Primary and worker roles
On the primary node, all functionality is available based on your licenses and contracts. This includes accepting files from different input sources, sending alert emails, and generating malware packages. Scan profiles should also be configured on the primary node and will be synchronized to other nodes.
The following table lists the features and their synchronization settings.
- Failover – the related settings are synchronized from primary to secondary during failover.
- Realtime – the related settings are synchronized as soon as changes are applied.
- Realtime* – the related settings are synchronized in realtime only if configured.
| Feature | Secondary | Worker |
|---|---|---|
| **Dashboard > Status** | | |
| Widget settings | Failover | |
| NTP Server settings | Failover | |
| **Security Fabric** | | |
| Device, including FortiClient | Failover | |
| Adapter | Failover | |
| Network Share, including network share scans | Failover | |
| Quarantine | Failover | |
| Sniffer | Failover | |
| FortiNDR | Realtime | Realtime |
| **HA-Cluster** | | |
| Health Check | Failover | |
| **Scan Job** | | |
| Overridden job verdicts | Realtime | Realtime |
| **Scan Policy and Object** | | |
| Scan Profile > Pre-Filter | Realtime | Realtime |
| Scan Profile > Advanced | Realtime | Realtime |
| General > Allow VMs outbound port3 | Realtime* | Realtime* |
| General > Upload | Failover | |
| General > Job Archive | Failover | |
| General > Password/Clean up schedule settings | Realtime | Realtime |
| Job Queue Priority | Realtime | Realtime |
| Allowlist/Blocklist | Realtime | Realtime |
| YARA Rules | Realtime | Realtime |
| Web Category | Realtime | Realtime |
| Customized Rating | Realtime | Realtime |
| Global Network settings | Failover | |
| Threat Intelligence > Generation Settings | Failover | |
| **System** | | |
| Administrators | Failover/Realtime* | Realtime* |
| Device Groups | Failover/Realtime* | Realtime* |
| Certificates | Failover/Realtime* | Realtime* |
| LDAP Servers and RADIUS Servers | Failover/Realtime* | Realtime* |
| Network settings (DNS) | Realtime* | Realtime* |
| Mail Server, including Scheduled Report Configuration | Failover | |
| SNMP | Failover/Realtime* | Realtime* |
| FortiGuard | Realtime* | Realtime* |
| Login Disclaimer | Realtime* | Realtime* |
| System Recovery | Failover/Realtime* | Realtime* |
| Settings | Failover | |
| Admin Profiles Failover | Realtime* | Realtime* |
| **Log & Report** | | |
| Log Servers | Realtime* | Realtime* |
| Local Log | Realtime* | Realtime* |
| **CLI only configuration** | | |
| AI Mode | Realtime | Realtime |
| Device Low-Encryption | Failover | |
| Device Authorization | Failover | |
| File size limit configuration | Realtime | Realtime |
| FortiMail expired timeout | Failover | |
| Network settings (proxy and routing tables) | Realtime* | Realtime* |
| HA Cluster settings (encryption) | Realtime | Realtime |
| OFTPD conserve mode | Failover | |
| Primary node scan power | Failover | |
| Prescan configuration | Realtime | Realtime |
| Remote authentication timeout | Failover | |
| TLS version | Realtime | Realtime |
| Sandboxing embedded URL | Realtime | Realtime |
| FortiMail Url Recheck | Realtime | Realtime |

Although you can assign different VM types to each node in a cluster, we recommend that all nodes share the same VM types. VM types are collected from all nodes and are displayed in the primary node’s Scan Profile > VM Association page, where VM associations can be configured and synchronized for the entire cluster. If an association for a VM type is missing on the worker node, the sandbox scan cannot be completed. For example, if you associate WIN10X64VM to scan all executable files when configuring the Scan Profile on the primary node, but do not enable WIN10X64VM on a worker node, all executable files distributed to that worker are not scanned by a VM.
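
The coverage gap described above can be checked for before files are distributed to a worker that cannot scan them. The following is an added example, not Fortinet code: it runs over a constructed inventory (the node names, the `OTHERVM` type and the data layout are assumptions, not a FortiSandbox export format or API) and lists, per node, the associated VM types that are not enabled there.

```python
# Added example: constructed data, not a FortiSandbox export format or API.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str                      # hypothetical node name
    role: str                      # "primary", "secondary" or "worker"
    enabled_vms: set = field(default_factory=set)


def coverage_gaps(associations, nodes):
    """Return {node name: {vm_type: [file types associated with it]}} for
    every associated VM type that is not enabled on that node.

    associations maps a file type to the VM types chosen for it on the
    primary node's Scan Profile > VM Association page.
    """
    gaps = {}
    for node in nodes:
        missing = {}
        for file_type, vm_types in sorted(associations.items()):
            for vm in sorted(vm_types):
                if vm not in node.enabled_vms:
                    missing.setdefault(vm, []).append(file_type)
        if missing:
            gaps[node.name] = missing
    return gaps


def mixed_vm_types(nodes):
    """True when the nodes do not all share the same VM types."""
    return len({frozenset(n.enabled_vms) for n in nodes}) > 1


# Constructed inventory. WIN10X64VM is the page's example; OTHERVM is a placeholder.
ASSOCIATIONS = {"executable": {"WIN10X64VM"}, "office": {"WIN10X64VM", "OTHERVM"}}
NODES = [
    Node("fsa-primary", "primary", {"WIN10X64VM", "OTHERVM"}),
    Node("fsa-worker1", "worker", {"WIN10X64VM", "OTHERVM"}),
    Node("fsa-worker2", "worker", {"OTHERVM"}),
]

if __name__ == "__main__":
    if mixed_vm_types(NODES):
        print("warning: nodes do not share the same VM types")
    for name, missing in coverage_gaps(ASSOCIATIONS, NODES).items():
        for vm, file_types in missing.items():
            print(f"{name}: {vm} not enabled; affects {', '.join(file_types)}")
```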