Optional: Using HA-Cluster
You can set up multiple FortiSandbox instances in a load-balancing HA (High Availability) cluster. For information about using HA clusters, see the FortiSandbox Administration Guide.
Launching an HA-Cluster
To launch FortiSandbox instances on OCI:
-
On the OCI Launch Instances page, launch FortiSandbox primary instances and other cluster member instances from the OCI marketplace first.
-
Edit the Attached VNICs settings. Assign Network interface 1 to the FortiSandbox firmware subnet of port1 (for example,
10.0.1.x
). Add two additional network interfaces under the dedicated subnets for all HA-Cluster nodes.-
Create Network interface 2, cluster inter-communication for HA-Cluster communication.
-
Create Network interface 3, local Windows clone communication for custom VM.
-
Repeat the above steps with all other cluster FortiSandbox members.
-
-
Edit the Security List in OCI VNC, and open the following ports for HA-Cluster communication:
In cluster mode, FortiSandbox uses TCP ports 2015 and 2018 for cluster internal communication. TCP 443 is used to access the dashboard of the work node from the primary node. If the unit works as a Collector to receive threat information from other units, it uses TCP port 2443.
-
TCP 2015 (Source: port2 subnet, Example:10.0.3.0/24)
-
TCP 2018 (Source: port2 subnet, Example:10.0.3.0/24)
-
TCP 443 (Source: port2 subnet, Example:10.0.3.0/24)
-
To configure API Access users on OCI:
-
In OCI, go to Identity & Security > Users, click Create User, and select IAM User. Enter the Name and Description, then click Create.
-
Go to the IAM User you just created and click Add User to Group, the select and add the user to the Administrators group
Adding the user to the Administrators group is important for the FortiSandbox HA cluster feature to work correctly, as it requires permissions to perform certain actions in OCI.)
-
Go to IAM User just created previously, and go to the API Keys tab.
-
Click Add API Key, and select Generate API Key Pair.
-
Click Download Private Key. Keep this private key file in safe place, you will need it later when setting up FortiSandbox HA cluster.
-
Click Add.
-
-
Go to the IAM User you created and click View Configuration file.
-
Use the copy link to copy Configuration File content and paste it into a text file.
-
Save the file and change the file extension from .txt to .key (for example,
my_iam_user_access_key.key
). Keep this file in a secure location. You need it later to set up the FortiSandbox HA cluster along with the private key file you previously downloaded.
-
Configuring the OCI config settings
To configure the OCI config settings:
-
Log in to the primary OCI FortiSandbox instance.
-
Go to System > OCI Config and click the Configuration Wizard button.
-
In the Configuration File option, upload the configuration file you saved previously (
xxx.key
). In the Private Key option, upload the private key file you saved previously (xxx.pem
). -
Click Connection Test to verify that the connection to OCI is working with the current configuration. If successful, a pop-up message saying OCI is accessible with current config will appear.
-
Click Submit to save the configuration and connect to OCI.
-
Repeat the steps above on all OCI FortiSandbox cluster member instances.
To configure an HA-Cluster with the CLI:
Configure the primary node:
hc-settings -sc -tM –n<PrimaryNodeName> -c<ClusterName> -p <AuthenticationCode> -iport2
hc-settings -si -iport1 –a<FailoverIP/netmask>
Example:
hc-settings -sc -tM -nMyPrimaryNode -cMyCluster -p123456 -iport2
hc-settings -si -iport1 -a10.0.1.9/24
Configure the secondary node:
hc-settings -sc -tP -n<SecondaryNodeName> -c<ClusterName> -p<AuthenticationCode> -iport2
hc-worker -a –s<PrimaryNodePort2PrivateIP> -p<AuthenticationCode>
Example:
hc-settings -sc -tP -nMySecondaryNode -cMyCluster -p123456 -iport2
hc-worker -a -s10.0.3.10 -p123456
Configure the first worker node:
hc-settings -sc -tR -n<WorkerNodeName1> -c<ClusterName> -p<AuthenticationCode> -iport2
hc-worker -a –s<PrimaryNodePort2PrivateIP> -p<AuthenticationCode>
Example:
hc-settings -sc -tR -nWorkerNode1 -cMyCluster -p123456 -iport2
hc-worker -a -s10.0.3.10 -p123456
If necessary, configure consecutive worker nodes:
hc-settings -sc -tR -n<WorkerNodeName2> -c<ClusterName> -p<AuthenticationCode> -iport2
hc-worker -a –s<PrimaryNodePort2PrivateIP> -p<AuthenticationCode>
Example:
hc-settings -sc -tR -nWorkerNode2 -cMyCluster -p123456 -iport2
hc-worker -a -s10.0.3.10 -p123456
To check the status of the HA-Cluster:
On the primary node, use the following CLI command to view the status of all units in the cluster.
hc-status -l
To use a custom VM on an HA-Cluster:
-
Install the local custom VMs on the primary node as well as each worker node using the FortiSandbox CLI command:
vm-customized
. -
In the FortiSandbox GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 for each node. After all VM clones on all nodes are configured, you can change the Clone # to a higher number.
-
In a new CLI window, check the VM clone initialization using the command:
diagnose-debug vminit
. -
In the FortiSandbox GUI, go to the Dashboard to verify there is a green checkmark beside Windows VM.
-
To associate file extensions to the custom VM, go to Scan Policy > Scan Profile to the VM Association tab.
You can now submit scan jobs from the primary node. HA-Cluster supports VM Interaction on each node.