Optional: Using HA-Cluster

You can set up multiple FortiSandbox instances in a load-balancing HA (high availability) cluster.

For information on using HA clusters, see the FortiSandbox Administration Guide.

Launching an HA-Cluster

To launch FortiSandbox instances on AWS:
  1. On the AWS Launch Instances page, launch FortiSandbox primary (formerly master) instances from the marketplace.
  2. On the Configure Instance Details page of the setup wizard, assign eth0 to the FortiSandbox firmware subnet of port1 (10.0.0.x).
  3. First launch the secondary (formerly primary slave) instance and then launch the worker (formerly slave or regular slave) instances.

    If you are using HA-Cluster without failover, the secondary node is optional.

  4. Create two additional network interfaces under dedicated subnets for all HA-Cluster nodes.
    1. Create private_subnet (10.0.1.x) for custom VMs.
    2. Create HA-Cluster_subnet (10.0.2.x) for HA-Cluster communication.
  5. In the network security group, open the following ports for HA-Cluster communication:
    • TCP 2015 0.0.0.0/0
    • TCP 2018 0.0.0.0/0
  6. On the AWS Console, add a secondary IP address on the primary node as an external HA-Cluster communication IP address.
    1. Select the primary node's port1 network interface.
    2. Go to Action > Manage IP Addresses and assign the new IP address.
    3. Optional: you can associate a new EIP address for external HA-Cluster communication.

      In a failover, this HA-Cluster IP address will be used on the new primary node.

    Note: Do not use the set admin-port command to set the internal HA-Cluster communication port.

  7. Attach network interfaces to all HA-Cluster nodes and reboot all nodes after attaching.
  8. Import AWS settings into FortiSandbox HA-Cluster.
    1. Log into each FortiSandbox HA-Cluster node using the EIP address.
    2. Configure the AWS Config page for the primary and worker nodes.
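As an added example that is not part of Fortinet's documentation, the following bash script performs the AWS side of steps 4 to 7 with the AWS CLI: the two dedicated subnets, a security group for TCP 2015 and 2018, one network interface per subnet on every node followed by the reboot, and the secondary private IP address of step 6. VPC_ID, AZ, the instance and interface ids, the address 10.0.0.22 and the security group name are placeholders or assumptions, not values from the page. The page opens the HA ports to 0.0.0.0/0; the script defaults the source to the HA-Cluster subnet 10.0.2.0/24, since the nodes' port3 interfaces only ever talk on that subnet, and includes a check that counts HA-port rules still open to 0.0.0.0/0, run here against a constructed describe-security-groups sample.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet's code): AWS CLI equivalents of steps 4-7 above.
# Assumptions, not from the page: VPC_ID, AZ, the ids in HA_NODES and
# PRIMARY_PORT1_ENI, and HA_EXTERNAL_IP are placeholders; an "aws" CLI profile
# with EC2 rights exists. DRY_RUN=1 prints each aws command instead of running it.
set -eu

VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
AZ="${AZ:-us-east-1a}"                                      # assumed zone
HA_NODES="${HA_NODES:-i-PRIMARY i-SECONDARY i-WORKER1}"     # placeholder instance ids
PRIMARY_PORT1_ENI="${PRIMARY_PORT1_ENI:-eni-PLACEHOLDER}"   # primary node's port1 ENI
HA_EXTERNAL_IP="${HA_EXTERNAL_IP:-10.0.0.22}"               # constructed secondary IP on port1
CUSTOM_VM_CIDR="10.0.1.0/24"   # private_subnet (page: 10.0.1.x), becomes port2
HA_CIDR="10.0.2.0/24"          # HA-Cluster_subnet (page: 10.0.2.x), becomes port3
HA_PORTS="2015 2018"           # TCP ports the page requires for HA-Cluster traffic

run() {      # execute a command, or print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
capture() {  # like run, but for commands whose output (an id) is needed later
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*" >&2; echo "DRYRUN-ID"; else "$@"; fi
}

# JSON for --ip-permissions covering the HA ports. The page opens them to
# 0.0.0.0/0; the default source here is the HA subnet, the only network the
# nodes' port3 interfaces use for cluster communication.
ha_ip_permissions() {
  src="${1:-$HA_CIDR}"; out=""
  for port in $HA_PORTS; do
    entry="{\"IpProtocol\":\"tcp\",\"FromPort\":$port,\"ToPort\":$port,\"IpRanges\":[{\"CidrIp\":\"$src\"}]}"
    out="${out:+$out,}$entry"
  done
  printf '[%s]' "$out"
}

# Post-deployment check: count HA-port rules whose source is 0.0.0.0/0 in the
# JSON printed by "aws ec2 describe-security-groups". Returns 0 when none.
count_open_ha_rules() {   # $1 = describe-security-groups JSON text
  printf '%s' "$1" | tr -d ' \n\t' \
    | grep -oE '"FromPort":20(15|18)[^}]*"CidrIp":"0\.0\.0\.0/0"' | wc -l | tr -d ' '
}

# Constructed sample of describe-security-groups output: 2015 left open to the
# world, 2018 limited to the HA subnet, plus an unrelated SSH rule.
SAMPLE_SG_JSON='{"SecurityGroups":[{"GroupId":"sg-SAMPLE","IpPermissions":[
 {"FromPort":2015,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0"}],"ToPort":2015},
 {"FromPort":2018,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"10.0.2.0/24"}],"ToPort":2018},
 {"FromPort":22,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0"}],"ToPort":22}]}]}'

authorize_ha_ports() {   # $1 = security group id, $2 = optional source CIDR
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
      --ip-permissions "$(ha_ip_permissions "${2:-}")"
}

create_subnet() {        # $1 = Name tag, $2 = CIDR; prints the subnet id
  capture aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$2" \
      --availability-zone "$AZ" \
      --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$1}]" \
      --query Subnet.SubnetId --output text
}

attach_ha_interfaces() { # $1 = sg id, $2 = custom VM subnet, $3 = HA subnet
  for node in $HA_NODES; do
    idx=1                # device-index 1 -> port2, 2 -> port3 (eth0 stays port1)
    for subnet in "$2" "$3"; do
      eni=$(capture aws ec2 create-network-interface --subnet-id "$subnet" \
              --groups "$1" --query NetworkInterface.NetworkInterfaceId --output text)
      run aws ec2 attach-network-interface --instance-id "$node" \
          --network-interface-id "$eni" --device-index "$idx"
      idx=$((idx + 1))
    done
    run aws ec2 reboot-instances --instance-ids "$node"   # page: reboot after attaching
  done
}

assign_ha_external_ip() { # step 6: secondary private IP on the primary's port1 ENI
  run aws ec2 assign-private-ip-addresses --network-interface-id "$PRIMARY_PORT1_ENI" \
      --private-ip-addresses "$HA_EXTERNAL_IP"
}

if [ "${1:-}" = "apply" ]; then   # ./ha-network.sh apply   (DRY_RUN=1 to preview)
  sg=$(capture aws ec2 create-security-group --vpc-id "$VPC_ID" \
         --group-name fsa-ha-cluster --description "FortiSandbox HA-Cluster ports" \
         --query GroupId --output text)
  authorize_ha_ports "$sg"
  vm_subnet=$(create_subnet private_subnet "$CUSTOM_VM_CIDR")
  ha_subnet=$(create_subnet HA-Cluster_subnet "$HA_CIDR")
  attach_ha_interfaces "$sg" "$vm_subnet" "$ha_subnet"
  assign_ha_external_ip
  echo "open HA-port rules in sample: $(count_open_ha_rules "$SAMPLE_SG_JSON")"
fi
```

Run it with `DRY_RUN=1 ./ha-network.sh apply` first to read the generated commands; pass `0.0.0.0/0` as the second argument of `authorize_ha_ports` only if you want the page's wide-open rule, and feed real `describe-security-groups` output to `count_open_ha_rules` after deployment to confirm the result is 0.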

Configuring an HA-Cluster

If you are using HA-Cluster without failover, the secondary is optional.

Ensure the HA-Cluster meets the following requirements:

  • Use the same scan environment on all nodes. For example, install the same set of Windows VMs on each node so that the same scan profiles can be used and controlled by the primary node.
  • Run the same firmware build on all nodes.
  • Set up a dedicated network interface (such as port2) for each node for custom VMs.
  • Set up a dedicated network interface (such as port3) for each node for internal HA-Cluster communication.

In this example, 10.20.0.22/24 is the external HA-Cluster communication IP address, added as a secondary IP address on the primary node's port1 network interface (see step 6 above).

To configure an HA-Cluster using FortiSandbox CLI commands:
  1. Configure the primary node:
    • hc-settings -sc -tM -nMyHAPrimary -cClusterName -p123 -iport3
    • hc-settings -si -iport1 -a10.20.0.22/24
  2. Configure the secondary node:
    • hc-settings -sc -tP -nMyPWorker -cClusterName -p123 -iport3
    • hc-worker -a -sPrimary_Port3_private_IP -p123
  3. Configure the first worker node:
    • hc-settings -sc -tR -nMyRWorker1 -cClusterName -p123 -iport3
    • hc-worker -a -sPrimary_Port3_private_IP -p123
  4. If necessary, configure consecutive worker nodes:
    • hc-settings -sc -tR -nMyRWorker2 -cClusterName -p123 -iport3
    • hc-worker -a -sPrimary_Port3_private_IP -p123

To check the status of the HA-Cluster:

On the primary node, use this CLI command to view the status of all units in the cluster.

hc-status -l

To use a custom VM on an HA-Cluster:
  1. Install the AWS local custom VMs from the primary node onto each worker node using the FortiSandbox CLI command vm-customized.

    All options must be the same when installing custom VMs on an HA-Cluster, including -vn[VM name].

  2. In the FortiSandbox AWS GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 for each node.

    After all VM clones on all nodes are configured, you can change the Clone # to a higher number.

  3. In a new CLI window, check the VM clone initialization using the diagnose-debug vminit command.
  4. In the FortiSandbox GUI, go to the Dashboard to verify there is a green checkmark beside Windows VM.
  5. To associate file extensions with the custom VM, go to Scan Policy > Scan Profile and open the VM Association tab.

You can now submit scan jobs from the primary node. HA-Cluster supports VM Interaction on each node.