Administration Guide

HA-Cluster pre-requisites

  • Primary and secondary units are the same model and configuration. We recommend using FortiSandbox 2000E or higher hardware or FortiSandbox VM with SSD drives as primary and secondary nodes in a cluster with multiple worker nodes.

    The worker unit can be a different model and have a different set of Windows VMs from the primary or secondary units.

  • HA-Cluster requires port1 on all nodes to be accessible. Nodes use that port to communicate with each other.

    Port1 is the admin port by default. Other available ports can also be used as the admin port.

  • Port3 on all nodes should be connected to the Internet separately.
  • All nodes should be on the same firmware build.
  • Each node should have a dedicated network port for internal cluster communication.

    Internal cluster communication is encrypted and includes:

    • Job dispatch
    • Job result reply
    • Setting synchronization
    • Cluster topology broadcasting
    Caution

    The system time must be synchronized on all nodes in the HA cluster. This prevents out-of-sync job results, logs and statistics. It also prevents the secondary device from becoming the primary device during reboot.

    We recommend that the internal communication ports be connected to the same switch and have IP addresses in the same subnet. If the job load is heavy, we recommend using the 10G fiber port as the internal communication port.

    Note

    We do not recommend using port1, or any other administrative port set through the CLI command set admin-port, as the internal communication port.
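
The prerequisites above can be checked against a planned node inventory before the cluster is built. The following is an added example, not part of the Fortinet documentation and not a FortiSandbox tool: the inventory fields, node names, build labels, addresses and the 5-second skew tolerance are all assumptions made for illustration.

```python
import ipaddress

def check_cluster(nodes, max_skew_seconds=5):
    """Return a list of prerequisite violations for a planned HA cluster.

    max_skew_seconds is an assumed tolerance; the guide only says time must be in sync.
    """
    problems = []
    # Primary and secondary units must be the same model (workers may differ).
    ha = [n for n in nodes if n["role"] in ("primary", "secondary")]
    if len({n["model"] for n in ha}) > 1:
        problems.append("primary/secondary model mismatch")
    # All nodes should be on the same firmware build.
    if len({n["build"] for n in nodes}) > 1:
        problems.append("firmware build mismatch")
    subnets = set()
    for n in nodes:
        # port1 or the configured admin port should not carry cluster traffic.
        if n["cluster_port"] in ("port1", n["admin_port"]):
            problems.append(f"{n['name']}: cluster port is an administrative port")
        subnets.add(ipaddress.ip_interface(n["cluster_ip"]).network)
    # Internal communication ports are recommended to share one subnet.
    if len(subnets) > 1:
        problems.append("cluster ports are in different subnets")
    # System time must be synchronized across all nodes.
    clocks = [n["epoch"] for n in nodes]
    if max(clocks) - min(clocks) > max_skew_seconds:
        problems.append("system time out of sync")
    return problems

# Constructed inventory (hypothetical names, builds and documentation-range IPs).
GOOD = [
    {"name": "fsa-a", "role": "primary", "model": "FortiSandbox 2000E", "build": "BUILD-X",
     "admin_port": "port1", "cluster_port": "port2", "cluster_ip": "192.0.2.11/24", "epoch": 1700000000},
    {"name": "fsa-b", "role": "secondary", "model": "FortiSandbox 2000E", "build": "BUILD-X",
     "admin_port": "port1", "cluster_port": "port2", "cluster_ip": "192.0.2.12/24", "epoch": 1700000000},
    {"name": "fsa-c", "role": "worker", "model": "FortiSandbox VM", "build": "BUILD-X",
     "admin_port": "port1", "cluster_port": "port2", "cluster_ip": "192.0.2.13/24", "epoch": 1700000000},
]
# Same inventory with a build mismatch, port1 reused for cluster traffic,
# a worker in another subnet, and a 90-second clock drift.
BAD = [
    GOOD[0],
    {**GOOD[1], "build": "BUILD-Y", "cluster_port": "port1"},
    {**GOOD[2], "cluster_ip": "198.51.100.13/24", "epoch": 1700000090},
]

if __name__ == "__main__":
    for finding in check_cluster(BAD):
        print("FAIL:", finding)
```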
