CLI Reference

config system ha

Configure HA.

config system ha
    Description: Configure HA.
    set arps {integer}
    set arps-interval {integer}
    set authentication [enable|disable]
    set cpu-threshold {user}
    set encryption [enable|disable]
    set evpn-ttl {integer}
    set failover-hold-time {integer}
    set ftp-proxy-threshold {user}
    set gratuitous-arps [enable|disable]
    set group-id {integer}
    set group-name {string}
    set ha-direct [enable|disable]
    set ha-eth-type {string}
    config ha-mgmt-interfaces
        Description: Reserve interfaces to manage individual cluster units.
        edit <id>
            set interface {string}
            set dst {ipv4-classnet}
            set gateway {ipv4-address}
            set gateway6 {ipv6-address}
        next
    end
    set ha-mgmt-status [enable|disable]
    set ha-uptime-diff-margin {integer}
    set hb-interval {integer}
    set hb-interval-in-milliseconds [100ms|10ms]
    set hb-lost-threshold {integer}
    set hbdev {user}
    set hc-eth-type {string}
    set hello-holddown {integer}
    set http-proxy-threshold {user}
    set imap-proxy-threshold {user}
    set ipsec-phase2-proposal {option1}, {option2}, ...
    set key {password}
    set l2ep-eth-type {string}
    set link-failed-signal [enable|disable]
    set load-balance-all [enable|disable]
    set logical-sn [enable|disable]
    set memory-based-failover [enable|disable]
    set memory-compatible-mode [enable|disable]
    set memory-failover-flip-timeout {integer}
    set memory-failover-monitor-period {integer}
    set memory-failover-sample-rate {integer}
    set memory-failover-threshold {integer}
    set memory-threshold {user}
    set mode [standalone|a-a|...]
    set monitor {user}
    set multicast-ttl {integer}
    set nntp-proxy-threshold {user}
    set override [enable|disable]
    set override-wait-time {integer}
    set password {password}
    set pingserver-failover-threshold {integer}
    set pingserver-flip-timeout {integer}
    set pingserver-monitor-interface {user}
    set pingserver-secondary-force-reset [enable|disable]
    set pop3-proxy-threshold {user}
    set priority {integer}
    set route-hold {integer}
    set route-ttl {integer}
    set route-wait {integer}
    set schedule [none|leastconnection|...]
    set session-pickup [enable|disable]
    set session-pickup-connectionless [enable|disable]
    set session-pickup-delay [enable|disable]
    set session-pickup-expectation [enable|disable]
    set session-pickup-nat [enable|disable]
    set session-sync-dev {user}
    set smtp-proxy-threshold {user}
    set ssd-failover [enable|disable]
    set standalone-config-sync [enable|disable]
    set standalone-mgmt-vdom [enable|disable]
    set sync-config [enable|disable]
    set sync-packet-balance [enable|disable]
    set unicast-gateway {ipv4-address}
    set unicast-hb [enable|disable]
    set unicast-hb-netmask {ipv4-netmask}
    set unicast-hb-peerip {ipv4-address}
    config unicast-peers
        Description: Number of unicast peers.
        edit <id>
            set peer-ip {ipv4-address}
        next
    end
    set unicast-status [enable|disable]
    set uninterruptible-primary-wait {integer}
    set upgrade-mode [simultaneous|uninterruptible|...]
    config vcluster
        Description: Virtual cluster table.
        edit <vcluster-id>
            set override [enable|disable]
            set priority {integer}
            set override-wait-time {integer}
            set monitor {user}
            set pingserver-monitor-interface {user}
            set pingserver-failover-threshold {integer}
            set pingserver-secondary-force-reset [enable|disable]
            set pingserver-flip-timeout {integer}
            set vdom <name1>, <name2>, ...
        next
    end
    set vcluster-status [enable|disable]
    set weight {user}
end

config system ha

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| arps | Number of gratuitous ARPs. Lower to reduce traffic. Higher to reduce failover time. | integer | Minimum value: 1, Maximum value: 60 | 5 |
| arps-interval | Time between gratuitous ARPs. Lower to reduce failover time. Higher to reduce traffic. | integer | Minimum value: 1, Maximum value: 20 | 8 |
| authentication | Enable/disable heartbeat message authentication. Options: enable = Enable heartbeat message authentication; disable = Disable heartbeat message authentication. | option | - | disable |
| cpu-threshold | Dynamic weighted load balancing CPU usage weight and high and low thresholds. | user | Not Specified | |
| encryption | Enable/disable heartbeat message encryption. Options: enable = Enable heartbeat message encryption; disable = Disable heartbeat message encryption. | option | - | disable |
| evpn-ttl | HA EVPN FDB TTL on primary box. | integer | Minimum value: 5, Maximum value: 3600 | 60 |
| failover-hold-time | Time to wait before failover, to avoid flip. | integer | Minimum value: 0, Maximum value: 300 | 0 |
| ftp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of FTP proxy sessions. | user | Not Specified | |
| gratuitous-arps | Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled. Options: enable = Enable gratuitous ARPs; disable = Disable gratuitous ARPs. | option | - | enable |
| group-id | HA group ID. Must be the same for all members. | integer | Minimum value: 0, Maximum value: 1023 | 0 |
| group-name | Cluster group name. Must be the same for all members. | string | Maximum length: 32 | |
| ha-direct | Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow. Options: enable = Enable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow; disable = Disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow. | option | - | disable |
| ha-eth-type | HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8890 |
| ha-mgmt-status | Enable to reserve interfaces to manage individual cluster units. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| ha-uptime-diff-margin | Normally you would only reduce this value for failover testing. | integer | Minimum value: 1, Maximum value: 65535 | 300 |
| hb-interval | Time between sending heartbeat packets. Increase to reduce false positives. | integer | Minimum value: 1, Maximum value: 20 | 2 |
| hb-interval-in-milliseconds | Units of heartbeat interval time between sending heartbeat packets. Default is 100ms. Options: 100ms = Each heartbeat interval is 100ms; 10ms = Each heartbeat interval is 10ms. | option | - | 100ms |
| hb-lost-threshold | Number of lost heartbeats to signal a failure. Increase to reduce false positives. | integer | Minimum value: 1, Maximum value: 60 | 6 ** |
| hbdev | Heartbeat interfaces. Must be the same for all members. Enter <interface> <priority> pairs to specify the priority of each heartbeat interface. Higher priority takes precedence. | user | Not Specified | |
| hc-eth-type | Transparent mode HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8891 |
| hello-holddown | Time to wait before changing from hello to work state. | integer | Minimum value: 5, Maximum value: 300 | 20 |
| http-proxy-threshold | Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions. | user | Not Specified | |
| imap-proxy-threshold | Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions. | user | Not Specified | |
| ipsec-phase2-proposal | IPsec phase2 proposal. Options: aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes128gcm, aes256gcm, chacha20poly1305. | option | - | |
| key | Key. | password | Not Specified | |
| l2ep-eth-type | Telnet session HA heartbeat packet Ethertype (4-digit hex). | string | Maximum length: 4 | 8893 |
| link-failed-signal | Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| load-balance-all | Enable to load balance TCP sessions. Disable to load balance proxy sessions only. Options: enable = Enable load balance; disable = Disable load balance. | option | - | disable |
| logical-sn | Enable/disable usage of the logical serial number. Options: enable = Enable usage of the logical serial number; disable = Disable usage of the logical serial number. | option | - | disable |
| memory-based-failover | Enable/disable memory based failover. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| memory-compatible-mode | Enable/disable memory compatible mode. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| memory-failover-flip-timeout | Time to wait between subsequent memory based failovers in minutes. | integer | Minimum value: 6, Maximum value: 2147483647 | 6 |
| memory-failover-monitor-period | Duration of high memory usage before memory based failover is triggered in seconds. | integer | Minimum value: 1, Maximum value: 300 | 60 |
| memory-failover-sample-rate | Rate at which memory usage is sampled in order to measure memory usage in seconds. | integer | Minimum value: 1, Maximum value: 60 | 1 |
| memory-failover-threshold | Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global). | integer | Minimum value: 0, Maximum value: 95 | 0 |
| memory-threshold | Dynamic weighted load balancing memory usage weight and high and low thresholds. | user | Not Specified | |
| mode | HA mode. Must be the same for all members. FGSP requires standalone. Options: standalone = Standalone mode; a-a = Active-active mode; a-p = Active-passive mode. | option | - | standalone |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified | |
| multicast-ttl | HA multicast TTL on primary. | integer | Minimum value: 5, Maximum value: 3600 | 600 |
| nntp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions. | user | Not Specified | |
| override | Enable and increase the priority of the unit that should always be primary (master). Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| override-wait-time | Delay negotiating if override is enabled. Reduces how often the cluster negotiates. | integer | Minimum value: 0, Maximum value: 3600 | 0 |
| password | Cluster password. Must be the same for all members. | password | Not Specified | |
| pingserver-failover-threshold | Remote IP monitoring failover threshold. | integer | Minimum value: 0, Maximum value: 50 | 0 |
| pingserver-flip-timeout | Time to wait in minutes before renegotiating after a remote IP monitoring failover. | integer | Minimum value: 6, Maximum value: 2147483647 | 60 |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified | |
| pingserver-secondary-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable = Enable force reset of secondary member after PING server failure; disable = Disable force reset of secondary member after PING server failure. | option | - | enable |
| pop3-proxy-threshold | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. | user | Not Specified | |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0, Maximum value: 255 | 128 |
| route-hold | Time to wait between routing table updates to the cluster. | integer | Minimum value: 0, Maximum value: 3600 | 10 |
| route-ttl | TTL for primary unit routes. Increase to maintain active routes during failover. | integer | Minimum value: 5, Maximum value: 3600 | 10 |
| route-wait | Time to wait before sending new routes to the cluster. | integer | Minimum value: 0, Maximum value: 3600 | 0 |
| schedule | Type of A-A load balancing. Use none if you have external load balancers. Options: none = None; leastconnection = Least connection; round-robin = Round robin; weight-round-robin = Weight round robin; random = Random; ip = IP; ipport = IP port. | option | - | round-robin |
| session-pickup | Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. Options: enable = Enable session pickup; disable = Disable session pickup. | option | - | disable |
| session-pickup-connectionless | Enable/disable UDP and ICMP session sync. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| session-pickup-delay | Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| session-pickup-expectation | Enable/disable session helper expectation session sync for FGSP. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| session-pickup-nat | Enable/disable NAT session sync for FGSP. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified | |
| smtp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. | user | Not Specified | |
| ssd-failover * | Enable/disable automatic HA failover on SSD disk failure. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| standalone-config-sync | Enable/disable FGSP configuration synchronization. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| standalone-mgmt-vdom | Enable/disable standalone management VDOM. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| sync-config | Enable/disable configuration synchronization. Options: enable = Enable configuration synchronization; disable = Disable configuration synchronization. | option | - | enable |
| sync-packet-balance | Enable/disable HA packet distribution to multiple CPUs. Options: enable = Enable HA packet distribution to multiple CPUs; disable = Disable HA packet distribution to multiple CPUs. | option | - | disable |
| unicast-gateway * | Default route gateway for unicast interface. | ipv4-address | Not Specified | 0.0.0.0 |
| unicast-hb * | Enable/disable unicast heartbeat. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| unicast-hb-netmask * | Unicast heartbeat netmask. | ipv4-netmask | Not Specified | 0.0.0.0 |
| unicast-hb-peerip * | Unicast heartbeat peer IP. | ipv4-address | Not Specified | 0.0.0.0 |
| unicast-status * | Enable/disable unicast connection. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| uninterruptible-primary-wait | Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade. | integer | Minimum value: 15, Maximum value: 300 | 30 |
| upgrade-mode | The mode to upgrade a cluster. Options: simultaneous = Upgrade all HA members at the same time; uninterruptible = Upgrade HA cluster without blocking network traffic; local-only = Upgrade local member only; secondary-only = Upgrade secondary member only. | option | - | uninterruptible |
| vcluster-status | Enable/disable virtual cluster for virtual clustering. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| weight | Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. | user | Not Specified | 0 40 |

* This parameter may not exist in some models.

** Values may differ between models.

config ha-mgmt-interfaces

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Table ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| interface | Interface to reserve for HA management. | string | Maximum length: 15 | |
| dst | Default route destination for reserved HA management interface. | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |
| gateway | Default route gateway for reserved HA management interface. | ipv4-address | Not Specified | 0.0.0.0 |
| gateway6 | Default IPv6 gateway for reserved HA management interface. | ipv6-address | Not Specified | :: |

config unicast-peers

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Table ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| peer-ip | Unicast peer IP. | ipv4-address | Not Specified | 0.0.0.0 |

config vcluster

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| vcluster-id | ID. | integer | Minimum value: 1, Maximum value: 30 | 1 |
| override | Enable and increase the priority of the unit that should always be primary (master). Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0, Maximum value: 255 | 128 |
| override-wait-time | Delay negotiating if override is enabled. Reduces how often the cluster negotiates. | integer | Minimum value: 0, Maximum value: 3600 | 0 |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified | |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified | |
| pingserver-failover-threshold | Remote IP monitoring failover threshold. | integer | Minimum value: 0, Maximum value: 50 | 0 |
| pingserver-secondary-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable = Enable force reset of secondary member after PING server failure; disable = Disable force reset of secondary member after PING server failure. | option | - | enable |
| pingserver-flip-timeout | Time to wait in minutes before renegotiating after a remote IP monitoring failover. | integer | Minimum value: 6, Maximum value: 2147483647 | 60 |
| vdom <name> | Virtual domain(s) in the virtual cluster. Virtual domain name. | string | Maximum length: 79 | |
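
Added example (not Fortinet code): a Python check that parses a `config system ha` block, including nested tables such as `config vcluster`, fills in the defaults and integer ranges listed in the tables above, and reports disabled heartbeat authentication or encryption, a missing cluster password, and out-of-range values. The sample configurations are constructed, and skipping the heartbeat checks when `mode` is `standalone` is an assumption of this example.

```python
import shlex

# Defaults and integer ranges copied from the parameter tables on this page.
DEFAULTS = {"mode": "standalone", "authentication": "disable", "encryption": "disable"}
RANGES = {
    "group-id": (0, 1023),
    "hb-interval": (1, 20),
    "hb-lost-threshold": (1, 60),
    "hello-holddown": (5, 300),
    "failover-hold-time": (0, 300),
    "priority": (0, 255),
    "override-wait-time": (0, 3600),
}

# Constructed sample: active-passive cluster that leaves the heartbeat defaults in place.
WEAK_SAMPLE = """\
config system ha
    set group-id 7
    set group-name "edge-cluster"
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set hb-interval 25
    config vcluster
        edit 1
            set priority 300
        next
    end
end
"""

# Constructed sample: same cluster with heartbeat protection and a cluster password.
# The value after ENC is a placeholder, not a real encrypted password.
HARDENED_SAMPLE = """\
config system ha
    set group-id 7
    set group-name "edge-cluster"
    set mode a-p
    set password ENC CONSTRUCTED-PLACEHOLDER
    set authentication enable
    set encryption enable
    set hbdev "port3" 50 "port4" 50
    set hb-interval 2
end
"""


def parse_ha(text):
    """Return the `config system ha` block as a dict.

    A nested `config <table>` becomes {table: {edit-id: {parameter: value}}}.
    """
    root = {}
    cur, stack, inside = root, [], False
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if not inside:
            inside = tok == ["config", "system", "ha"]
        elif tok[0] in ("config", "edit") and len(tok) > 1:
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "next" and stack:
            cur = stack.pop()
        elif tok[0] == "end":
            if not stack:
                break  # end of `config system ha`
            cur = stack.pop()
        elif tok[0] == "set" and len(tok) > 2:
            cur[tok[1]] = " ".join(tok[2:])
    return root


def _range_findings(params, where):
    """Report integer parameters whose value falls outside the documented range."""
    out = []
    for key, (lo, hi) in RANGES.items():
        value = params.get(key)
        if isinstance(value, str) and not (value.isdigit() and lo <= int(value) <= hi):
            out.append((where + key, f"{value!r} is outside the documented range {lo}-{hi}"))
    return out


def audit_ha(text):
    """Return a list of (parameter, message) findings for one HA configuration."""
    cfg = parse_ha(text)
    findings = _range_findings(cfg, "")
    for vid, entry in sorted(cfg.get("vcluster", {}).items()):
        findings += _range_findings(entry, f"vcluster {vid} ")
    # Assumption of this example: heartbeat settings only matter in a-a / a-p mode.
    if cfg.get("mode", DEFAULTS["mode"]) in ("a-a", "a-p"):
        for key in ("authentication", "encryption"):
            # A parameter absent from the block is taken at its documented default.
            if cfg.get(key, DEFAULTS[key]) != "enable":
                findings.append((key, f"heartbeat message {key} is disabled"))
        if "password" not in cfg:
            findings.append(("password", "no cluster password is set"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit_ha(sample))
```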

config system ha

config system ha

Configure HA.

config system ha
    Description: Configure HA.
    set arps {integer}
    set arps-interval {integer}
    set authentication [enable|disable]
    set cpu-threshold {user}
    set encryption [enable|disable]
    set evpn-ttl {integer}
    set failover-hold-time {integer}
    set ftp-proxy-threshold {user}
    set gratuitous-arps [enable|disable]
    set group-id {integer}
    set group-name {string}
    set ha-direct [enable|disable]
    set ha-eth-type {string}
    config ha-mgmt-interfaces
        Description: Reserve interfaces to manage individual cluster units.
        edit <id>
            set interface {string}
            set dst {ipv4-classnet}
            set gateway {ipv4-address}
            set gateway6 {ipv6-address}
        next
    end
    set ha-mgmt-status [enable|disable]
    set ha-uptime-diff-margin {integer}
    set hb-interval {integer}
    set hb-interval-in-milliseconds [100ms|10ms]
    set hb-lost-threshold {integer}
    set hbdev {user}
    set hc-eth-type {string}
    set hello-holddown {integer}
    set http-proxy-threshold {user}
    set imap-proxy-threshold {user}
    set ipsec-phase2-proposal {option1}, {option2}, ...
    set key {password}
    set l2ep-eth-type {string}
    set link-failed-signal [enable|disable]
    set load-balance-all [enable|disable]
    set logical-sn [enable|disable]
    set memory-based-failover [enable|disable]
    set memory-compatible-mode [enable|disable]
    set memory-failover-flip-timeout {integer}
    set memory-failover-monitor-period {integer}
    set memory-failover-sample-rate {integer}
    set memory-failover-threshold {integer}
    set memory-threshold {user}
    set mode [standalone|a-a|...]
    set monitor {user}
    set multicast-ttl {integer}
    set nntp-proxy-threshold {user}
    set override [enable|disable]
    set override-wait-time {integer}
    set password {password}
    set pingserver-failover-threshold {integer}
    set pingserver-flip-timeout {integer}
    set pingserver-monitor-interface {user}
    set pingserver-secondary-force-reset [enable|disable]
    set pop3-proxy-threshold {user}
    set priority {integer}
    set route-hold {integer}
    set route-ttl {integer}
    set route-wait {integer}
    set schedule [none|leastconnection|...]
    set session-pickup [enable|disable]
    set session-pickup-connectionless [enable|disable]
    set session-pickup-delay [enable|disable]
    set session-pickup-expectation [enable|disable]
    set session-pickup-nat [enable|disable]
    set session-sync-dev {user}
    set smtp-proxy-threshold {user}
    set ssd-failover [enable|disable]
    set standalone-config-sync [enable|disable]
    set standalone-mgmt-vdom [enable|disable]
    set sync-config [enable|disable]
    set sync-packet-balance [enable|disable]
    set unicast-gateway {ipv4-address}
    set unicast-hb [enable|disable]
    set unicast-hb-netmask {ipv4-netmask}
    set unicast-hb-peerip {ipv4-address}
    config unicast-peers
        Description: Number of unicast peers.
        edit <id>
            set peer-ip {ipv4-address}
        next
    end
    set unicast-status [enable|disable]
    set uninterruptible-primary-wait {integer}
    set upgrade-mode [simultaneous|uninterruptible|...]
    config vcluster
        Description: Virtual cluster table.
        edit <vcluster-id>
            set override [enable|disable]
            set priority {integer}
            set override-wait-time {integer}
            set monitor {user}
            set pingserver-monitor-interface {user}
            set pingserver-failover-threshold {integer}
            set pingserver-secondary-force-reset [enable|disable]
            set pingserver-flip-timeout {integer}
            set vdom <name1>, <name2>, ...
        next
    end
    set vcluster-status [enable|disable]
    set weight {user}
end

config system ha

Parameter

Description

Type

Size

Default

arps

Number of gratuitous ARPs. Lower to reduce traffic. Higher to reduce failover time.

integer

Minimum value: 1 Maximum value: 60

5

arps-interval

Time between gratuitous ARPs . Lower to reduce failover time. Higher to reduce traffic.

integer

Minimum value: 1 Maximum value: 20

8

authentication

Enable/disable heartbeat message authentication.

option

-

disable

Option

Description

enable

Enable heartbeat message authentication.

disable

Disable heartbeat message authentication.

cpu-threshold

Dynamic weighted load balancing CPU usage weight and high and low thresholds.

user

Not Specified

encryption

Enable/disable heartbeat message encryption.

option

-

disable

Option

Description

enable

Enable heartbeat message encryption.

disable

Disable heartbeat message encryption.

evpn-ttl

HA EVPN FDB TTL on primary box.

integer

Minimum value: 5 Maximum value: 3600

60

failover-hold-time

Time to wait before failover , to avoid flip.

integer

Minimum value: 0 Maximum value: 300

0

ftp-proxy-threshold

Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.

user

Not Specified

gratuitous-arps

Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.

option

-

enable

Option

Description

enable

Enable gratuitous ARPs.

disable

Disable gratuitous ARPs.

group-id

HA group ID . Must be the same for all members.

integer

Minimum value: 0 Maximum value: 1023

0

group-name

Cluster group name. Must be the same for all members.

string

Maximum length: 32

ha-direct

Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

option

-

disable

Option

Description

enable

Enable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

disable

Disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

ha-eth-type

HA heartbeat packet Ethertype (4-digit hex).

string

Maximum length: 4

8890

ha-mgmt-status

Enable to reserve interfaces to manage individual cluster units.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ha-uptime-diff-margin

Normally you would only reduce this value for failover testing.

integer

Minimum value: 1 Maximum value: 65535

300

hb-interval

Time between sending heartbeat packets. Increase to reduce false positives.

integer

Minimum value: 1 Maximum value: 20

2

hb-interval-in-milliseconds

Units of heartbeat interval time between sending heartbeat packets. Default is 100ms.

option

-

100ms

Option

Description

100ms

Each heartbeat interval is 100ms.

10ms

Each heartbeat interval is 10ms.

hb-lost-threshold

Number of lost heartbeats to signal a failure. Increase to reduce false positives.

integer

Minimum value: 1 Maximum value: 60

6 **

hbdev

Heartbeat interfaces. Must be the same for all members. Enter <interface> <priority> pairs to specify the priority of each heartbeat interface. Higher priority takes precedence.

user

Not Specified

hc-eth-type

Transparent mode HA heartbeat packet Ethertype (4-digit hex).

string

Maximum length: 4

8891

hello-holddown

Time to wait before changing from hello to work state.

integer

Minimum value: 5 Maximum value: 300

20

http-proxy-threshold

Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.

user

Not Specified

imap-proxy-threshold

Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.

user

Not Specified

ipsec-phase2-proposal

IPsec phase2 proposal.

option

-

Option

Description

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes128gcm

aes128gcm

aes256gcm

aes256gcm

chacha20poly1305

chacha20poly1305

key

Key.

password

Not Specified

l2ep-eth-type

Telnet session HA heartbeat packet Ethertype (4-digit hex).

string

Maximum length: 4

8893

link-failed-signal

Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

load-balance-all

Enable to load balance TCP sessions. Disable to load balance proxy sessions only.

option

-

disable

Option

Description

enable

Enable load balance.

disable

Disable load balance.

logical-sn

Enable/disable usage of the logical serial number.

option

-

disable

Option

Description

enable

Enable usage of the logical serial number.

disable

Disable usage of the logical serial number.

memory-based-failover

Enable/disable memory based failover.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

memory-compatible-mode

Enable/disable memory compatible mode.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

memory-failover-flip-timeout

Time to wait between subsequent memory based failovers in minutes.

integer

Minimum value: 6 Maximum value: 2147483647

6

memory-failover-monitor-period

Duration of high memory usage before memory based failover is triggered in seconds.

integer

Minimum value: 1 Maximum value: 300

60

memory-failover-sample-rate

Rate at which memory usage is sampled in order to measure memory usage in seconds.

integer

Minimum value: 1 Maximum value: 60

1

memory-failover-threshold

Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global).

integer

Minimum value: 0 Maximum value: 95

0

memory-threshold

Dynamic weighted load balancing memory usage weight and high and low thresholds.

user

Not Specified

mode

HA mode. Must be the same for all members. FGSP requires standalone.

option

-

standalone

Option

Description

standalone

Standalone mode.

a-a

Active-active mode.

a-p

Active-passive mode.

monitor

Interfaces to check for port monitoring (or link failure).

user

Not Specified

multicast-ttl

HA multicast TTL on primary.

integer

Minimum value: 5 Maximum value: 3600

600

nntp-proxy-threshold

Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.

user

Not Specified

override

Enable and increase the priority of the unit that should always be primary (master).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

override-wait-time

Delay negotiating if override is enabled. Reduces how often the cluster negotiates.

integer

Minimum value: 0 Maximum value: 3600

0

password

Cluster password. Must be the same for all members.

password

Not Specified

pingserver-failover-threshold

Remote IP monitoring failover threshold.

integer

Minimum value: 0 Maximum value: 50

0

pingserver-flip-timeout

Time to wait in minutes before renegotiating after a remote IP monitoring failover.

integer

Minimum value: 6 Maximum value: 2147483647

60

pingserver-monitor-interface

Interfaces to check for remote IP monitoring.

user

Not Specified

pingserver-secondary-force-reset

Enable to force the cluster to negotiate after a remote IP monitoring failover.

option

-

enable

Option

Description

enable

Enable force reset of secondary member after PING server failure.

disable

Disable force reset of secondary member after PING server failure.

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| pop3-proxy-threshold | Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions. | user | Not Specified | |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0 Maximum value: 255 | 128 |
| route-hold | Time to wait between routing table updates to the cluster. | integer | Minimum value: 0 Maximum value: 3600 | 10 |
| route-ttl | TTL for primary unit routes. Increase to maintain active routes during failover. | integer | Minimum value: 5 Maximum value: 3600 | 10 |
| route-wait | Time to wait before sending new routes to the cluster. | integer | Minimum value: 0 Maximum value: 3600 | 0 |
| schedule | Type of A-A load balancing. Use none if you have external load balancers. Options: none (None.), leastconnection (Least connection.), round-robin (Round robin.), weight-round-robin (Weight round robin.), random (Random.), ip (IP.), ipport (IP port.) | option | - | round-robin |
| session-pickup | Enable/disable session pickup. Enabling it can reduce session down time when fail over happens. Options: enable (Enable session pickup.), disable (Disable session pickup.) | option | - | disable |
| session-pickup-connectionless | Enable/disable UDP and ICMP session sync. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| session-pickup-delay | Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| session-pickup-expectation | Enable/disable session helper expectation session sync for FGSP. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| session-pickup-nat | Enable/disable NAT session sync for FGSP. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified | |
| smtp-proxy-threshold | Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions. | user | Not Specified | |
| ssd-failover * | Enable/disable automatic HA failover on SSD disk failure. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| standalone-config-sync | Enable/disable FGSP configuration synchronization. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| standalone-mgmt-vdom | Enable/disable standalone management VDOM. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| sync-config | Enable/disable configuration synchronization. Options: enable (Enable configuration synchronization.), disable (Disable configuration synchronization.) | option | - | enable |
| sync-packet-balance | Enable/disable HA packet distribution to multiple CPUs. Options: enable (Enable HA packet distribution to multiple CPUs.), disable (Disable HA packet distribution to multiple CPUs.) | option | - | disable |
| unicast-gateway * | Default route gateway for unicast interface. | ipv4-address | Not Specified | 0.0.0.0 |
| unicast-hb * | Enable/disable unicast heartbeat. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| unicast-hb-netmask * | Unicast heartbeat netmask. | ipv4-netmask | Not Specified | 0.0.0.0 |
| unicast-hb-peerip * | Unicast heartbeat peer IP. | ipv4-address | Not Specified | 0.0.0.0 |
| unicast-status * | Enable/disable unicast connection. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| uninterruptible-primary-wait | Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade. | integer | Minimum value: 15 Maximum value: 300 | 30 |
| upgrade-mode | The mode to upgrade a cluster. Options: simultaneous (Upgrade all HA members at the same time.), uninterruptible (Upgrade HA cluster without blocking network traffic.), local-only (Upgrade local member only.), secondary-only (Upgrade secondary member only.) | option | - | uninterruptible |
| vcluster-status | Enable/disable virtual cluster for virtual clustering. Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| weight | Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>. | user | Not Specified | 0 40 |

* This parameter may not exist in some models.

** Values may differ between models.

config ha-mgmt-interfaces

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| id | Table ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| interface | Interface to reserve for HA management. | string | Maximum length: 15 | |
| dst | Default route destination for reserved HA management interface. | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |
| gateway | Default route gateway for reserved HA management interface. | ipv4-address | Not Specified | 0.0.0.0 |
| gateway6 | Default IPv6 gateway for reserved HA management interface. | ipv6-address | Not Specified | :: |

config unicast-peers

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| id | Table ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| peer-ip | Unicast peer IP. | ipv4-address | Not Specified | 0.0.0.0 |

config vcluster

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| vcluster-id | ID. | integer | Minimum value: 1 Maximum value: 30 | 1 |
| override | Enable and increase the priority of the unit that should always be primary (master). Options: enable (Enable setting.), disable (Disable setting.) | option | - | disable |
| priority | Increase the priority to select the primary unit. | integer | Minimum value: 0 Maximum value: 255 | 128 |
| override-wait-time | Delay negotiating if override is enabled. Reduces how often the cluster negotiates. | integer | Minimum value: 0 Maximum value: 3600 | 0 |
| monitor | Interfaces to check for port monitoring (or link failure). | user | Not Specified | |
| pingserver-monitor-interface | Interfaces to check for remote IP monitoring. | user | Not Specified | |
| pingserver-failover-threshold | Remote IP monitoring failover threshold. | integer | Minimum value: 0 Maximum value: 50 | 0 |
| pingserver-secondary-force-reset | Enable to force the cluster to negotiate after a remote IP monitoring failover. Options: enable (Enable force reset of secondary member after PING server failure.), disable (Disable force reset of secondary member after PING server failure.) | option | - | enable |
| pingserver-flip-timeout | Time to wait in minutes before renegotiating after a remote IP monitoring failover. | integer | Minimum value: 6 Maximum value: 2147483647 | 60 |
| vdom <name> | Virtual domain(s) in the virtual cluster. Virtual domain name. | string | Maximum length: 79 | |