Optional: Using HA-Cluster
You can set up multiple FortiSandbox instances in a load-balancing HA (high availability) cluster.
For information on using HA clusters, see the FortiSandbox Administration Guide.
Launching an HA-Cluster
To launch FortiSandbox instances on AWS:
- On the AWS Launch Instances page, launch the FortiSandbox primary (formerly master) instance from the marketplace.
- On the Configure Instance Details page of the setup wizard, assign eth0 to the FortiSandbox firmware subnet of port1 (10.0.0.x).
- Launch the secondary (formerly primary slave) instance first, and then launch the worker (formerly slave or regular slave) instances.
If you are using HA-Cluster without failover, the secondary node is optional.
- Create two additional network interfaces under dedicated subnets for all HA-Cluster nodes:
  - Create private_subnet (10.0.1.x) for custom VMs.
  - Create HA-Cluster_subnet (10.0.2.x) for HA-Cluster communication.
- In the network security group, open the following ports for HA-Cluster communication:
  - TCP 2015 from 0.0.0.0/0
  - TCP 2018 from 0.0.0.0/0
- On the AWS Console, add a secondary IP address on the primary node as an external HA-Cluster communication IP address:
  - Select the primary node's port1 network interface.
  - Go to Actions > Manage IP Addresses and assign the new IP address.
  - Optional: associate a new EIP address for external HA-Cluster communication.
  In a failover, this HA-Cluster IP address is used on the new primary node.
  Do not use the set admin-port command to set the internal HA-Cluster communication port.
- Attach the network interfaces to all HA-Cluster nodes and reboot all nodes after attaching.
- Import the AWS settings into the FortiSandbox HA-Cluster:
  - Log into each FortiSandbox HA-Cluster node using its EIP address.
  - Configure the AWS Config page for the primary and worker nodes.
Configuring an HA-Cluster
If you are using HA-Cluster without failover, the secondary is optional.
Ensure the HA-Cluster meets the following requirements:
- Use the same scan environment on all nodes. For example, install the same set of Windows VMs on each node so that the same scan profiles can be used and controlled by the primary node.
- Run the same firmware build on all nodes.
- Set up a dedicated network interface (such as port2) for each node for custom VMs.
- Set up a dedicated network interface (such as port3) for each node for internal HA-Cluster communication.
In this example, 10.20.0.22/24 is the external HA-Cluster communication IP address. The secondary node's private IP address is on the primary node's port1 network interface.
To configure an HA-Cluster using FortiSandbox CLI commands:
- Configure the primary node:
    hc-settings -sc -tM -nMyHAPrimary -cClusterName -p123 -iport3
    hc-settings -si -iport1 -a10.20.0.22/24
- Configure the secondary node:
    hc-settings -sc -tP -nMyPWorker -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
- Configure the first worker node:
    hc-settings -sc -tR -nMyRWorker1 -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
- If necessary, configure further worker nodes the same way:
    hc-settings -sc -tR -nMyRWorker2 -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
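Every node must be configured with the same cluster name, passphrase and HA interface, and the AWS layout must match the dedicated subnets and security-group ports described above. The following Python pre-flight check is an added example, not Fortinet code: it validates a constructed cluster plan (node names, addresses and ingress rules are all made up) against those requirements and renders the per-node hc-settings and hc-worker lines from one shared set of values.

```python
# Pre-flight check for a FortiSandbox HA-Cluster plan on AWS (added example, not
# Fortinet code). Node names, addresses and security-group rules are constructed.
import ipaddress

HA_PORTS = (2015, 2018)                      # TCP ports for HA-Cluster communication
SUBNETS = {"port1": "10.0.0.0/24",           # firmware subnet (eth0)
           "port2": "10.0.1.0/24",           # private_subnet for custom VMs
           "port3": "10.0.2.0/24"}           # HA-Cluster_subnet
ROLE_FLAG = {"primary": "M", "secondary": "P", "worker": "R"}   # hc-settings -t values

def node(name, role, host):
    """Constructed node record with one address per subnet."""
    return {"name": name, "role": role,
            "ifaces": {p: f"10.0.{i}.{host}" for i, p in enumerate(SUBNETS)}}

NODES = [node("MyHAPrimary", "primary", 10), node("MyPWorker", "secondary", 11),
         node("MyRWorker1", "worker", 12)]
del NODES[2]["ifaces"]["port3"]              # this worker lacks its HA interface
# Constructed ingress rules: the page opens both ports to 0.0.0.0/0; a rule scoped
# to the HA-Cluster subnet also passes the check.
RULES = [{"proto": "tcp", "from": 2015, "to": 2015, "cidr": "0.0.0.0/0"},
         {"proto": "tcp", "from": 2018, "to": 2018, "cidr": "10.0.2.0/24"}]
def check_layout(nodes):
    """Every node needs port1/port2/port3 addressed inside its dedicated subnet."""
    return [f"{n['name']}: {port} is not in {cidr}" for n in nodes
            for port, cidr in SUBNETS.items()
            if n["ifaces"].get(port) is None
            or ipaddress.ip_address(n["ifaces"][port]) not in ipaddress.ip_network(cidr)]

def check_sg(rules):
    """Each HA port must be reachable from the whole HA-Cluster subnet."""
    ha_net = ipaddress.ip_network(SUBNETS["port3"])
    return [f"TCP {p} not allowed from {ha_net}" for p in HA_PORTS
            if not any(r["proto"] == "tcp" and r["from"] <= p <= r["to"]
                       and ha_net.subnet_of(ipaddress.ip_network(r["cidr"])) for r in rules)]

def render_commands(nodes, cluster, passphrase, ha_ip):
    """Per-node CLI lines; shared values come from one place so nodes cannot drift."""
    primary = next(n for n in nodes if n["role"] == "primary")
    out = {}
    for n in nodes:
        cmds = [f"hc-settings -sc -t{ROLE_FLAG[n['role']]} -n{n['name']} "
                f"-c{cluster} -p{passphrase} -iport3"]
        if n is primary:
            cmds.append(f"hc-settings -si -iport1 -a{ha_ip}")      # external HA IP
        else:
            cmds.append(f"hc-worker -a -s{primary['ifaces']['port3']} -p{passphrase}")
        out[n["name"]] = cmds
    return out
```

Running check_layout(NODES) flags the worker without a port3 interface; check_sg(RULES) returns an empty list because both HA ports are reachable from the HA-Cluster subnet.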
To check the status of the HA-Cluster:
On the primary node, use this CLI command to view the status of all units in the cluster:
    hc-status -l
To use a custom VM on an HA-Cluster:
- Install the AWS local custom VMs from the primary node onto each worker node using the FortiSandbox CLI command vm-customized. All options must be the same when installing custom VMs on an HA-Cluster, including -vn[VM name].
- In the FortiSandbox AWS GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 for each node.
  After all VM clones on all nodes are configured, you can change the Clone # to a higher number.
- In a new CLI window, check the VM clone initialization using the diagnose-debug vminit command.
- In the FortiSandbox GUI, go to the Dashboard and verify there is a green checkmark beside Windows VM.
- To associate file extensions with the custom VM, go to Scan Policy > Scan Profile > VM Association tab.
You can now submit scan jobs from the primary node. HA-Cluster supports VM Interaction on each node.