Configuring an HA group
Before configuring an HA group, we recommend performing a factory reset or restoring the database on both FortiNDR primary and secondary units.
If your FortiNDR unit is running, you can join a secondary unit to form the HA. However, you should allow more time to synchronize larger databases.
To configure an HA group:
- Make all the necessary connections and configure the network settings. Individual interface settings for both units can be configured from the Network page or with the CLI.
The following image shows an example network settings configuration:
- Load the latest ANN database on both FortiNDR units. The ANN database can be updated from FDS (see Updating the ANN database from FDS for malware detection) or with the CLI (see Loading the ANN database to FortiNDR for malware detection).
The ANN database is not synchronized.
The ANN scheduled update settings are not synchronized. You will need to configure both units to ensure the latest ANN is used after failover.
- On the primary unit, use the CLI to configure the HA for the network topology (see the example above):

    config system ha
    set mode primary
    set password xxx
    config interface
    edit port1
    set virtual-ip 192.168.1.80/24
    set action-on-primary use-vip
    set port-monitor enable
    end
    edit port3
    set heartbeat-status primary
    set peer-ip 192.168.3.101 << IP of secondary unit’s port3 interface
    end
    edit port4
    set heartbeat-status secondary
    set peer-ip 192.168.4.111 << IP of secondary unit’s port4 interface
    end
    end

| CLI option | Description |
| --- | --- |
| mode | Enables or disables HA and selects the initial configured role. Off: disable HA. Primary: configured as primary unit. Secondary: configured as secondary unit. |
| password | Enter an HA password for the HA group. You must configure the same password value on both the primary and secondary units. |
| heartbeat-status | Specify if this interface will be used for HA heartbeat and synchronization. Disable: The interface is not used for HA heartbeat and synchronization. Primary: We recommend using port3 as the primary HA interface. Secondary: We recommend having a secondary HA interface to improve availability. Use port4 as the secondary HA interface. |
| peer-ip | When configuring primary HA interfaces: when configuring the primary unit, enter the IP address of the secondary unit’s primary HA interface; when configuring the secondary unit, enter the IP address of the primary unit’s primary HA interface. The same rule should be applied when configuring the secondary HA interface. |
| virtual-ip | Enter the virtual IP address and netmask for this interface. If configured, this virtual IP can serve as the external IP of the HA group. When failover occurs, this setting will take effect on the new Primary unit. For details, see Using Virtual IP. |
| action-on-primary | ignore-vip [Default]: Ignore the Virtual IP interface configuration on the new Primary unit after failover. use-vip: Add the specified Virtual IP address and netmask to the interface on the new Primary unit after failover. |
| port-monitor | Enable to monitor a network interface for failure on the Primary unit. If the interface failure is detected, the Primary unit will trigger a failover. This does not apply to heartbeat interfaces. |

- On the Secondary unit, configure the HA using the same CLI configuration except for the ha mode and peer-ip settings for the HA interface:

    config system ha
    set mode secondary
    set password xxx << password should be same as primary unit
    config interface
    edit port1 << HA configuration for port1 should be same as primary unit
    set virtual-ip 192.168.1.80/24
    set action-on-primary use-vip
    set port-monitor enable
    end
    edit port3
    set heartbeat-status primary
    set peer-ip 192.168.3.100 << IP of primary unit’s port3 interface
    end
    edit port4
    set heartbeat-status secondary
    set peer-ip 192.168.4.110 << IP of primary unit’s port4 interface
    end
    end

- Check the HA status of both units.
Ensure the HA effective mode on both units has been updated successfully.
Check the HA status details. See Check HA status.
Ensure no errors appear on the HA event log. See HA Logs.
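
The pairing rules in the option table above (same password, identical per-interface HA settings, each peer-ip pointing at the other unit) can be checked offline before the units are joined. The following Python script is an added example, not Fortinet code: `parse_ha` and `check_pair` are hypothetical helpers, the parser understands only the layout shown on this page, and the sample is the page's primary configuration with port4 left out.

```python
# Added example (not Fortinet code): pre-flight check of an HA pair.
def parse_ha(text):
    cfg, iface = {"interfaces": {}}, None
    for raw in text.splitlines():
        words = raw.split("<<")[0].split()        # drop '<<' annotations
        if words[:1] == ["edit"] and len(words) > 1:
            iface = cfg["interfaces"].setdefault(words[1], {})
        elif words[:1] == ["end"]:
            iface = None
        elif words[:1] == ["set"] and len(words) >= 3:
            (cfg if iface is None else iface)[words[1]] = " ".join(words[2:])
    return cfg

def check_pair(pri, sec, pri_ips, sec_ips):
    """Return problems found; pri_ips/sec_ips map port -> that unit's own address."""
    out = []
    if (pri.get("mode"), sec.get("mode")) != ("primary", "secondary"):
        out.append("mode: expected primary on one unit, secondary on the other")
    if not pri.get("password") or pri.get("password") != sec.get("password"):
        out.append("password: missing or not identical on both units")
    for port in sorted(set(pri["interfaces"]) | set(sec["interfaces"])):
        p, s = pri["interfaces"].get(port, {}), sec["interfaces"].get(port, {})
        for key in ("heartbeat-status", "virtual-ip", "action-on-primary", "port-monitor"):
            if p.get(key) != s.get(key):
                out.append(f"{port}: {key} differs between units")
        # Assumption: no heartbeat-status line means the port is not a heartbeat link.
        if p.get("heartbeat-status", "disable") != "disable":
            for unit, conf, other in (("primary", p, sec_ips), ("secondary", s, pri_ips)):
                if conf.get("peer-ip") != other.get(port):
                    out.append(f"{port}: peer-ip on {unit} unit is not the peer's address")
    return out

# Sample input: this page's primary configuration (port4 omitted); secondary derived.
PRIMARY = """config system ha
set mode primary
set password xxx
config interface
edit port1
set virtual-ip 192.168.1.80/24
set action-on-primary use-vip
set port-monitor enable
end
edit port3
set heartbeat-status primary
set peer-ip 192.168.3.101 << IP of secondary unit's port3 interface
end
end"""
SECONDARY = PRIMARY.replace("mode primary", "mode secondary").replace("3.101", "3.100")
PRIMARY_IPS, SECONDARY_IPS = {"port3": "192.168.3.100"}, {"port3": "192.168.3.101"}
print(check_pair(parse_ha(PRIMARY), parse_ha(SECONDARY), PRIMARY_IPS, SECONDARY_IPS))
```

An empty list means the two configurations agree with the rules above; it does not replace checking the HA status and the HA event log on the units themselves.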
After the HA group is configured:
- The heartbeat check between the primary and secondary units will be done through the HA port.
The default heartbeat check is 30 seconds. This is configurable via the CLI.
- Configuration changes will be synced from the primary unit to the secondary unit. See HA configuration settings synchronization.
- Data (Database and sample files) will be synced from the primary unit to the secondary unit.
The database on the primary unit is large. Database synchronization may take a while.