config system ha
Configure HA.
config system ha Description: Configure HA. set group-id {integer} set group-name {string} set mode [standalone|config-sync-only|...] set sync-packet-balance [enable|disable] set password {password} set key {password} set hbdev {user} set unicast-hb [enable|disable] set unicast-hb-peerip {ipv4-address} set unicast-hb-netmask {ipv4-netmask} set session-sync-dev {user} set route-ttl {integer} set route-wait {integer} set route-hold {integer} set multicast-ttl {integer} set encryption [enable|disable] set authentication [enable|disable] set hb-interval {integer} set hb-interval-in-milliseconds [100ms|10ms] set hb-lost-threshold {integer} set hello-holddown {integer} set gratuitous-arps [enable|disable] set arps {integer} set arps-interval {integer} set link-failed-signal [enable|disable] set uninterruptible-upgrade [enable|disable] set sequential-upgrade [enable|disable] set uninterruptible-primary-wait {integer} set primary-hold-before-reboot {integer} set ha-mgmt-status [enable|disable] config ha-mgmt-interfaces Description: Reserve interfaces to manage individual cluster units. edit <id> set interface {string} set dst {ipv4-classnet} set gateway {ipv4-address} set gateway6 {ipv6-address} next end set ha-uptime-diff-margin {integer} set unicast-status [enable|disable] set unicast-gateway {ipv4-address} config unicast-peers Description: Number of unicast peers. edit <id> set peer-ip {ipv4-address} next end set logical-sn [enable|disable] set weight {user} set cpu-threshold {user} set memory-threshold {user} set http-proxy-threshold {user} set ftp-proxy-threshold {user} set imap-proxy-threshold {user} set nntp-proxy-threshold {user} set pop3-proxy-threshold {user} set smtp-proxy-threshold {user} set override [enable|disable] set priority {integer} set override-wait-time {integer} set monitor {user} set pingserver-monitor-interface {user} set pingserver-failover-threshold {integer} set pingserver-secondary-force-reset [enable|disable] set pingserver-flip-timeout {integer} set vcluster-status [enable|disable] config vcluster Description: Virtual cluster table. edit <vcluster-id> set override [enable|disable] set priority {integer} set override-wait-time {integer} set monitor {user} set pingserver-monitor-interface {user} set pingserver-failover-threshold {integer} set pingserver-secondary-force-reset [enable|disable] set vdom <name1>, <name2>, ... next end set ha-direct [enable|disable] set ssd-failover [enable|disable] set memory-compatible-mode [enable|disable] set memory-based-failover [enable|disable] set memory-failover-threshold {integer} set memory-failover-monitor-period {integer} set memory-failover-sample-rate {integer} set memory-failover-flip-timeout {integer} set failover-hold-time {integer} end
config system ha
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
group-id |
HA group ID . Must be the same for all members. |
integer |
Minimum value: 0 Maximum value: 1023 |
0 |
||||||||
group-name |
Cluster group name. Must be the same for all members. |
string |
Maximum length: 32 |
|
||||||||
mode |
HA mode. Must be the same for all members. FGSP requires standalone. |
option |
- |
standalone |
||||||||
|
|
|||||||||||
sync-packet-balance |
Enable/disable HA packet distribution to multiple CPUs. |
option |
- |
disable |
||||||||
|
|
|||||||||||
password |
Cluster password. Must be the same for all members. |
password |
Not Specified |
|
||||||||
key |
Key. |
password |
Not Specified |
|
||||||||
hbdev |
Heartbeat interfaces. Must be the same for all members. |
user |
Not Specified |
|
||||||||
unicast-hb |
Enable/disable unicast heartbeat. |
option |
- |
disable |
||||||||
|
|
|||||||||||
unicast-hb-peerip |
Unicast heartbeat peer IP. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
unicast-hb-netmask |
Unicast heartbeat netmask. |
ipv4-netmask |
Not Specified |
0.0.0.0 |
||||||||
session-sync-dev |
Offload session-sync process to kernel and sync sessions using connected interface(s) directly. |
user |
Not Specified |
|
||||||||
route-ttl |
TTL for primary unit routes. Increase to maintain active routes during failover. |
integer |
Minimum value: 5 Maximum value: 3600 |
10 |
||||||||
route-wait |
Time to wait before sending new routes to the cluster. |
integer |
Minimum value: 0 Maximum value: 3600 |
0 |
||||||||
route-hold |
Time to wait between routing table updates to the cluster. |
integer |
Minimum value: 0 Maximum value: 3600 |
10 |
||||||||
multicast-ttl |
HA multicast TTL on primary. |
integer |
Minimum value: 5 Maximum value: 3600 |
600 |
||||||||
encryption |
Enable/disable heartbeat message encryption. |
option |
- |
disable |
||||||||
|
|
|||||||||||
authentication |
Enable/disable heartbeat message authentication. |
option |
- |
disable |
||||||||
|
|
|||||||||||
hb-interval |
Time between sending heartbeat packets. Increase to reduce false positives. |
integer |
Minimum value: 1 Maximum value: 20 |
2 |
||||||||
hb-interval-in-milliseconds |
Number of milliseconds for each heartbeat interval: 100ms or 10ms. |
option |
- |
100ms |
||||||||
|
|
|||||||||||
hb-lost-threshold |
Number of lost heartbeats to signal a failure. Increase to reduce false positives. |
integer |
Minimum value: 1 Maximum value: 60 |
20 |
||||||||
hello-holddown |
Time to wait before changing from hello to work state. |
integer |
Minimum value: 5 Maximum value: 300 |
20 |
||||||||
gratuitous-arps |
Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. |
option |
- |
enable |
||||||||
|
|
|||||||||||
arps |
Number of gratuitous ARPs. Lower to reduce traffic. Higher to reduce failover time. |
integer |
Minimum value: 1 Maximum value: 60 |
5 |
||||||||
arps-interval |
Time between gratuitous ARPs . Lower to reduce failover time. Higher to reduce traffic. |
integer |
Minimum value: 1 Maximum value: 20 |
8 |
||||||||
link-failed-signal |
Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. |
option |
- |
disable |
||||||||
|
|
|||||||||||
uninterruptible-upgrade |
Enable to upgrade a cluster without blocking network traffic. |
option |
- |
enable |
||||||||
|
|
|||||||||||
sequential-upgrade |
Enable to upgrade secondaries one by one. |
option |
- |
enable |
||||||||
|
|
|||||||||||
uninterruptible-primary-wait |
Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade. |
integer |
Minimum value: 15 Maximum value: 300 |
30 |
||||||||
primary-hold-before-reboot |
Number of seconds the primary HA unit waits after the secondary HA unit upgraded and joined back HA then starts its own upgrade. |
integer |
Minimum value: 0 Maximum value: 600 |
0 |
||||||||
ha-mgmt-status |
Enable to reserve interfaces to manage individual cluster units. |
option |
- |
disable |
||||||||
|
|
|||||||||||
ha-uptime-diff-margin |
Normally you would only reduce this value for failover testing. |
integer |
Minimum value: 1 Maximum value: 65535 |
300 |
||||||||
unicast-status |
Enable/disable unicast connection. |
option |
- |
disable |
||||||||
|
|
|||||||||||
unicast-gateway |
Default route gateway for unicast interface. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
logical-sn |
Enable/disable usage of the logical serial number. |
option |
- |
disable |
||||||||
|
|
|||||||||||
weight |
Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. |
user |
Not Specified |
0 40 |
||||||||
cpu-threshold |
Dynamic weighted load balancing CPU usage weight and high and low thresholds. |
user |
Not Specified |
|
||||||||
memory-threshold |
Dynamic weighted load balancing memory usage weight and high and low thresholds. |
user |
Not Specified |
|
||||||||
http-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. |
user |
Not Specified |
|
||||||||
ftp-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. |
user |
Not Specified |
|
||||||||
imap-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. |
user |
Not Specified |
|
||||||||
nntp-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. |
user |
Not Specified |
|
||||||||
pop3-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. |
user |
Not Specified |
|
||||||||
smtp-proxy-threshold |
Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. |
user |
Not Specified |
|
||||||||
override |
Enable and increase the priority of the unit that should always be primary (master). |
option |
- |
disable |
||||||||
|
|
|||||||||||
priority |
Increase the priority to select the primary unit. |
integer |
Minimum value: 0 Maximum value: 255 |
128 |
||||||||
override-wait-time |
Delay negotiating if override is enabled. Reduces how often the cluster negotiates. |
integer |
Minimum value: 0 Maximum value: 3600 |
0 |
||||||||
monitor |
Interfaces to check for port monitoring (or link failure). |
user |
Not Specified |
|
||||||||
pingserver-monitor-interface |
Interfaces to check for remote IP monitoring. |
user |
Not Specified |
|
||||||||
pingserver-failover-threshold |
Remote IP monitoring failover threshold. |
integer |
Minimum value: 0 Maximum value: 50 |
0 |
||||||||
pingserver-secondary-force-reset |
Enable to force the cluster to negotiate after a remote IP monitoring failover. |
option |
- |
enable |
||||||||
|
|
|||||||||||
pingserver-flip-timeout |
Time to wait in minutes before renegotiating after a remote IP monitoring failover. |
integer |
Minimum value: 6 Maximum value: 2147483647 |
60 |
||||||||
vcluster-status |
Enable/disable virtual cluster for virtual clustering. |
option |
- |
disable |
||||||||
|
|
|||||||||||
ha-direct |
Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox. |
option |
- |
disable |
||||||||
|
|
|||||||||||
ssd-failover |
Enable/disable automatic HA failover on SSD disk failure. |
option |
- |
disable |
||||||||
|
|
|||||||||||
memory-compatible-mode |
Enable/disable memory compatible mode. |
option |
- |
disable |
||||||||
|
|
|||||||||||
memory-based-failover |
Enable/disable memory based failover. |
option |
- |
disable |
||||||||
|
|
|||||||||||
memory-failover-threshold |
Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global). |
integer |
Minimum value: 0 Maximum value: 95 |
0 |
||||||||
memory-failover-monitor-period |
Duration of high memory usage before memory based failover is triggered in seconds. |
integer |
Minimum value: 1 Maximum value: 300 |
60 |
||||||||
memory-failover-sample-rate |
Rate at which memory usage is sampled in order to measure memory usage in seconds. |
integer |
Minimum value: 1 Maximum value: 60 |
1 |
||||||||
memory-failover-flip-timeout |
Time to wait between subsequent memory based failovers in minutes. |
integer |
Minimum value: 6 Maximum value: 2147483647 |
6 |
||||||||
failover-hold-time |
Time to wait before failover , to avoid flip. |
integer |
Minimum value: 0 Maximum value: 300 |
0 |
config ha-mgmt-interfaces
Parameter |
Description |
Type |
Size |
Default |
---|---|---|---|---|
id |
Table ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
interface |
Interface to reserve for HA management. |
string |
Maximum length: 15 |
|
dst |
Default route destination for reserved HA management interface. |
ipv4-classnet |
Not Specified |
0.0.0.0 0.0.0.0 |
gateway |
Default route gateway for reserved HA management interface. |
ipv4-address |
Not Specified |
0.0.0.0 |
gateway6 |
Default IPv6 gateway for reserved HA management interface. |
ipv6-address |
Not Specified |
:: |
config unicast-peers
Parameter |
Description |
Type |
Size |
Default |
---|---|---|---|---|
id |
Table ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
peer-ip |
Unicast peer IP. |
ipv4-address |
Not Specified |
0.0.0.0 |
config vcluster
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
vcluster-id |
ID. |
integer |
Minimum value: 1 Maximum value: 30 |
1 |
||||||
override |
Enable and increase the priority of the unit that should always be primary (master). |
option |
- |
disable |
||||||
|
|
|||||||||
priority |
Increase the priority to select the primary unit. |
integer |
Minimum value: 0 Maximum value: 255 |
128 |
||||||
override-wait-time |
Delay negotiating if override is enabled. Reduces how often the cluster negotiates. |
integer |
Minimum value: 0 Maximum value: 3600 |
0 |
||||||
monitor |
Interfaces to check for port monitoring (or link failure). |
user |
Not Specified |
|
||||||
pingserver-monitor-interface |
Interfaces to check for remote IP monitoring. |
user |
Not Specified |
|
||||||
pingserver-failover-threshold |
Remote IP monitoring failover threshold. |
integer |
Minimum value: 0 Maximum value: 50 |
0 |
||||||
pingserver-secondary-force-reset |
Enable to force the cluster to negotiate after a remote IP monitoring failover. |
option |
- |
enable |
||||||
|
|
|||||||||
vdom |
Virtual domain(s) in the virtual cluster. Virtual domain name. |
string |
Maximum length: 79 |
|