Configuring HA settings specifically for active-passive and standard active-active modes
In addition to the basic settings, you can configure the following settings as needed for an active-passive HA group and a standard active-active HA group. Load-balancing algorithm and HA Health Check need to be configured only on the primary node because they can be synchronized to all the members in the HA group.
Settings | Active-passive HA | Standard active-active HA |
---|---|---|
HA Static Route | Yes | Yes |
HA Policy Route | Yes | Yes |
Load-balancing algorithm | No | Yes |
HA Health Check | No | Yes |
HA Static Route and Policy Route
Unlike the Static Route and Policy Route in System > Network > Route, which are synchronized to all the HA members, the configurations in HA Static Route and HA Policy Route are applied only to this specific member.
This is useful when you want to set a next-hop gateway that is used only for this member and not shared by the HA group. The Reserved Management Interface is typically used together with this feature.
The parameters in this feature are the same as those in Static Route and Policy Route in System > Network > Route, so they are not described again here. For detailed information on the parameters, refer to Adding a gateway and Creating a policy route.
Only one default route (the static route with destination 0.0.0.0/0) is allowed on a FortiWeb appliance. For example, if you have configured a default route in System > Network > Route, you cannot configure another default route in the HA route settings.
Load-balancing algorithm
You might want to change the load-balancing algorithm for a standard active-active HA group. You can change the algorithm by configuring set schedule {ip | leastconnection | round-robin} in the CLI command config system ha. For details, see the FortiWeb CLI Reference:
https://docs.fortinet.com/product/fortiweb/
Note: FortiWeb's Configuring a protection profile for inline topologies is not supported in a standard Active-Active HA deployment when the algorithm By connections or Round-robin is used for load balancing.
HA Health Check
Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Standard Active-Active.
To check whether the server policies are running properly on the HA group, you can configure a server policy health check. The configurations are synchronized to all members in the group. The system sends an HTTP or HTTPS request, and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA group member and the back-end server is not available. The system then generates event logs.
You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, then configure a health check on the HA Health Check tab.
FortiWeb only supports checking the health of server policies in the root administrative domain.
To configure an HA Health Check
- Go to System > High Availability > Settings > HA Health Check.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
- Click Create New to create a health check.
- Configure these settings:
Server policy | Select the server policy for which you want to run the health check. |
HTTPS | Enable to use the HTTPS protocol for the health check connections with the back-end server. The system uses the HTTP protocol if this option is disabled. |
Client Certificate | If HTTPS is enabled, you can select a Client Certificate for the connection. This is optional. The Client Certificate is imported in Server Objects > Certificates > Local. |
Relationship | And: FortiWeb considers the server policy to be responsive when it passes all the tests in the list. Or: FortiWeb considers the server policy to be responsive when it passes at least one of the tests in the list. |
- Click OK.
- In the rule list, do one of the following:
  - To add a rule, click Create New.
  - To modify a rule, select it and click Edit.
URL Path | Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, If the web server successfully returns this URL, and its content matches your expression in Matched Content, it is considered to be responsive. The maximum length is 127 characters. |
Interval | Type the number of seconds between each server health check. Valid values are 1 to 300. Default value is 10. |
Timeout | Type the maximum number of seconds that can pass after the server health check. If the web server exceeds this limit, it will indicate a failed health check. Valid values are 1 to 30. Default value is 3. |
Retry Times | Type the number of times, if any, that FortiWeb retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive. Valid values are 1 to 10. Default value is 3. |
Method | Specify whether the health check uses the HEAD, GET, or POST method. |
Match Type | Available only if Configuring HA settings specifically for active-passive and standard active-active modes is HTTP or HTTPS. |
Matched Content |
Enter one of the following values:
This value prevents the test from falsely indicating that the server is available when it has actually replied with an error page, such as the one produced by Tomcat when a JSP application is not available. To create and test a regular expression, click the >> (test) icon. This opens a Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. Available only if Match Type is All or Matched Content. |
Response Code | Enter the response code that you require the server to return in order to confirm its availability. Available only if Match Type is All or Response Code. |
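
The following Python model is an added example, not FortiWeb code. It shows how Match Type, Retry Times and Relationship combine, and why a rule that checks only the response code treats an error page served with status 200 as healthy. The class and function names, the constructed sample responses, and the reading of Retry Times as a count of consecutive failed probes are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical model of one health check rule
    match_type: str              # "All", "Response Code" or "Matched Content"
    response_code: int = 200
    matched_content: str = ""    # regular expression searched in the body
    retry_times: int = 3         # documented default

def probe_passes(rule, status, body):
    """Judge one probe; status None stands for a timeout."""
    if status is None:
        return False
    code_ok = status == rule.response_code
    content_ok = re.search(rule.matched_content, body) is not None
    if rule.match_type == "Response Code":
        return code_ok
    if rule.match_type == "Matched Content":
        return content_ok
    return code_ok and content_ok            # "All"

def rule_responsive(rule, probes):
    """False once retry_times probes in a row have failed (assumed reading)."""
    failures = 0
    for status, body in probes:
        failures = 0 if probe_passes(rule, status, body) else failures + 1
        if failures >= rule.retry_times:
            return False
    return True

def policy_responsive(relationship, rule_results):
    """Relationship And: every rule passes. Or: at least one passes."""
    return all(rule_results) if relationship == "And" else any(rule_results)

# Constructed sample responses (not captured from a real server).
HEALTHY = (200, "<html><body>status: ok</body></html>")
ERROR_PAGE = (200, "<html><body>The requested resource is not available</body></html>")
TIMEOUT = (None, "")

code_only = Rule(match_type="Response Code")
strict = Rule(match_type="All", matched_content=r"status:\s*ok")

if __name__ == "__main__":
    history = [HEALTHY, ERROR_PAGE, ERROR_PAGE, ERROR_PAGE]
    results = [rule_responsive(code_only, history), rule_responsive(strict, history)]
    print("code only:", results[0], "| strict:", results[1])
    print("And:", policy_responsive("And", results), "| Or:", policy_responsive("Or", results))
```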