enter another management interface.
Management Interface Reservation
Enable or disable the management interface reservation.
You can provide direct management access to individual cluster units by reserving a management interface as part of the HA configuration. After this management interface is reserved, you can configure a different IP address, administrative access, and other interface settings for this interface for each cluster unit.
You can also specify static routing settings for this interface. Then by connecting this interface of each cluster unit to your network, you can manage each cluster unit separately from a different IP address.
Refer to HA cluster out-of-band management for detailed instructions about configuring a management interface for an HA cluster.
Interface
Select the management interface.
Gateway
Enter the IPv4 address for the remote gateway.
IPv6 gateway
Enter the IPv6 address for the remote gateway.
Destination subnet
Enter the destination subnet.
Unicast Heartbeat
Enable the unicast HA heartbeat in virtual machine (VM) environments that do not support broadcast communication.
By default, the device notifies peers by multicasting which allows all devices sharing the same group credentials (name and password) in the LAN to join the HA group automatically.
Unicast Heartbeat Peer IP
Enter the IP address of the HA heartbeat interface of the other FortiProxy VM in the HA cluster.
To configure an HA cluster in the CLI:
config system ha
    set group-name {string}
    set password {password}
    set mode [standalone|config-sync-only|...]
    set hbdev <INTERFACE_NAME> <PRIORITY>
    set override enable
    set priority <PRIORITY>
    set unicast-hb enable
    set unicast-hb-peerip <PEER_IP>
end
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| group-name | Cluster group name. Must be the same for all members for authentication and membership identification. | string | Maximum length: 32 | |
| password | Cluster password. Must be the same for all members for authentication and membership identification. | password | Not Specified | |
| mode | HA mode. Must be the same for all members. FGSP requires standalone. | option | - | standalone |
| hbdev | Heartbeat interfaces. HA devices notify and identify each other through the heartbeat. The heartbeat interface must be the same for all members. You can also specify multiple interfaces: | user | Not Specified | |
| (Optional) override | Enable and increase the priority of the unit that should always be primary. When disabled (default), the active (primary) unit is automatically determined based on its uptime and other factors. | option | - | disable |
| (Optional) priority | Increase the priority of the unit to make it the primary unit. | integer | Minimum value: 0, Maximum value: 255 | 128 |
| (Optional) unicast-hb | Enable the unicast HA heartbeat in virtual machine (VM) environments that do not support broadcast communication. By default, the device notifies peers by multicasting, which allows all devices sharing the same group credentials (name and password) in the LAN to join the HA group automatically. | | | |
| (Optional) unicast-hb-peerip | Unicast heartbeat peer IP, which is the IP address of the HA heartbeat interface of the other FortiProxy VM in the HA cluster. | ipv4-address | Not Specified | 0.0.0.0 |
Refer to the config system ha topic in the CLI guide for more details about other available configurations for HA setup.
To view HA cluster information in the CLI:
- Run the get system ha status command to see the synchronization status of the HA cluster. For synchronized HA peers, the status should be in-sync in Configuration Status.
- Run the diag system ha status command to see the license serial number of connected peer devices.
HA multiple unicast peers
You can configure up to eight unicast Config-Sync HA clusters. Unicast configuration synchronization is supported on layer 3, allowing peers to be synchronized in cloud environments that do not support layer-2 networking. Configuring a unicast gateway allows peers to be in different subnets.
For example:
config system ha
    set mode config-sync-only
    set hbdev "port1" 50
    set override enable
    set unicast-status enable
    set unicast-gateway 10.0.0.1
    config unicast-peers
        edit 1
            set peer-ip 192.168.76.13
        next
        .........
    end
end
Note:
- Use the set unicast-hb enable command for a one-to-one unicast Active-Passive HA cluster or Config-Sync HA cluster.
- Use the set unicast-status, set unicast-gateway, and config unicast-peers commands for multiple peers in a Config-Sync HA cluster.
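The parameter table above and the multiple-unicast-peers example both come down to a handful of constraints that decide whether a cluster forms at all: group name, password, mode and heartbeat interfaces must match on every member (and members must be the same model on the same software version), the group name is at most 32 characters, the password at most 15, device priority 0 to 255, heartbeat priority 0 to 512, and at most eight unicast peers. The following is an added example, not code from the FortiProxy documentation or product, that checks candidate member settings against those limits, reports mismatches between members before they are pushed, and renders the resulting config system ha block in the style of the page's CLI examples. Assumptions: only the two mode values the page spells out (standalone, config-sync-only) are accepted, since the page elides the rest; several heartbeat interfaces are rendered on one hbdev line; the member names, model and version strings, password and addresses are constructed.

```python
# Limits stated on the page for the HA parameters.
HA_LIMITS = {
    "group_name_max": 32,
    "password_max": 15,
    "priority_range": (0, 255),
    "hbdev_priority_range": (0, 512),
    "unicast_peers_max": 8,
}
# Mode values shown on the page; the CLI's full list is elided there (assumption).
KNOWN_MODES = {"standalone", "config-sync-only"}
# Settings the page says must be identical across all members.
MUST_MATCH = ("group_name", "password", "mode", "hbdev", "model", "version")


def validate_member(m: dict) -> list:
    """Return human-readable problems for one member's HA settings."""
    problems = []
    name_len = len(m.get("group_name", ""))
    if not 1 <= name_len <= HA_LIMITS["group_name_max"]:
        problems.append(f"group-name length {name_len} outside 1..{HA_LIMITS['group_name_max']}")
    if len(m.get("password", "")) > HA_LIMITS["password_max"]:
        problems.append(f"password longer than {HA_LIMITS['password_max']} characters")
    if m.get("mode") not in KNOWN_MODES:
        problems.append(f"mode {m.get('mode')!r} not one of {sorted(KNOWN_MODES)}")
    hbdev = m.get("hbdev", [])
    if not hbdev:
        problems.append("at least one heartbeat interface is required")
    lo, hi = HA_LIMITS["hbdev_priority_range"]
    for iface, prio in hbdev:
        if not lo <= prio <= hi:
            problems.append(f"hbdev {iface} priority {prio} outside {lo}..{hi}")
    lo, hi = HA_LIMITS["priority_range"]
    prio = m.get("priority", 128)
    if not lo <= prio <= hi:
        problems.append(f"priority {prio} outside {lo}..{hi}")
    peers = m.get("unicast_peers", [])
    if len(peers) > HA_LIMITS["unicast_peers_max"]:
        problems.append(f"{len(peers)} unicast peers exceeds {HA_LIMITS['unicast_peers_max']}")
    return problems


def check_cluster(members: list) -> list:
    """Return (setting, {member: value}) for every must-match setting that differs."""
    mismatches = []
    for key in MUST_MATCH:
        seen = {m["name"]: m.get(key) for m in members}
        if len({repr(v) for v in seen.values()}) > 1:
            mismatches.append((key, seen))
    return mismatches


def render_cli(m: dict) -> str:
    """Render a member as a 'config system ha' block (multiple hbdev entries on one line: assumption)."""
    ind = "    "
    lines = [
        "config system ha",
        f'{ind}set group-name "{m["group_name"]}"',
        f'{ind}set password "{m["password"]}"',
        f'{ind}set mode {m["mode"]}',
        f'{ind}set hbdev ' + " ".join(f'"{i}" {p}' for i, p in m["hbdev"]),
        f'{ind}set priority {m.get("priority", 128)}',
    ]
    if m.get("override"):
        lines.append(f"{ind}set override enable")
    peers = m.get("unicast_peers", [])
    if peers:
        lines += [f"{ind}set unicast-status enable",
                  f'{ind}set unicast-gateway {m["unicast_gateway"]}',
                  f"{ind}config unicast-peers"]
        for idx, ip in enumerate(peers, start=1):
            lines += [f"{ind * 2}edit {idx}", f"{ind * 3}set peer-ip {ip}", f"{ind * 2}next"]
        lines.append(f"{ind}end")
    lines.append("end")
    return "\n".join(lines)


# --- constructed sample members (names, model/version strings, addresses are made up) ---
MEMBER_A = {
    "name": "fpx-a", "model": "FPX-model-X", "version": "7.x-example",
    "group_name": "fpx-cluster", "password": "Secret-15chars!", "mode": "config-sync-only",
    "hbdev": [("port1", 50)], "priority": 200, "override": True,
    "unicast_gateway": "10.0.0.1", "unicast_peers": ["192.168.76.13"],
}
MEMBER_B = {
    "name": "fpx-b", "model": "FPX-model-X", "version": "7.x-example",
    "group_name": "fpx-cluster", "password": "different", "mode": "config-sync-only",
    "hbdev": [("port1", 50)], "priority": 300,
}

if __name__ == "__main__":
    for member in (MEMBER_A, MEMBER_B):
        print(member["name"], validate_member(member) or "ok")
    print(check_cluster([MEMBER_A, MEMBER_B]))
    print(render_cli(MEMBER_A))
```

Running the checks before applying the configuration catches the two failure modes the page warns about separately: a value outside its own range on one unit, and a value that is valid on each unit but not identical across them, which is what stops the cluster from forming.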
Cache Collaboration
When deployed in a cluster, depending on the deployed architecture, requests for the same URL might have hit each cache device and been cached separately on each. Methods are available to mitigate this through load balancing with FortiADC or WCCP.
FortiProxy has the Cache Collaboration feature, where the storage of all devices within the FortiProxy HA Cluster is accessible as a shared entity. This feature allows content cached by one device to be shared by other FortiProxy devices within the cluster, significantly increasing the cache rate.
CLI syntax
config wanopt cache-service
    set prefer-senario {balance | prefer-speed | prefer-cache} // Default is balance.
    set collaboration {enable | disable} // Default is disable.
    set device-id <name>
    set acceptable-connections {any | peers} // Default is any.
end