High Availability Deployments : HA synchronization
 
HA synchronization
The master node pushes most of its configuration to the other member nodes. This is known as synchronization. Synchronization occurs immediately when a node joins the cluster, and thereafter every 30 seconds. Synchronization includes the configuration for network interfaces, SPPs, and ACLs.
You usually configure only the main cluster node, and its settings are pushed to other members. You might log into the system for the other member in the following situations:
To configure settings that are not synchronized
To view log messages recorded about the member node itself on its own hard disk
To view traffic reports for traffic processed by the member node
Table 84 summarizes the configuration settings that are not synchronized. All other configuration settings are synchronized.
Table 84: Settings that are not synchronized

Hostname
    The hostnames for member nodes are unique.

Power Failure Bypass Mode
    In an active/passive deployment, the primary node must be set to Fail Closed so the adjacent switches can select the secondary node. The secondary unit can be set to Fail Closed or Fail Open, depending on how you want to handle the situation if both FortiDDoS nodes are down.

SNMP system information
    Each member node has its own SNMP system information.

Certificates
    X.509 certificates, certificate request files (CSR), and private keys are unique to a system.

HA settings
    Most of the HA configuration is not synchronized in order to support HA system operations. In particular:
    Priority and Override settings—These settings are used to elect a primary node, so they are not synchronized, which allows the nodes to differ.
    Group ID—Nodes with the same Group ID join a cluster. The setting precedes and determines group membership, so it is set manually.
    HA mode—Many administrators prefer to be able to switch the primary node from an HA mode to standalone mode without the other nodes following suit, or to switch a secondary node to standalone mode and have that setting not overwritten by periodic synchronization, so the HA mode setting is not pushed from the primary node to the member nodes.
Most data is also not synchronized, specifically:
Session data—The cluster does not synchronize session information or any other element of the data traffic.
Estimated thresholds—Configured thresholds are part of the configuration and are synchronized, but the estimated thresholds shown in Monitor graphs are based on the history of traffic processed by the local system.
Log messages—These describe events that happened on that specific appliance. After a failover, you might notice a gap in the original active appliance’s log files that corresponds to the period of its downtime. Log messages created while the standby was acting as the active appliance are stored on the original standby appliance (if you have configured local log storage).
Generated reports—Like the log messages they are based on, PDF, HTML, RTF, and plain text reports describe events that happened on that specific appliance. Report settings are synchronized, but report output is not.

In an active-passive cluster, only the management IP address for the primary node is active.
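As an added example (not FortiDDoS code or documentation), the following Python check compares configuration dumps taken from the primary and a member node and reports only drift in settings that should have been synchronized, treating the Table 84 settings as expected differences. The key=value dump format, the key names and the sample values are constructed for illustration.

```python
# Added example (not FortiDDoS code): flag configuration drift between two HA
# nodes while ignoring the settings that Table 84 says are never synchronized.
# The key=value config format, key names and sample values are constructed.

# Settings listed in Table 84 as not synchronized; differences here are expected.
NOT_SYNCHRONIZED = {
    "hostname", "power-failure-bypass-mode", "snmp-sysinfo", "certificates",
    "ha-priority", "ha-override", "ha-group-id", "ha-mode",
}

def parse_config(text):
    """Parse constructed 'key = value' lines into a dict, skipping blanks/comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def find_drift(primary_text, secondary_text):
    """Return {key: (primary, secondary)} for synchronized settings that differ."""
    primary, secondary = parse_config(primary_text), parse_config(secondary_text)
    drift = {}
    for key in sorted(set(primary) | set(secondary)):
        if key in NOT_SYNCHRONIZED:
            continue  # expected to differ between nodes
        if primary.get(key) != secondary.get(key):  # None if missing on one side
            drift[key] = (primary.get(key), secondary.get(key))
    return drift

# Constructed config dumps from the two nodes of an active/passive pair.
PRIMARY = """hostname = ddos-primary
ha-priority = 1
power-failure-bypass-mode = fail-closed
interface.port1.mtu = 1500
spp.SPP-1.syn-threshold = 20000
"""
SECONDARY = """hostname = ddos-secondary
ha-priority = 2
power-failure-bypass-mode = fail-open
interface.port1.mtu = 1500
spp.SPP-1.syn-threshold = 15000
"""

if __name__ == "__main__":
    for key, (p, s) in find_drift(PRIMARY, SECONDARY).items():
        print(f"unexpected drift in {key}: primary={p} secondary={s}")
```

Run it shortly after a node joins (synchronization happens immediately, then every 30 seconds) to confirm that only the Table 84 settings differ; anything else reported is drift worth investigating.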
 
 
In an HA deployment, avoid using the following CLI commands:
config ddos spp threshold-report
config ddos spp threshold-adjust
These commands generate other commands and a command context, and could lead to unexpected behavior when synchronized to the secondary node. In an HA deployment, be sure to use the GUI or REST API to configure these particular settings.