HA virtual cluster setup
Virtual clustering is an extension of HA to allow multiple clusters to be formed between your HA members. In effect, each cluster consists of the same HA members, with the option to prioritize different members as the primary unit. Each cluster operates as its own active-passive HA cluster, with different virtual domains residing in the virtual cluster. The following custom settings can be configured per cluster:
    config system ha
        set vcluster-status enable
        config vcluster
            edit <id>
                set override {enable | disable}
                set priority <integer>
                set vdom <vdom_1>, ... [vdom_n]
                set monitor <interface_1>, ... [interface_n]
                set pingserver-monitor-interface <interface_1>, ... [interface_n]
            next
        end
    end
override {enable | disable}
    Enable/disable override and increase the priority of the unit that should always be the primary.
priority <integer>
    Increase the priority to select the primary unit (0 - 255, default = 128).
vdom <vdom_1>, ... [vdom_n]
    Set the virtual domains in the virtual cluster.
monitor <interface_1>, ... [interface_n]
    Set the interfaces to check for port monitoring (or link failure).
pingserver-monitor-interface <interface_1>, ... [interface_n]
    Set the interfaces to check for remote IP monitoring.
Active-passive virtual clustering uses VDOM partitioning to send traffic for some VDOMs to the primary FortiProxy and traffic for other VDOMs to the secondary FortiProxies. Traffic distribution between FortiProxies can potentially improve throughput. If a failure occurs and only one FortiProxy continues to operate, all traffic fails over to that FortiProxy, similar to normal HA. If the failed FortiProxies rejoin the cluster, the configured traffic distribution is restored.
In an active-passive virtual cluster of two FortiProxies, the first and second FortiProxies share traffic processing according to the VDOM partitioning configuration. The following is an example of two virtual clusters, with each member acting as primary for different vclusters.
If you add a third or fourth FortiProxy, the first and second FortiProxies process all traffic and the other one or two FortiProxies operate in standby mode. If the first or second FortiProxy fails, one of the other FortiProxies becomes the new primary or secondary FortiProxy and begins processing traffic.
For better load balancing, it is recommended to have as many vclusters as there are HA members. This way, each HA member can be a primary unit for each cluster, thereby processing traffic while standing by for the other vcluster as secondary. The following is an example of four FortiProxies in a cluster, with four vclusters and four VDOMs. Each FortiProxy is the primary unit for a vcluster and actively processes traffic as the primary member.
Virtual clustering and heartbeat interfaces
The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.
Support up to 8 virtual clusters
FortiProxy supports up to 8 virtual clusters, which allows more VDOMs to be spread across different virtual clusters without overlapping. Each virtual cluster supports its own failover conditions. Prior to 7.4.0, only two virtual clusters were supported.
When configuring virtual clusters, the group-id is limited to a value from 0 to 7. If the HA group-id is greater than 7, use the command line first to change the group-id before enabling virtual clusters.
    config system ha
        set group-id <integer>
    end
When upgrading from 7.2, old virtual clusters will be lost if the |
Basic configuration
This example shows a virtual cluster configuration consisting of two FortiProxies. The virtual cluster has two VDOMs, root and eng_vdm.
The root VDOM can only be associated with virtual cluster 1.
To set up an HA virtual cluster using the GUI:
1. Make all the necessary connections as shown in the topology diagram.
2. Configure a regular A-P cluster:
   a. Log in to one of the FortiProxies.
   b. Go to System > HA and set the following options:
      Mode: Active-Passive
      Device priority: 128 or higher
      Group name: Example_cluster
      Heartbeat interfaces: ha1 and ha2
      Except for the device priority, these settings must be the same on all FortiProxies in the cluster.
   c. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
   d. Click OK.
      The FortiProxy negotiates to establish an HA cluster. Connectivity with the FortiProxy may be temporarily lost as the HA cluster negotiates and changes the MAC addresses of the FortiGate's interfaces.
3. Factory reset the other FortiProxy that will be in the cluster, configure GUI access, then repeat step 2 (omitting setting the device priority) to join the cluster.
4. On the primary FortiProxy, go to System > Settings and enable Virtual Domains.
5. Click Apply. You will be logged out of the FortiProxy.
6. Log back in to the FortiProxy, and ensure that you are in the global VDOM.
7. Create the eng_vdm VDOM:
   a. Go to System > VDOM and click Create New. The New Virtual Domain pane opens.
   b. Enter the name in the Virtual Domain field, then click OK.
8. Implement a virtual cluster by moving the new VDOM to virtual cluster 2:
   a. Go to System > HA and enable VDOM Partitioning.
   b. In the table, click Create New. The New Virtual Cluster pane opens.
   c. Click the + and add the eng_vdm VDOM.
   d. Click OK to save the virtual cluster.
   e. Click OK to save the HA configuration.
To set up an HA virtual cluster using the CLI:
1. Make all the necessary connections as shown in the topology diagram.
2. Configure a regular A-P cluster. See HA.
3. Enable VDOMs:

       config system global
           set vdom-mode multi-vdom
       end

   You will be logged out of the FortiProxy.
4. Create the eng_vdm VDOM:

       config vdom
           edit eng_vdm
           next
       end

5. Reconfigure the HA settings to be a virtual cluster:

       config system ha
           set vcluster-status enable
           config vcluster
               edit 1
                   set vdom root
                   set override disable
               next
               edit 2
                   set vdom eng_vdm
                   set override disable
               next
           end
       end
Configuration with 8 virtual clusters
In this example, there are 8 customers managed by an MSSP on an HA cluster, and each customer VDOM needs to failover independently of other customer VDOMs. Each customer is assigned to a different virtual cluster with its own virtual cluster configuration. This may include different monitored interfaces, ping servers, and priority for the primary and secondary cluster members. Each virtual cluster will fail over according to its own virtual cluster configuration.
This example assumes an A-P cluster and VDOMs have already been configured. See HA and VDOM for more information.
For each virtual cluster, this example assumes that unit 1 has an HA priority of 200, while unit 2 has an HA priority of 100. By default, unit 1 will be the primary cluster member of all the virtual clusters.
To configure multiple virtual clusters in the GUI:
1. Go to System > HA and enable VDOM Partitioning.
2. Create a virtual cluster:
   a. In the table, click Create New. The New Virtual Cluster pane opens.
   b. Set the Device priority to 200.
   c. Click the + and add the Virtual domains.
   d. Optionally, click the + and add the Monitor interfaces.
   e. Click OK.
3. Repeat step 2 to create the remaining virtual clusters.
4. Click OK to save the HA configuration. The HA page summary displays the multiple virtual clusters, each with a Primary and Secondary HA member.
5. Edit the priority settings for the secondary members to be 100:
   a. Select the Secondary member in the table, and click Edit.
   b. Set the Priority to 100.
   c. Click OK.
6. Repeat step 5 for the remaining secondary members.
To configure multiple virtual clusters in the CLI:
1. Configure the primary FortiProxy:

       config system ha
           set vcluster-status enable
           config vcluster
               edit 1
                   set override disable
                   set priority 200
                   set vdom "vdom1"
               next
               edit 2
                   set override disable
                   set priority 200
                   set vdom "vdom2"
               next
               ...
               edit 8
                   set override disable
                   set priority 200
                   set vdom "vdom8"
               next
           end
       end

2. Configure the secondary FortiProxy:

       config system ha
           set vcluster-status enable
           config vcluster
               edit 1
                   set override disable
                   set priority 100
                   set vdom "vdom1"
               next
               edit 2
                   set override disable
                   set priority 100
                   set vdom "vdom2"
               next
               ...
               edit 8
                   set override disable
                   set priority 100
                   set vdom "vdom8"
               next
           end
       end
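The two CLI listings above repeat one stanza eight times per unit and elide vclusters 3 through 7. As an added example (not Fortinet tooling and not code from this page), the following Python script renders the complete block for each unit and checks a plan against the limits stated on this page before it is pasted into a device. The helper names, group-id 0, the one-VDOM-per-vcluster rule and the space-separated VDOM list are assumptions.

```python
# Added example: validate/render_ha/plan are hypothetical helpers, not Fortinet tooling.
MAX_VCLUSTERS = 8   # page: up to 8 virtual clusters
MAX_GROUP_ID = 7    # page: group-id limited to 0-7 when virtual clusters are used


def validate(group_id, vclusters):
    """Return violations of this page's limits; vclusters is {id: {"vdoms", "priority"}}."""
    problems = []
    if not 0 <= group_id <= MAX_GROUP_ID:
        problems.append(f"group-id {group_id} outside 0-{MAX_GROUP_ID}")
    if len(vclusters) > MAX_VCLUSTERS:
        problems.append(f"{len(vclusters)} vclusters exceeds {MAX_VCLUSTERS}")
    owner = {}
    for vc_id, vc in sorted(vclusters.items()):
        if not 0 <= vc["priority"] <= 255:
            problems.append(f"vcluster {vc_id}: priority {vc['priority']} outside 0-255")
        for vdom in vc["vdoms"]:
            if vdom == "root" and vc_id != 1:
                problems.append(f"vcluster {vc_id}: root VDOM belongs in vcluster 1")
            if vdom in owner:  # assumption: a VDOM sits in exactly one vcluster
                problems.append(f"VDOM {vdom} in vclusters {owner[vdom]} and {vc_id}")
            owner.setdefault(vdom, vc_id)
    return problems


def render_ha(vclusters):
    """Render the full 'config system ha' block for one unit, nothing elided."""
    lines = ["config system ha", "    set vcluster-status enable", "    config vcluster"]
    for vc_id, vc in sorted(vclusters.items()):
        vdoms = " ".join(f'"{v}"' for v in vc["vdoms"])  # assumed space-separated
        lines += [f"        edit {vc_id}",
                  "            set override disable",
                  f"            set priority {vc['priority']}",
                  f"            set vdom {vdoms}",
                  "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


def plan(priority):
    """Eight customer vclusters with one VDOM each (vdom1..vdom8), as in the example."""
    return {i: {"vdoms": [f"vdom{i}"], "priority": priority} for i in range(1, 9)}


if __name__ == "__main__":
    for unit, prio in (("primary", 200), ("secondary", 100)):
        issues = validate(0, plan(prio))  # group-id 0 is a constructed value
        print(f"# {unit} unit, issues: {issues}\n{render_ha(plan(prio))}\n")
```

Running the validation before applying the output catches a customer VDOM listed twice or a root VDOM placed outside vcluster 1, either of which would undermine the independent per-customer failover this example is built around.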