Fortinet black logo

Best Practices

Home FortiSandbox 4.4.0 Best Practices

Setting up a FortiSandbox VM00 as Primary node for high availability

4.4.0
4.4.0
4.2.0
4.0.0
3.2.0
3.1.0
3.0.0
Copy Link
Copy Doc ID 337cd289-2003-11ee-8e6d-fa163e15d75b:330135
Download PDF

Setting up a FortiSandbox VM00 as Primary node for high availability

A popular FortiSandbox HA-cluster deployment is based on using FortiSandbox VM00 as a Primary node and one or more FortiSandbox appliances or virtual machines as Worker nodes. A second FortiSandbox VM00 as a Secondary node is highly recommended to make Sandboxing services fault tolerant and configuration simpler.

To set up and operate a healthy and scalable cluster with VM00:
  1. H/W Requirements of Primary and Secondary nodes:

    • Minimum configuration: Set up the with minimum of: 4 vCPU, 8 GB RAM and 200 GB SSD drive.
    • Recommended configuration: 16 vCPU, 32 GB RAM and 1 TB SSD drive.
  2. Network Setup:

    • Make sure that network topology, routing and DNS settings of Primary and Secondary nodes are the same.
    • Configure a cluster level failover IP on all ports to provide Sandboxing accessibility (admin-port, api-port, ICAP and MTA/BCC ports).
    • Enable Promiscuous mode in the hypervisor settings (if applicable) to ensure correct operation of failover IP.
  3. Configurations on Primary and Secondary nodes;

    • Do not install Windows VMs on these nodes. If these nodes already have them installed, set VM clone number to zero (0)
  4. Licenses:

    • Make sure to acquire a FortiCare Premium Support Only subscription for the Primary and Secondary nodes configured without any VM Clones. And, make sure to acquire a Sandbox Threat Intelligence subscription for all worker nodes.
    • Additional licenses (such as Windows, Office and Custom VM) are only required on nodes with VM Clones configured (i.e. Worker nodes).
Previous
Next

Setting up a FortiSandbox VM00 as Primary node for high availability

A popular FortiSandbox HA-cluster deployment is based on using FortiSandbox VM00 as a Primary node and one or more FortiSandbox appliances or virtual machines as Worker nodes. A second FortiSandbox VM00 as a Secondary node is highly recommended to make Sandboxing services fault tolerant and configuration simpler.

To set up and operate a healthy and scalable cluster with VM00:
  1. H/W Requirements of Primary and Secondary nodes:

    • Minimum configuration: Set up the with minimum of: 4 vCPU, 8 GB RAM and 200 GB SSD drive.
    • Recommended configuration: 16 vCPU, 32 GB RAM and 1 TB SSD drive.
  2. Network Setup:

    • Make sure that network topology, routing and DNS settings of Primary and Secondary nodes are the same.
    • Configure a cluster level failover IP on all ports to provide Sandboxing accessibility (admin-port, api-port, ICAP and MTA/BCC ports).
    • Enable Promiscuous mode in the hypervisor settings (if applicable) to ensure correct operation of failover IP.
  3. Configurations on Primary and Secondary nodes;

    • Do not install Windows VMs on these nodes. If these nodes already have them installed, set VM clone number to zero (0)
  4. Licenses:

    • Make sure to acquire a FortiCare Premium Support Only subscription for the Primary and Secondary nodes configured without any VM Clones. And, make sure to acquire a Sandbox Threat Intelligence subscription for all worker nodes.
    • Additional licenses (such as Windows, Office and Custom VM) are only required on nodes with VM Clones configured (i.e. Worker nodes).
Previous
Next