Fortinet Document Library

Administration Guide

Main HA-Cluster CLI commands

The table below lists the CLI commands to administer your HA-Cluster.

| Command | Description |
| --- | --- |
| hc-settings | Configure the unit as an HA-Cluster mode unit. Set or unset the cluster failover IP set. |
| hc-status -l | List the status of HA-Cluster units. |
| hc-worker | -a to add that worker or secondary unit to the cluster. -r to remove that worker or secondary unit from the cluster. -u to update that worker or secondary unit information. |
| hc-primary -s<10-100> | Turn on file scan on the primary node with 10% to 100% processing capacity. |
| hc-primary -r<serial number> | Remove the worker or secondary unit with the specified serial number from the primary node. After removing a worker or secondary node, use hc-status -l on the primary node to verify that the worker or secondary node has been removed. |

Setting primary node processing capacity

The primary node requires enough dedicated processing power for job distribution and cluster management. We recommend that for every 5 VM clones on the worker nodes, 1 VM should be removed from the primary node.

Example:

You are using two FSA3KE units to set up a cluster. One FortiSandbox works as the primary node and the other works as the worker node.

The worker node operates 56 VM clones, so the primary node should remove 11 clones from its processing capacity. In this example, the primary node should be running 45 (56 – 11) VM clones.

The CLI command hc-primary -s80 will take the primary node to 80% of its VM processing power, which is 45 clones. This means that even if you configure the primary node to run 56 clones, at any moment, no more than 45 clones can be running.

Example configuration

This example shows the steps for setting up an HA-Cluster using three FortiSandbox units.

Step 1 - Prepare the hardware:

Prepare the following hardware:

  • Eleven cables for network connections.
  • Four 1/10 Gbps switches.
  • Three FortiSandbox units with proper power connections (units A, B, and C). In this example, unit A is the primary node, unit B is the secondary node, and unit C is the worker node.

Note: Put the primary and secondary nodes on different power circuits.

Step 2 - Prepare the subnets:

Prepare four subnets for your cluster (customize as needed):

  • Switch A: 192.168.1.0/24: For system management.
    • Gateway address: 192.168.1.1
    • External management IP address: 192.168.1.99
  • Switch B: 192.168.2.0/24: For internal cluster communications.
  • Switch C: 192.168.3.0/24: For the outgoing port (port 3) on each unit.
    • Gateway address: 192.168.3.1
  • Switch D: 192.168.4.0/24: For the file submission port (port 4) on the primary and secondary unit.

Step 3 - Set up the physical connections:
  1. Connect port 1 of each FortiSandbox device to Switch A.
  2. Connect port 2 of each FortiSandbox device to Switch B.
  3. Connect port 3 of each FortiSandbox device to Switch C.
  4. Connect port 4 of the primary and secondary FortiSandbox device to Switch D.

Step 4 - Configure the primary:
  1. Power on the device (Unit A), and log into the CLI (see CLI overview).
  2. Configure the port IP addresses and gateway address with the following commands:

    set port1-ip 192.168.1.99/24
    set port2-ip 192.168.2.99/24
    set port3-ip 192.168.3.99/24
    set port4-ip 192.168.4.99/24
    set default-gw 192.168.1.1

  3. Configure the device as the primary node and set its cluster failover IPs for port1 and port4 with the following commands:

    hc-settings -sc -tM -nPrimaryA -cTestHCsystem -ppassw0rd -iport2
    hc-settings -si -iport1 -a192.168.1.98/24
    hc-settings -si -iport4 -a192.168.4.98/24

    For information about CLI commands, see the FortiSandbox CLI Reference Guide on the Fortinet Document Library.

  4. Review the cluster status with the following command:

    hc-status -l

    Other ports on the device can be used for file inputs.

Step 5 - Configure the secondary:
  1. Power on the device (Unit B), and log into the CLI.
  2. Configure the port IP addresses and gateway address with the following commands:

    set port1-ip 192.168.1.100/24
    set port2-ip 192.168.2.100/24
    set port3-ip 192.168.3.100/24
    set port4-ip 192.168.4.100/24
    set default-gw 192.168.1.1

  3. Configure the device as the secondary node with the following commands:

    hc-settings -sc -tP -nSecondaryB -cTestHCsystem -ppassw0rd -iport2
    hc-settings -l
    hc-worker -a -s192.168.2.99 -ppassw0rd

  4. Review the cluster status with the following command:

    hc-status -l

Step 6 - Configure the worker:
  1. Power on the device (Unit C), and log into the CLI.
  2. Configure the port IP addresses and gateway address with the following commands:

    set port1-ip 192.168.1.101/24
    set port2-ip 192.168.2.101/24
    set port3-ip 192.168.3.101/24
    set default-gw 192.168.1.1

  3. Configure the device as a worker node with the following commands:

    hc-settings -sc -tR -cTestHCsystem -ppassw0rd -nWorkerC -iport2
    hc-settings -l
    hc-worker -a -s192.168.2.99 -ppassw0rd

  4. Review the cluster status with the following command:

    hc-status -l

Step 7 - Configure client devices to send files to FortiSandbox port4 failover IP:
  1. Configure client devices to use unit A port4’s failover IP to submit files so that during failover, the new primary node (unit B) port4 will take over that IP.

    In FortiGate, enable FortiSandbox and connect it to the port4's failover IP.

  2. If you enable adapters such as ICAP, BCC, or MTA on the primary port4’s failover IP, you must specify that failover IP in the adapter’s client configuration so that adapter clients send traffic to the FortiSandbox HA cluster. The following examples are for BCC and ICAP settings.

Step 8 - Configure the following settings on each unit:
  • In Scan Policy and Object > VM Settings, set each unit's clone number.
  • Configure Network settings such as default gateway, static route, and system DNS.
  • In Scan Policy and Object > General Settings set port3 gateway and DNS server.

Scan-related settings, such as the scan profile, should be set on the primary unit only; they will be synchronized to the worker node. For details, see Primary's role and worker's role.

Scan-input-related settings should be set on the primary node only, because only the primary node receives input files.

Note: If you use the GUI to change a role from worker to standalone, you must remove the worker from the primary using the CLI command hc-primary -r<serial number>; then use hc-status -l to verify that the worker unit has been removed.
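
A pre-flight check for the plan in Steps 2 and 4 to 6, as an added example (not Fortinet code): it parses the planned CLI lines offline and reports ports outside their Step 2 subnet, failover IPs that are off-subnet or already assigned, units that disagree on cluster name or password, the guide's sample password left in place, and non-ASCII dashes picked up by copy/paste. The names `lint`, `SUBNETS` and `SAMPLE`, and the reading of each option as one letter followed by its value (as the commands appear on this page), are assumptions of this example.

```python
import ipaddress

# Step 2 plan: portN belongs in 192.168.N.0/24 (the page's sample subnets).
SUBNETS = {f"port{n}": ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 5)}

def lint(plan, placeholders=("passw0rd",)):
    """plan maps unit name -> planned CLI text; returns a list of findings."""
    out, owner, failover, joins = [], {}, [], set()
    for unit, text in plan.items():
        for cmd in filter(None, map(str.strip, text.splitlines())):
            if not cmd.isascii():  # e.g. an en dash pasted in place of "-"
                out.append(f"{unit}: non-ASCII character in: {cmd}")
                continue
            verb, *args = cmd.split()
            if verb == "set" and len(args) == 2 and args[0].endswith("-ip"):
                port, addr = args[0][:-3], ipaddress.ip_interface(args[1])
                if addr.network != SUBNETS.get(port):
                    out.append(f"{unit}: {port} {addr} is outside {SUBNETS.get(port)}")
                if addr.ip in owner:
                    out.append(f"{unit}: {addr.ip} already used by {owner[addr.ip]}")
                owner[addr.ip] = unit
            elif verb == "hc-settings":
                o = {a[1]: a[2:] for a in args if len(a) > 1}  # "-iport2" -> i: port2
                if o.get("s") == "c":  # cluster membership line
                    joins.add((o.get("c"), o.get("p")))
                    if o.get("i") != "port2":
                        out.append(f"{unit}: cluster traffic not on port2")
                    if o.get("p") in placeholders:
                        out.append(f"{unit}: cluster password is a documentation sample")
                elif o.get("s") == "i" and "a" in o:  # failover IP line
                    failover.append((unit, o.get("i"), ipaddress.ip_interface(o["a"])))
    for unit, port, addr in failover:  # checked last, once every unit IP is known
        if addr.network != SUBNETS.get(port) or addr.ip in owner:
            out.append(f"{unit}: failover {addr} on {port} is off-subnet or in use")
    if len(joins) > 1:
        out.append("units disagree on cluster name or password")
    return out

# Constructed sample: Steps 4-5 abridged, with a mangled dash and a wrong subnet.
SAMPLE = {
    "A": """set port1-ip 192.168.1.99/24
            set port2-ip 192.168.2.99/24
            hc-settings -sc -tM -nPrimaryA -cTestHCsystem -ppassw0rd -iport2
            hc-settings -si \u2013iport4 -a192.168.4.98/24""",
    "B": """set port1-ip 192.168.1.100/24
            set port2-ip 192.168.3.100/24
            hc-settings -sc -tP -nSecondaryB -cTestHCsystem -ppassw0rd -iport2""",
}
for finding in lint(SAMPLE):
    print(finding)
```

The cluster password also appears in clear text on every `hc-settings` and `hc-worker` line, so keep planned command files out of shared tickets and shell history.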
