Optional: Using HA-Cluster

You can set up multiple FortiSandbox Azure instances in a load-balancing HA (high availability) cluster.

From version 3.2.0, FortiSandbox Azure supports the same custom VMs running on an HA cluster.

Before setting up HA cluster in Azure, ensure you know how HA clustering works in FortiSandbox. For information on FortiSandbox HA clusters, see the FortiSandbox Administration Guide.

Configuring an HA cluster

Create the primary (formerly master) node first, then create the secondary (formerly primary slave) and worker (formerly slave or regular slave) nodes.

If you are using HA-Cluster without failover, the secondary node is optional.

Ensure the HA-Cluster meets the following requirements:

  • Use the same scan environment on all nodes. For example, install the same set of Windows VMs on each node so that the same scan profiles can be used and controlled by the primary node.
  • Run the same firmware build on all nodes.
  • Set up a dedicated network interface (such as port2) for each node for custom VMs.
  • Set up a dedicated network interface (such as port3) for each node for internal HA-Cluster communication.

The following are recommendations for the HA-Cluster:

  • Put interfaces on the same virtual network.
  • Use a static IP address in the same subnet for each network port.
  • Do not use the set admin-port command to set port1 or any other administrative port as the internal HA-Cluster communication port.
  • FortiSandbox reserves port2 for custom VM communication; this assignment is hardcoded.

To create multiple FortiSandbox instances on Azure:
  1. Create at least three network interfaces on Azure for each FortiSandbox Azure instance.

    The second network interface is for the custom VM.

    The third network interface is for HA communication.

  2. In the Network security group, open these TCP ports for HA communication:
    TCP 2015 0.0.0.0/0
    TCP 2018 0.0.0.0/0
  3. On the Azure portal, add a secondary IP address on the primary node as an external HA-Cluster communication IP address.
    1. Go to the primary node's port1 network interface.
    2. Go to IP configurations and click Add.
    3. Add a secondary static Private IP address.
    4. Optional: you can add a new static Public IP address for external HA-Cluster communication.

      In a failover, this HA-Cluster IP address will be used on the new primary node.

To import Azure settings into the FortiSandbox HA-Cluster:
  1. Log into the FortiSandbox GUI of each node using its public IP address.
  2. Follow the instructions in Importing Azure settings into FortiSandbox to configure the Azure Config page on both the primary and the secondary node.
  3. Repeat for every node in the cluster.

To configure the HA cluster in FortiSandbox using CLI commands:

In this example, 10.20.0.22/24 is an HA external communication IP address. The secondary private IP address is on the primary node’s port1 network interface.

  1. Configure the primary node using these CLI commands:
    hc-settings -sc -tM -nMyHAPrimary -cClusterName -p123 -iport3
    hc-settings -si -iport1 -a10.20.0.22/24
  2. Configure the secondary node:
    hc-settings -sc -tP -nMyPWorker -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
  3. Configure the first worker:
    hc-settings -sc -tR -nMyRWorker1 -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
  4. If needed, configure additional regular workers:
    hc-settings -sc -tR -nMyRWorker2 -cClusterName -p123 -iport3
    hc-worker -a -sPrimary_Port3_private_IP -p123
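As an added example (not Fortinet code), the Python below derives the per-node hc-settings and hc-worker lines above from one cluster description, so the cluster name, password and HA interface cannot drift between nodes, and it rejects an HA interface that is the administrative port or the reserved port2. The command syntax is copied from the example above; the node names, the external IP and the placeholder Primary_Port3_private_IP are the page's sample values.

```python
"""Added example (not Fortinet code): build the per-node FortiSandbox HA-Cluster
CLI lines from one cluster description. Command syntax follows the hc-settings /
hc-worker example on this page; node names and IPs are the page's sample values."""
from __future__ import annotations
from dataclasses import dataclass

RESERVED_CUSTOM_VM_PORT = "port2"          # hardcoded for custom VM traffic
ROLE_FLAG = {"primary": "M", "secondary": "P", "worker": "R"}   # -t values


@dataclass(frozen=True)
class Cluster:
    name: str            # -c value, must be identical on every node
    password: str        # -p value, must be identical on every node
    ha_iface: str        # internal HA-Cluster interface, e.g. port3
    admin_iface: str     # administrative port, e.g. port1
    external_ip: str     # external HA communication IP, e.g. 10.20.0.22/24
    primary_ha_ip: str   # primary node's private IP on ha_iface


def check(c: Cluster) -> list[str]:
    """Return the page's interface rules this cluster description violates."""
    problems = []
    if c.ha_iface == c.admin_iface:
        problems.append("HA interface must not be the administrative port")
    if c.ha_iface == RESERVED_CUSTOM_VM_PORT:
        problems.append("port2 is reserved for custom VM communication")
    return problems


def node_commands(c: Cluster, role: str, node_name: str) -> list[str]:
    """CLI lines to run on one node; raises if the description breaks a rule."""
    if problems := check(c):
        raise ValueError("; ".join(problems))
    settings = (f"hc-settings -sc -t{ROLE_FLAG[role]} -n{node_name} "
                f"-c{c.name} -p{c.password} -i{c.ha_iface}")
    if role == "primary":
        # only the primary publishes the external HA IP on the admin port
        return [settings, f"hc-settings -si -i{c.admin_iface} -a{c.external_ip}"]
    # the secondary and regular workers join the primary over the HA interface
    return [settings, f"hc-worker -a -s{c.primary_ha_ip} -p{c.password}"]


def cluster_commands(c: Cluster, workers: int) -> dict[str, list[str]]:
    """Ordered plan: primary first, then secondary, then regular workers."""
    plan = {"MyHAPrimary": node_commands(c, "primary", "MyHAPrimary"),
            "MyPWorker": node_commands(c, "secondary", "MyPWorker")}
    for i in range(1, workers + 1):
        plan[f"MyRWorker{i}"] = node_commands(c, "worker", f"MyRWorker{i}")
    return plan
```

Run the plan node by node in the order returned, since the primary must exist before any worker runs hc-worker against it.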

To check the status of the HA cluster:
  1. On the primary node, enter this command to view the status of all units in the cluster.
    hc-status -l

To use a custom VM on an HA-Cluster:
  1. Install the Azure local custom VMs from the primary node onto each worker node using the FortiSandbox CLI command azure-vm-customized.

    All options must be the same when installing custom VMs on an HA-Cluster, including -vn[VM name].

    For example, on the primary node, install the custom VM from the blob and set the VM name to hawin10vm.

    azure-vm-customized -cn -f[blob container name] -b[VM_image_name.vhd] -vo[OS type] -vnhawin10vm

    On the secondary node, keep all options the same as the primary node.

    azure-vm-customized -cn -f[blob container name same as primary node] -b[VM_image_name.vhd same as primary node] -vo[OS type] -vnhawin10vm

    On the worker node, also keep all options the same as the primary node.

    azure-vm-customized -cn -f[blob container name same as primary node] -b[VM_image_name.vhd same as primary node] -vo[OS type] -vnhawin10vm
  2. In the FortiSandbox Azure GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 for each node.

    After all VM clones on all nodes are configured, you can change the Clone # to a higher number.

  3. In a new CLI window, check the VM clone initialization using the diagnose-debug vminit command.
  4. In the FortiSandbox GUI, go to the Dashboard to verify there is a green checkmark beside Windows VM.
  5. To associate file extensions with the custom VM, go to Scan Policy and Object > Scan Profile and open the VM Association tab.

You can now submit scan jobs from the primary node. HA-Cluster supports VM Interaction on each node.