Fortinet white logo
Fortinet white logo

Administration Guide

Replicating the configuration without FortiWeb HA (external HA)

Replicating the configuration without FortiWeb HA (external HA)

Configuration synchronization provides the ability to duplicate the configuration from another FortiWeb appliance without using FortiWeb high availability (HA). The synchronization is unilateral push; it is not a bilateral synchronization. It adds any missing items, and overwrites any items that are identically named, but does not delete unique items on the target FortiWeb, nor does it pull items from the target to the initiating FortiWeb.

Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA:

  • External active-active HA (load balancing) could be provided by the firewall, the router, or an HTTP-aware load balancer such as FortiADC.
  • External active-passive HA (failover) could be provided by a specialized failover device, instead of the FortiWebs themselves, for network load distribution, latency, and performance optimization reasons. The failover device must monitor for live routes.
  • Multiple identical non-HAFortiWeb appliances in physically distant locations with the same network scheme might be required to have the same (maybe with a few extra different) server policies, and therefore management could be simplified by configuring one FortiWeb and then replicating that to the others.

In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do not need to use FortiWeb HA.

This is an example of a configuration synchronization network topology:

Configuration synchronization is not a complete replacement for HA. Each synchronized FortiWeb does not keep any heartbeat link (no failover will occur and availability will not be increased) nor does it load balance with the other. Additionally, configuration synchronization will not delete items on the target FortiWeb if the item’s name is different. Also it will not import items that exist on the target, but not on your local FortiWeb.

If you require such features, either use FortiWeb HA instead, or augment configuration synchronization with an external HA/load balancing device such as FortiADC.

Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.

You can configure which port number the appliance uses to synchronize its configuration. For details, see Config-Sync.

Synchronize each time you change the configuration, and are ready to propagate the changes. Unlike FortiWeb HA, configuration synchronization is not automatic and continuous. Changes will only be pushed when you manually initiate it.

To replicate the configuration from another FortiWeb

Back up your system before changing the operation mode (see Backup & restore). Synchronizing the configuration overwrites the existing configuration, and cannot be undone without restoring the configuration from a backup.

  1. Go to System > Config > Config-Synchronization.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

  3. For Peer FortiWeb IP, enter the IP address of the target FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance.
  4. For Peer FortiWeb Port, enter the port number that the target FortiWeb appliance uses to listen for configuration synchronization. The default port is 995.
  5. For Peer FortiWeb 'admin' user password, enter the password of the administrator account named admin on the other FortiWeb appliance.
  6. For Synchronization Type, select one of the following options:
  7. Full

    For all compatible operation modes except WCCP, synchronizes all configuration except:

    • System > Admin > Administrator (config system admin)
    • System > Admin > Profiles (config system admin accprofile)
    • System > Config > Config Synchronization (config system conf-sync)
    • System > Config > HA (config system ha)
    • System > Config > SNMP (config system snmp sysinfo/community/user)
    • System > Maintenance > Backup & Restore > FTP Backup (config system backup)

    When the operation mode is WCCP, synchronizes all configuration except:

    • System > Admin > Administrator (config system admin)
    • System > Admin > Profiles (config system admin accprofile)
    • System > Config > Config Synchronization (config system conf-sync)
    • System > Config > HA (config system ha)
    • System > Network > Interface (config system interface)
    • System > Config > WCCP Client (config system wccp)
    • System > Config > SNMP (config system snmp sysinfo/community/user)
    • System > Maintenance > Backup & Restore > FTP backup (config system backup)
    • System > Network > Route > Static Route (config router static)
    • System > Network > Route > Policy Route (config router policy)

    Note: This option is not available if the FortiWeb appliance is operating in Reverse Proxy mode. For details, see Supported features in each operation mode.

    Partial

    Synchronizes all configurations except:

    • System > Network > Interface (config system interface)
    • System > Network > Fail-open (config system fail-open)
    • System > Network > DNS (config system dns)
    • System > Network > V-zone (config system v-zone)
    • System > Config > Config Synchronization (config system conf-sync)
    • System > Admin (config system admin/accprofile/settings/admin-certificate local/ca)
    • System > Config > FDS Proxy (config system fds proxy override/schedule)
    • System > Config > HA (config system ha)
    • System > Config > HSM (config system hsm)
    • System > Config > SNMP (config system snmp sysinfo/community/user)
    • System > Config > RAID (config system raid)
    • System > Firewall (config system firwall address/service/firewall-policy/snat-policy)
    • System > Config > FortiSandbox > FortiSandbox-Statistics (config system fortisandbox-statistics)
    • System > Config > WCCP Client (config system wccp)
    • System > Network > Route > Policy Route (config router policy)
    • System > Network > Route > Static Route (config router static )
    • System > Maintenance > Backup & Restore > FTP Backup (config system backup)
    • User > PKI User (config user pki user)
    • User > User Group > Admin Group (config user admin-usergrp)
    • Server Objects > Service (config server-policy service custom/predefined)
    • Server Objects > Server > Virtual Server (config server-policy vserver)
    • Server Objects > Server > Server Pool (config server-policy server-pool)
    • Server Objects > Server > Health Check (config server-policy helth)
    • Policy > Server Policy (config server-policy policy)
    • System > Certificate (config system certificate)
    • config system global
    • config system console
    • config system ip-detection
    • config system network-option
    • config system fips-cc
    • config system tcpdump
    • config router setting
    • config system antivirus

    For a detailed list of settings that are excluded from a partial synchronization, including CLI-only settings, see the FortiWeb CLI Reference:https://docs.fortinet.com/product/fortiweb/

    To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target FortiWeb succeeds, this message should appear:

    Service is available...

    If the following message appears:

    Service isn't available...

    verify that:

  • the other FortiWeb is the same model
  • the other FortiWeb is configured to listen on your indicated configuration sync port number (see Config-Sync)
  • the other FortiWeb’s admin account password matches
  • firewalls and routers between the two FortiWebs allow the connection
  • Optionally, enable Auto-Sync. This feature allows you to automatically synchronize the configurations hourly, daily, or weekly. Select one of the following:
  • Every—Use the hour and minute drop-down menus to select the interval at which the configurations are synchronized. For example, selecting 5 for hour and 0 for minute will synchronize the configurations every five hours.

    Daily—Use the hour and minute drop-down menus to select the time (24-hour clock) at which the configurations are synchronized. For example, Selecting 10 for hour and 30 for minute will synchronize the configurations every day at 10:30.

    Weekly—Use the day, hour, and minute drop-down menus to select the day and time of day at which the configurations are synchronized. For example, selecting Sunday for day, 5 for hour, and 15 for minute will synchronize the configurations every Sunday at 5:15.

  • Click Push config.
  • A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other FortiWeb, and asking if you want to continue.

  • Click Yes.
  • The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and settings. Time required varies by the size of the configuration and the speed of the network connection. When complete, this message should appear:

    Config. synchronized successfully.

    See also

    Replicating the configuration without FortiWeb HA (external HA)

    Replicating the configuration without FortiWeb HA (external HA)

    Configuration synchronization provides the ability to duplicate the configuration from another FortiWeb appliance without using FortiWeb high availability (HA). The synchronization is unilateral push; it is not a bilateral synchronization. It adds any missing items, and overwrites any items that are identically named, but does not delete unique items on the target FortiWeb, nor does it pull items from the target to the initiating FortiWeb.

    Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA:

    • External active-active HA (load balancing) could be provided by the firewall, the router, or an HTTP-aware load balancer such as FortiADC.
    • External active-passive HA (failover) could be provided by a specialized failover device, instead of the FortiWebs themselves, for network load distribution, latency, and performance optimization reasons. The failover device must monitor for live routes.
    • Multiple identical non-HAFortiWeb appliances in physically distant locations with the same network scheme might be required to have the same (maybe with a few extra different) server policies, and therefore management could be simplified by configuring one FortiWeb and then replicating that to the others.

    In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do not need to use FortiWeb HA.

    This is an example of a configuration synchronization network topology:

    Configuration synchronization is not a complete replacement for HA. Each synchronized FortiWeb does not keep any heartbeat link (no failover will occur and availability will not be increased) nor does it load balance with the other. Additionally, configuration synchronization will not delete items on the target FortiWeb if the item’s name is different. Also it will not import items that exist on the target, but not on your local FortiWeb.

    If you require such features, either use FortiWeb HA instead, or augment configuration synchronization with an external HA/load balancing device such as FortiADC.

    Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.

    You can configure which port number the appliance uses to synchronize its configuration. For details, see Config-Sync.

    Synchronize each time you change the configuration, and are ready to propagate the changes. Unlike FortiWeb HA, configuration synchronization is not automatic and continuous. Changes will only be pushed when you manually initiate it.

    To replicate the configuration from another FortiWeb

    Back up your system before changing the operation mode (see Backup & restore). Synchronizing the configuration overwrites the existing configuration, and cannot be undone without restoring the configuration from a backup.

    1. Go to System > Config > Config-Synchronization.
    2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

    3. For Peer FortiWeb IP, enter the IP address of the target FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance.
    4. For Peer FortiWeb Port, enter the port number that the target FortiWeb appliance uses to listen for configuration synchronization. The default port is 995.
    5. For Peer FortiWeb 'admin' user password, enter the password of the administrator account named admin on the other FortiWeb appliance.
    6. For Synchronization Type, select one of the following options:
    7. Full

      For all compatible operation modes except WCCP, synchronizes all configuration except:

      • System > Admin > Administrator (config system admin)
      • System > Admin > Profiles (config system admin accprofile)
      • System > Config > Config Synchronization (config system conf-sync)
      • System > Config > HA (config system ha)
      • System > Config > SNMP (config system snmp sysinfo/community/user)
      • System > Maintenance > Backup & Restore > FTP Backup (config system backup)

      When the operation mode is WCCP, synchronizes all configuration except:

      • System > Admin > Administrator (config system admin)
      • System > Admin > Profiles (config system admin accprofile)
      • System > Config > Config Synchronization (config system conf-sync)
      • System > Config > HA (config system ha)
      • System > Network > Interface (config system interface)
      • System > Config > WCCP Client (config system wccp)
      • System > Config > SNMP (config system snmp sysinfo/community/user)
      • System > Maintenance > Backup & Restore > FTP backup (config system backup)
      • System > Network > Route > Static Route (config router static)
      • System > Network > Route > Policy Route (config router policy)

      Note: This option is not available if the FortiWeb appliance is operating in Reverse Proxy mode. For details, see Supported features in each operation mode.

      Partial

      Synchronizes all configurations except:

      • System > Network > Interface (config system interface)
      • System > Network > Fail-open (config system fail-open)
      • System > Network > DNS (config system dns)
      • System > Network > V-zone (config system v-zone)
      • System > Config > Config Synchronization (config system conf-sync)
      • System > Admin (config system admin/accprofile/settings/admin-certificate local/ca)
      • System > Config > FDS Proxy (config system fds proxy override/schedule)
      • System > Config > HA (config system ha)
      • System > Config > HSM (config system hsm)
      • System > Config > SNMP (config system snmp sysinfo/community/user)
      • System > Config > RAID (config system raid)
      • System > Firewall (config system firwall address/service/firewall-policy/snat-policy)
      • System > Config > FortiSandbox > FortiSandbox-Statistics (config system fortisandbox-statistics)
      • System > Config > WCCP Client (config system wccp)
      • System > Network > Route > Policy Route (config router policy)
      • System > Network > Route > Static Route (config router static )
      • System > Maintenance > Backup & Restore > FTP Backup (config system backup)
      • User > PKI User (config user pki user)
      • User > User Group > Admin Group (config user admin-usergrp)
      • Server Objects > Service (config server-policy service custom/predefined)
      • Server Objects > Server > Virtual Server (config server-policy vserver)
      • Server Objects > Server > Server Pool (config server-policy server-pool)
      • Server Objects > Server > Health Check (config server-policy helth)
      • Policy > Server Policy (config server-policy policy)
      • System > Certificate (config system certificate)
      • config system global
      • config system console
      • config system ip-detection
      • config system network-option
      • config system fips-cc
      • config system tcpdump
      • config router setting
      • config system antivirus

      For a detailed list of settings that are excluded from a partial synchronization, including CLI-only settings, see the FortiWeb CLI Reference:https://docs.fortinet.com/product/fortiweb/

      To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target FortiWeb succeeds, this message should appear:

      Service is available...

      If the following message appears:

      Service isn't available...

      verify that:

    • the other FortiWeb is the same model
    • the other FortiWeb is configured to listen on your indicated configuration sync port number (see Config-Sync)
    • the other FortiWeb’s admin account password matches
    • firewalls and routers between the two FortiWebs allow the connection
  • Optionally, enable Auto-Sync. This feature allows you to automatically synchronize the configurations hourly, daily, or weekly. Select one of the following:
  • Every—Use the hour and minute drop-down menus to select the interval at which the configurations are synchronized. For example, selecting 5 for hour and 0 for minute will synchronize the configurations every five hours.

    Daily—Use the hour and minute drop-down menus to select the time (24-hour clock) at which the configurations are synchronized. For example, Selecting 10 for hour and 30 for minute will synchronize the configurations every day at 10:30.

    Weekly—Use the day, hour, and minute drop-down menus to select the day and time of day at which the configurations are synchronized. For example, selecting Sunday for day, 5 for hour, and 15 for minute will synchronize the configurations every Sunday at 5:15.

  • Click Push config.
  • A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other FortiWeb, and asking if you want to continue.

  • Click Yes.
  • The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and settings. Time required varies by the size of the configuration and the speed of the network connection. When complete, this message should appear:

    Config. synchronized successfully.

    See also