Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 3.1.2 Administration Guide
    3.1.2
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Main HA-Cluster CLI commands

    Main HA-Cluster CLI commands

    In the master and primary slave node, you must enable interface port1 so that they can communicate with each other.

    hc-settings

    Configure the unit as a HA-Cluster mode unit. Configure cluster failover IP set.

    hc-status -l

    List the status of HA-Cluster units.

    hc-slave

    -a to add that slave unit to the cluster.

    -r to remove that slave unit from the cluster.

    -u to update that slave unit information.

    hc-master -s<10-100>

    Turn on file scan on the master node with 10% to 100% processing capacity.

    hc-master -r<slave serial number>

    Remove the slave unit with the specified serial number from the master node.

    After removing a slave node, use hc-status -l on the master node to verify that the slave unit has been removed.

    Example configuration

    This example shows the steps for setting up an HA-Cluster using three FortiSandbox 3000D units.

    Step 1 - Prepare the hardware:

    The following hardware will be required:

    • Nine cables for network connections.
    • Three 1/10 Gbps switches.
    • Three FortiSandbox 3000D units with proper power connections (units A, B, and C).
    note icon

    Put the master and primary slaves on different power circuits.
    Step 2 - Prepare the subnets:

    Prepare three subnets for your cluster (customize as needed):

    • Switch A: 192.168.1.0/24: For system management.
      • Gateway address: 192.168.1.1
      • External management IP address: 192.168.1.99
    • Switch B: 192.168.2.0/24: For internal cluster communications.
    • Switch C: 192.168.3.0/24: For the outgoing port (port 3) on each unit.
      • Gateway address: 192.168.3.1
    Step 3 - Setup the physical connections:
    1. Connect port 1 of each FortiSandbox device to Switch A.
    2. Connect port 2 of each FortiSandbox device to Switch B.
    3. Connect port 3 of each FortiSandbox device to Switch C.
    Step 4 - Configure the master:
    1. Power on the device (Unit A), and log into the CLI (See Connecting to the Command Line Interface)
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.99/24

      set port2-ip 192.168.2.99/24

      set port3-ip 192.168.3.99/24

    3. Configure the device as the master node and its cluster failover IP for Port1 with the following commands:

      4. hc-settings -sc -tM -nMasterA -cTestHCsystem -ppassw0rd -iport2

      hc-settings -si -iport1 -a192.168.1.98/24

      See the FortiSandbox CLI Reference Guide available on the Fortinet Document Library for more information about the CLI commands.

    4. Review the cluster status with the following command:

      5. hc-status -l

      Other ports on the device can be used for file inputs.

    Step 5 - Configure the primary slave:
    1. Power on the device (Unit B), and log into the CLI.
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.100/24

      set port2-ip 192.168.2.100/24

      set port3-ip 192.168.3.100/24

    3. Configure the device as the primary slave node with the following commands:

      4. hc-settings -s -tP -nPslaveB -cTestHCsystem -ppassw0rd -iport2

      hc-settings -l

      hc-slave -a -s192.168.2.99 -ppassw0rd

    4. Review the cluster status with the following command:

      5. hc-status -l

    Step 6 - Configure the regular slave:
    1. Power on the device (Unit C), and log into the CLI.
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.101/24

      set port2-ip 192.168.2.101/24

      set port3-ip 192.168.3.101/24

    3. Configure the device as a slave node with the following commands:

      4. hc-settings -s -tR -cTestHCsystem -ppassw0rd -nSlaveC -iport2

      hc-settings -l

      hc-slave -a -s192.168.2.99 -ppassw0rd

    4. Review the cluster status with the following command:

      5. hc-status -l

    Step 7 - Configure other settings:

    VM Image settings and network settings, such as default gateway, static route, and DNS servers etc., should be configured on each unit individually. Scan related settings, such as the scan profile, should be set on master unit only; they will be synchronized to the slave node. For more details, refer to Master's role and slave's role.

    Step 8 - Finish:

    The HA-Cluster can now be treated like a single, extremely powerful standalone FortiSandbox unit.

    In this example, files are submitted to, and reports and logs are available over IP address 192.168.1.99.

    tooltip icon

    FortiSandbox 3500D is configured as a cluster system, with blade 1 configured as the master node, blade 2 as the primary slave node, and the other blades as regular slave nodes.
    note icon

    If you use the GUI to change a role from slave to standalone, you must remove the slave from the master using the CLI command hc-master -r<slave serial number>; then use hc-status -l to verify that the slave unit has been removed.
    Previous
    Next

    Main HA-Cluster CLI commands

    Main HA-Cluster CLI commands

    In the master and primary slave node, you must enable interface port1 so that they can communicate with each other.

    hc-settings

    Configure the unit as a HA-Cluster mode unit. Configure cluster failover IP set.

    hc-status -l

    List the status of HA-Cluster units.

    hc-slave

    -a to add that slave unit to the cluster.

    -r to remove that slave unit from the cluster.

    -u to update that slave unit information.

    hc-master -s<10-100>

    Turn on file scan on the master node with 10% to 100% processing capacity.

    hc-master -r<slave serial number>

    Remove the slave unit with the specified serial number from the master node.

    After removing a slave node, use hc-status -l on the master node to verify that the slave unit has been removed.

    Example configuration

    This example shows the steps for setting up an HA-Cluster using three FortiSandbox 3000D units.

    Step 1 - Prepare the hardware:

    The following hardware will be required:

    • Nine cables for network connections.
    • Three 1/10 Gbps switches.
    • Three FortiSandbox 3000D units with proper power connections (units A, B, and C).
    note icon

    Put the master and primary slaves on different power circuits.
    Step 2 - Prepare the subnets:

    Prepare three subnets for your cluster (customize as needed):

    • Switch A: 192.168.1.0/24: For system management.
      • Gateway address: 192.168.1.1
      • External management IP address: 192.168.1.99
    • Switch B: 192.168.2.0/24: For internal cluster communications.
    • Switch C: 192.168.3.0/24: For the outgoing port (port 3) on each unit.
      • Gateway address: 192.168.3.1
    Step 3 - Setup the physical connections:
    1. Connect port 1 of each FortiSandbox device to Switch A.
    2. Connect port 2 of each FortiSandbox device to Switch B.
    3. Connect port 3 of each FortiSandbox device to Switch C.
    Step 4 - Configure the master:
    1. Power on the device (Unit A), and log into the CLI (See Connecting to the Command Line Interface)
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.99/24

      set port2-ip 192.168.2.99/24

      set port3-ip 192.168.3.99/24

    3. Configure the device as the master node and its cluster failover IP for Port1 with the following commands:

      4. hc-settings -sc -tM -nMasterA -cTestHCsystem -ppassw0rd -iport2

      hc-settings -si -iport1 -a192.168.1.98/24

      See the FortiSandbox CLI Reference Guide available on the Fortinet Document Library for more information about the CLI commands.

    4. Review the cluster status with the following command:

      5. hc-status -l

      Other ports on the device can be used for file inputs.

    Step 5 - Configure the primary slave:
    1. Power on the device (Unit B), and log into the CLI.
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.100/24

      set port2-ip 192.168.2.100/24

      set port3-ip 192.168.3.100/24

    3. Configure the device as the primary slave node with the following commands:

      4. hc-settings -s -tP -nPslaveB -cTestHCsystem -ppassw0rd -iport2

      hc-settings -l

      hc-slave -a -s192.168.2.99 -ppassw0rd

    4. Review the cluster status with the following command:

      5. hc-status -l

    Step 6 - Configure the regular slave:
    1. Power on the device (Unit C), and log into the CLI.
    2. Configure the port IP addresses and gateway address with the following commands:

      3. set port1-ip 192.168.1.101/24

      set port2-ip 192.168.2.101/24

      set port3-ip 192.168.3.101/24

    3. Configure the device as a slave node with the following commands:

      4. hc-settings -s -tR -cTestHCsystem -ppassw0rd -nSlaveC -iport2

      hc-settings -l

      hc-slave -a -s192.168.2.99 -ppassw0rd

    4. Review the cluster status with the following command:

      5. hc-status -l

    Step 7 - Configure other settings:

    VM Image settings and network settings, such as default gateway, static route, and DNS servers etc., should be configured on each unit individually. Scan related settings, such as the scan profile, should be set on master unit only; they will be synchronized to the slave node. For more details, refer to Master's role and slave's role.

    Step 8 - Finish:

    The HA-Cluster can now be treated like a single, extremely powerful standalone FortiSandbox unit.

    In this example, files are submitted to, and reports and logs are available over IP address 192.168.1.99.

    tooltip icon

    FortiSandbox 3500D is configured as a cluster system, with blade 1 configured as the master node, blade 2 as the primary slave node, and the other blades as regular slave nodes.
    note icon

    If you use the GUI to change a role from slave to standalone, you must remove the slave from the master using the CLI command hc-master -r<slave serial number>; then use hc-status -l to verify that the slave unit has been removed.
    Previous
    Next