Setting | Explanation |
Hostname | The hostnames for member nodes are unique. |
Power Failure Bypass Mode | In an active/passive deployment, the primary node must be set to Fail Closed so the adjacent switches can select the secondary node. The secondary unit can be set to Fail Closed or Fail Open, depending on how you want to handle the situation if both FortiDDoS nodes are down. |
SNMP system information | Each member node has its own SNMP system information. |
Certificates | X.509 certificates, certificate request files (CSR), and private keys are unique to a system. |
HA settings | Most of the HA configuration is not synchronized in order to support HA system operations. In particular: • Priority and Override settings—These settings are used to elect a primary node, so they are not synchronized to enable differentiation. • Group ID—Nodes with the same Group ID join a cluster. The setting precedes and determines group membership, so it is set manually. • HA mode—Many administrators prefer to be able to switch the primary node from an HA mode to standalone mode without the other nodes following suit, or to switch a secondary node to standalone mode and have that setting not overwritten by periodic synchronization, so the HA mode setting is not pushed from the primary node to the member nodes. |

In an HA deployment, avoid using the following CLI commands:

• config ddos spp threshold-report
• config ddos spp threshold-adjust

These commands generate other commands and a command context, and could lead to unexpected behavior when synchronized to the secondary node. In an HA deployment, be sure to use the GUI or REST API to configure these particular settings.