Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.2.1 Administration Guide
    4.2.1
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    HA-Cluster

    HA-Cluster

    A single FortiSandbox device can scan a limited number of files in a given time period. To handle heavier loads, you can use multiple FortiSandbox devices in a load-balancing high availability (HA) cluster.

    There are three types of nodes in a cluster: primary, secondary, and worker.

    Primary

    The primary node (Unit 1 in the diagram) manages the cluster, distributes jobs and gathers the results, and interacts with clients. It can also perform normal file scans. All scan-related configuration should be done on the primary node and they will be broadcasted from the primary node to the other nodes. Any scan-related configuration that has been set on a worker node will be overwritten.

    On the primary node, users can:

    • Change a worker node's role (secondary and worker)
    • Configure a worker node's network settings
    • Upgrade worker nodes
    • View VM status page of worker nodes
    • Configure FortiGuard settings of worker nodes
    • Configure VM images of worker nodes, such as setting clone numbers of each VM image
    • Configure a ping server to frequently check unit's network condition and downgrade itself as a secondary node when necessary to trigger a failover

    Although all FortiSandbox models can work as a primary node, we recommend using a more powerful model.

    When the primary and secondary nodes are using a FortiSandbox VM model, you have the option of deploying without VM Clones. See, Deploying primary and secondary nodes without VM Clones.

    Secondary

    The secondary node (Unit 2 in the diagram) is for HA support and normal file scans. It monitors the primary node's condition and, if the primary fails, the secondary will assume the role of primary. The former primary will then become a secondary when it is back up.

    To support failover, ensure both the primary and secondary nodes are configured correctly:

    • Both the primary and secondary nodes must be the same model.
    • Both nodes must have the same network interface configuration, including:
      • The same subnet for port1.
      • The same subnet for port2.
      • The same subnet for port3.
      • The same routing table.

    The secondary node is not required to set up a HA-Cluster but is recommended.

    When the primary and secondary nodes are using a FortiSandbox VM model, you have the option of deploying without VM Clones. See, Deploying primary and secondary nodes without VM Clones.

    Worker

    The worker nodes (Units 3–5 in the diagram) perform normal file scans and report results back to the primary and secondary nodes. They can also store detailed job information. Workers should have their own network settings and VM image settings.

    Workers can be any FortiSandbox model including FortiSandbox VM. Workers in a cluster do not need to be the same model.

    The total number of worker nodes, including the secondary node, cannot exceed 100.

    For heavy job loads, use more powerful FortiSandbox models.

    Deploying primary and secondary nodes without VM Clones

    When the primary and secondary node are using a FortiSandbox VM00 model, you have the option of deploying without VM Clones (i.e. dispatcher). That VM00 deployment dedicates its full VM resources for HA support, receiving incoming files and distribution of files to the worker nodes. There is no scan performed on the VM00. On this type of VM00 deployment, only the FortiCare Premium Support subscription is necessary as all the scans are performed on the worker nodes.

    Previous
    Next

    HA-Cluster

    HA-Cluster

    A single FortiSandbox device can scan a limited number of files in a given time period. To handle heavier loads, you can use multiple FortiSandbox devices in a load-balancing high availability (HA) cluster.

    There are three types of nodes in a cluster: primary, secondary, and worker.

    Primary

    The primary node (Unit 1 in the diagram) manages the cluster, distributes jobs and gathers the results, and interacts with clients. It can also perform normal file scans. All scan-related configuration should be done on the primary node and they will be broadcasted from the primary node to the other nodes. Any scan-related configuration that has been set on a worker node will be overwritten.

    On the primary node, users can:

    • Change a worker node's role (secondary and worker)
    • Configure a worker node's network settings
    • Upgrade worker nodes
    • View VM status page of worker nodes
    • Configure FortiGuard settings of worker nodes
    • Configure VM images of worker nodes, such as setting clone numbers of each VM image
    • Configure a ping server to frequently check unit's network condition and downgrade itself as a secondary node when necessary to trigger a failover

    Although all FortiSandbox models can work as a primary node, we recommend using a more powerful model.

    When the primary and secondary nodes are using a FortiSandbox VM model, you have the option of deploying without VM Clones. See, Deploying primary and secondary nodes without VM Clones.

    Secondary

    The secondary node (Unit 2 in the diagram) is for HA support and normal file scans. It monitors the primary node's condition and, if the primary fails, the secondary will assume the role of primary. The former primary will then become a secondary when it is back up.

    To support failover, ensure both the primary and secondary nodes are configured correctly:

    • Both the primary and secondary nodes must be the same model.
    • Both nodes must have the same network interface configuration, including:
      • The same subnet for port1.
      • The same subnet for port2.
      • The same subnet for port3.
      • The same routing table.

    The secondary node is not required to set up a HA-Cluster but is recommended.

    When the primary and secondary nodes are using a FortiSandbox VM model, you have the option of deploying without VM Clones. See, Deploying primary and secondary nodes without VM Clones.

    Worker

    The worker nodes (Units 3–5 in the diagram) perform normal file scans and report results back to the primary and secondary nodes. They can also store detailed job information. Workers should have their own network settings and VM image settings.

    Workers can be any FortiSandbox model including FortiSandbox VM. Workers in a cluster do not need to be the same model.

    The total number of worker nodes, including the secondary node, cannot exceed 100.

    For heavy job loads, use more powerful FortiSandbox models.

    Deploying primary and secondary nodes without VM Clones

    When the primary and secondary node are using a FortiSandbox VM00 model, you have the option of deploying without VM Clones (i.e. dispatcher). That VM00 deployment dedicates its full VM resources for HA support, receiving incoming files and distribution of files to the worker nodes. There is no scan performed on the VM00. On this type of VM00 deployment, only the FortiCare Premium Support subscription is necessary as all the scans are performed on the worker nodes.

    Previous
    Next