Configuring High Availability
Requirements for Successful HA Implementation
- Make sure your FortiSIEM License has HA enabled.
- All Supervisor nodes must have the same hardware resources (CPU, memory, disk).
- All appliances (Supervisors and Workers) must have the same version of firmware.
- Make sure the load balancer DNS name, or the Supervisor DNS names if a load balancer is not used, are resolvable.
- The Supervisor should not be the only ClickHouse Keeper node. We recommend 3 Keeper nodes, and preferably the Supervisor is not one of them.
Add Primary Follower
This section describes how to install and configure a Follower Supervisor node for the Primary Site.
Installation
Note that you need a High Availability License to add a Follower.
Follow the appropriate Installation Guide, available in the FortiSIEM Doc Library. During the installation process, select 5 Supervisor Follower at the Config Target window and complete the installation.
Configuration
Note that the Primary Follower node will be added to the end of the linked list of currently configured Supervisors. For example, if you currently have only one Supervisor node, then the new Follower node will follow the currently installed Supervisor (which is the Leader). If you currently have one Supervisor and one Follower node, e.g. Leader -> Follower1, then the new Follower node will follow the last Follower node, e.g. Leader -> Follower1 -> Follower2.
When you add a Follower node via the GUI, FortiSIEM will automatically detect the last Follower node and configure the new node to follow it; that last Follower node can be considered the new node's Leader. The new Follower node needs to get the Profile database and SVN-Lite configuration from its Leader via rsync (using SSH keys).
Before you begin to add the Follower node, obtain its UUID and SSH public key. See Collecting UUID and SSH Public Key for the steps to acquire them.
To add a Follower node, take the following steps.
- Login to GUI and navigate to ADMIN > License > Nodes.
- On the Add Node window, in the Mode drop-down list, select Primary Follower. FortiSIEM will automatically detect the Leader for this new node. The Leader node configuration fields appear in the left column, and the Follower node configuration fields appear in the right column.
- Under the Follower column, enter the following information.
  - In the Host Name field, enter the host name of the Follower node.
  - In the IP Address field, enter the IP of the Follower node.
  - In the SSH Public Key field, enter/paste the SSH Public Key of the Follower node that you obtained earlier.
- For the SSH Private Key Path, enter the following into the field:
  /opt/phoenix/bin/.ssh/id_rsa
- For Replication Frequency, select a value indicating how frequently the Profile database and SVN-lite files will be rsynced by the Follower node. The default of 10 minutes is adequate for most operations.
- Click Save.
  At this point, the Primary Follower is being linked to the Primary Leader. The progress will be displayed in the GUI.
  When completed, the message "Supervisor Added Successfully" will appear.
  The Follower node will be added to the ADMIN > License > Nodes page.
- If you are running ClickHouse or a Local disk setup, then you need to set up storage for the Primary Follower. In these cases, the Primary Follower local disk setup should be identical to that of the Primary Leader. Take the following steps:
  - Login to GUI and navigate to ADMIN > Setup > Storage.
  - Click Online and add a storage.
  - Click Test, then Deploy.
- If you have NFS Archive set up, then you need to set up NFS Archive on the Primary Follower. The setup should be identical to that of the Primary Leader. Take the following steps:
  - Login to GUI and navigate to ADMIN > Setup > Storage.
  - Click Archive, choose NFS and add the mount point.
  - Click Test, then Deploy.
- If you are running real-time Archive with HDFS, and have added Workers after the real-time Archive has been configured, then you will need to perform a Test and Deploy for HDFS Archive again from the GUI. This will enable HDFSMgr to know about the newly added Workers. If you have set up real-time Archive to HDFS, then you need to take the following steps to let HDFSMgr know about the Primary Follower.
  - Login to GUI.
  - Navigate to ADMIN > Setup > Storage.
  - Click Archive, and choose HDFS.
  - Click Test, then Deploy.
Configure Load Balancer
- First set up an external Load Balancer in front of the Active-Active Supervisors. See External Load Balancer Configuration for a sample FortiWeb Load Balancer configuration.
- Login to GUI and navigate to ADMIN > Settings > Cluster Config > Supervisors and add the Load Balancer Host Name or IP.
Collecting UUID and SSH Public Key
- For the UUID, obtain the Hardware ID value through an SSH session by running the following command on FortiSIEM:
  /opt/phoenix/bin/phLicenseTool --show
- Enter/paste the Hardware ID into the UUID field for FortiSIEM.
- Under Configuration and Profile Replication, generate the SSH Public Key and SSH Private Key Path by entering the following in your SSH session on FortiSIEM:
  su - admin
  ssh-keygen -t rsa -b 4096
  Leave the file location as default, and press enter at the passphrase prompt.
  The output will appear similar to the following:
  Generating public/private rsa key pair.
  Enter file in which to save the key (/opt/phoenix/bin/.ssh/id_rsa):
  Created directory '/opt/phoenix/bin/.ssh'.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /opt/phoenix/bin/.ssh/id_rsa.
  Your public key has been saved in /opt/phoenix/bin/.ssh/id_rsa.pub.
  The key fingerprint is:
  a9:43:88:d1:ed:b0:99:b5:bb:e7:6d:55:44:dd:3e:48 admin@site1.fsmtesting.com
  The key's randomart image is:
  +--[ RSA 4096]----+
  | ....|
  | . . E. o|
- For the SSH Public Key, enter the following command, and copy all of the output.
  cat /opt/phoenix/bin/.ssh/id_rsa.pub
- Exit the admin user in the SSH session by entering the following command.
  exit
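The public key copied from id_rsa.pub is one long line, and a partial copy pasted into the SSH Public Key field is a common reason the Follower cannot rsync from its Leader. As an added check that is not part of the FortiSIEM documentation, this Python snippet parses an OpenSSH public key line, confirms the base64 blob is complete and matches the declared key type, reports the RSA modulus size (the page generates 4096-bit keys) and returns the SHA256 fingerprint that ssh-keygen -lf would print, so it can be compared on both nodes. The sample key is constructed in code and is not a real node key.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b      # SSH wire string: length-prefixed bytes

def _ssh_mpint(n: int) -> bytes:
    # SSH mpint: big-endian bytes, with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    # Builds an 'ssh-rsa <base64> <comment>' line; used only for the constructed sample
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_string(blob: bytes, pos: int):
    ln = struct.unpack(">I", blob[pos:pos + 4])[0] if pos + 4 <= len(blob) else None
    if ln is None or pos + 4 + ln > len(blob):
        raise ValueError("truncated key blob (partial copy?)")
    return blob[pos + 4:pos + 4 + ln], pos + 4 + ln

def check_pubkey_line(line: str) -> dict:
    # Validates one OpenSSH public key line before it is pasted into the GUI field
    line = line.strip()
    if "\n" in line:
        raise ValueError("public key must be a single line")
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:   # binascii.Error subclasses ValueError
        raise ValueError(f"base64 decode failed (partial copy?): {exc}")
    inner, pos = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"type prefix {ktype!r} does not match blob {inner!r}")
    bits = None
    if ktype == "ssh-rsa":
        _e, pos = _read_string(blob, pos)       # public exponent
        n_raw, pos = _read_string(blob, pos)    # modulus
        bits = int.from_bytes(n_raw, "big").bit_length()
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes after key material")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "fingerprint": "SHA256:" + fp, "comment": " ".join(parts[2:])}

# Constructed sample, NOT a real key: exponent 65537 and a 4096-bit placeholder modulus
SAMPLE_LINE = build_rsa_pubkey_line(65537, (1 << 4095) | 1, "admin@follower.example")
```

Run check_pubkey_line on the text you are about to paste; a ValueError means re-copy the whole id_rsa.pub line rather than proceeding with the Add Node step.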