Fortinet white logo
Fortinet white logo

Administration Guide

Configuring HA settings specifically for high volume active-active mode

Configuring HA settings specifically for high volume active-active mode

In addition to the basic settings, you need to specify the HA members and set traffic distributions for the high volume active-active mode. You only need to set the following configurations on the primary node. They can be automatically synchronized to all the HA members. For how to find the primary node, see this topic.

Allocating nodes

After the basic settings are done, all the members with the same group ID should join in the HA group. In the Available Nodes list on the Node Allocation page, all the HA members are listed.

Perform the following steps to allocate nodes to the HA group.

  1. Go to System > High Availability > Settings.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.
  2. Select the Node Allocation tab.
  3. In the Available Nodes list, select one or more members which you want to add in the cluster, then click the right arrow to move them to the Cluster Members list.
  4. Click Apply.

The selected nodes are allocated to the HA group.

Creating traffic distribution

The domain name of your application is paired with one or more IP addresses. These IP addresses are called Virtual IPs in FortiWeb. When your users visit your application, the destination of these requests are these virtual IP addresses. If you have deployed a FortiWeb HA cluster in your network, these requests will arrive first at FortiWeb cluster for threat detection, then be forwarded to the back-end servers. The traffic distribution controls which FortiWeb appliances in the cluster process the traffic destined to certain virtual IPs.

To configure the traffic distribution, you must have already created virtual IPs in Network > Virtual IP. See Configuring virtual IP.

Perform the following steps to map the virtual IPs to the FortiWeb appliances in a HA cluster:

  1. Go to System > High Availability > Settings.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.
  2. Select the Traffic Distribution tab.
  3. Enter a name for the traffic distribution.
  4. Click the VIP list field. The Select Entries pane will appear at the right side of the window.
  5. Click one or more VIPs that you want to assign to a cluster member. The selected VIPs will appear in the VIP list field.
  6. In the Add HA member field, drag the cluster members from the right to the left. Only the appliance ranks the first will be the active node to receive traffic destined to the selected VIP(s). When the active node is down, the appliance lists the next will take over the traffic. You can select the appliance and drag it to change its rank.

The cluster mode is much more flexible than the active-active and active-passive mode. With different combinations of the VIP and the appliance, you can form more complicated HA topologies.

Example 1

If there are four VIPs and four appliances, you can set two appliances as active nodes, each of them receiving traffic destined to two VIPs, while the other appliances acting as backups.

The configures can be as follows. In this example, node ID 1 and node ID 3 are the active nodes to process traffic, while Node ID 2 and Node ID 4 are their back-ups.

Traffic distribution 1:

Traffic distribution 2:

Example 2

If there are four VIPs and four appliances, you can set all the four nodes as active one, each receiving traffic destined to one VIP.

The configures can be as follows. In this example, each appliance acts as active node to process traffic to an unique VIP. If one node fails, other nodes will take over the traffic by order or the traffic distribution list.

Traffic distribution 1:

Traffic distribution 2:

Traffic distribution 3:

Traffic distribution 4:

Configuring HA settings specifically for high volume active-active mode

Configuring HA settings specifically for high volume active-active mode

In addition to the basic settings, you need to specify the HA members and set traffic distributions for the high volume active-active mode. You only need to set the following configurations on the primary node. They can be automatically synchronized to all the HA members. For how to find the primary node, see this topic.

Allocating nodes

After the basic settings are done, all the members with the same group ID should join in the HA group. In the Available Nodes list on the Node Allocation page, all the HA members are listed.

Perform the following steps to allocate nodes to the HA group.

  1. Go to System > High Availability > Settings.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.
  2. Select the Node Allocation tab.
  3. In the Available Nodes list, select one or more members which you want to add in the cluster, then click the right arrow to move them to the Cluster Members list.
  4. Click Apply.

The selected nodes are allocated to the HA group.

Creating traffic distribution

The domain name of your application is paired with one or more IP addresses. These IP addresses are called Virtual IPs in FortiWeb. When your users visit your application, the destination of these requests are these virtual IP addresses. If you have deployed a FortiWeb HA cluster in your network, these requests will arrive first at FortiWeb cluster for threat detection, then be forwarded to the back-end servers. The traffic distribution controls which FortiWeb appliances in the cluster process the traffic destined to certain virtual IPs.

To configure the traffic distribution, you must have already created virtual IPs in Network > Virtual IP. See Configuring virtual IP.

Perform the following steps to map the virtual IPs to the FortiWeb appliances in a HA cluster:

  1. Go to System > High Availability > Settings.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.
  2. Select the Traffic Distribution tab.
  3. Enter a name for the traffic distribution.
  4. Click the VIP list field. The Select Entries pane will appear at the right side of the window.
  5. Click one or more VIPs that you want to assign to a cluster member. The selected VIPs will appear in the VIP list field.
  6. In the Add HA member field, drag the cluster members from the right to the left. Only the appliance ranks the first will be the active node to receive traffic destined to the selected VIP(s). When the active node is down, the appliance lists the next will take over the traffic. You can select the appliance and drag it to change its rank.

The cluster mode is much more flexible than the active-active and active-passive mode. With different combinations of the VIP and the appliance, you can form more complicated HA topologies.

Example 1

If there are four VIPs and four appliances, you can set two appliances as active nodes, each of them receiving traffic destined to two VIPs, while the other appliances acting as backups.

The configures can be as follows. In this example, node ID 1 and node ID 3 are the active nodes to process traffic, while Node ID 2 and Node ID 4 are their back-ups.

Traffic distribution 1:

Traffic distribution 2:

Example 2

If there are four VIPs and four appliances, you can set all the four nodes as active one, each receiving traffic destined to one VIP.

The configures can be as follows. In this example, each appliance acts as active node to process traffic to an unique VIP. If one node fails, other nodes will take over the traffic by order or the traffic distribution list.

Traffic distribution 1:

Traffic distribution 2:

Traffic distribution 3:

Traffic distribution 4: