Configuring interface monitoring
In active-passive HA mode, interface monitoring checks the local interfaces on the primary unit. If it detects a malfunctioning interface, it triggers a failover.
To configure interface monitoring
1. Go to System > High Availability > Configuration.
2. Select master or slave as the mode of operation.
3. Expand the Interface area, if required.
4. Click on the port/interface name to configure the interface. For details, see “Configuring the network interfaces”.
 
The interface IP address must be different from, but on the same subnet as, the IP addresses of the other heartbeat network interfaces of other members in the HA group.
When configuring other FortiMail units in the HA group, use this value as the:
Remote peer IP (for active-passive groups)
Master configuration (for secondary units in config-only groups)
Peer systems (for the primary unit on config-only groups)
5. Select a row in the table and click Edit to configure the following HA settings on the interface.
 
GUI item
Description
Port
Displays the name of the interface you are configuring.
Enable port monitor
Enable to monitor a network interface for failure. If the port fails, the primary unit will trigger a failover.
Heartbeat status
Specify if this interface will be used for HA heartbeat and synchronization.
Disable
Do not use this interface for HA heartbeat and synchronization.
Primary
Select the primary network interface for heartbeat and synchronization traffic. For more information, see “About the heartbeat and synchronization”.
This network interface must be connected directly or through a switch to the Primary heartbeat network interface of other members in the HA group.
Secondary
Select the secondary network interface for heartbeat and synchronization traffic. For more information, see “About the heartbeat and synchronization”.
The secondary heartbeat interface is the backup heartbeat link between the units in the HA group. If the primary heartbeat link is functioning, the secondary heartbeat link is used for the HA heartbeat. If the primary heartbeat link fails, the secondary link is used for the HA heartbeat and for HA synchronization.
This network interface must be connected directly or through a switch to the Secondary heartbeat network interfaces of other members in the HA group.
Caution: Using the same network interface for both HA synchronization/heartbeat traffic and other network traffic could result in issues with heartbeat and synchronization during times of high traffic load, and is not recommended.
Note: In general, you should isolate the network interfaces that are used for heartbeat traffic from your overall network. Heartbeat and synchronization packets contain sensitive configuration information, are latency-sensitive, and can consume considerable network bandwidth.
Peer IP address
Enter the IP address of the matching heartbeat network interface of the other member of the HA group.
For example, if you are configuring the primary unit’s primary heartbeat network interface, enter the IP address of the secondary unit’s primary heartbeat network interface.
Similarly, for the secondary heartbeat network interface, enter the IP address of the other unit’s secondary heartbeat network interface.
For information about configuration synchronization and what is not synchronized, see “About the heartbeat and synchronization”.
This option appears only for active-passive HA.
Peer IPv6 address
Enter the peer IPv6 address in the active-passive HA group. For IPv6 support, see “About IPv6 Support”.
Virtual IP action
Select whether and how to configure the IP addresses and netmasks of the FortiMail unit whose effective HA mode of operation is currently master.
For example, a primary unit might be configured to receive email traffic through port1 and receive heartbeat and synchronization traffic through port5 and port6. In that case, you would configure the primary unit to set the IP addresses or add virtual IP addresses for port1 of the secondary unit on failover in order to mimic that of the primary unit.
Ignore: Do not change the network interface configuration on failover, and do not monitor. For details on service monitoring for network interfaces, see “Configuring the network interfaces”.
Set: Add the specified virtual IP address and netmask to the network interface on failover. Normally, you will configure your network (MX records, firewall policies, routing and so on) so that clients and mail services use the virtual IP address. Both originating and reply traffic use the virtual IP address. This option results in the network interface having two IP addresses: the actual and the virtual. For examples, see “Example: Active-passive HA group in gateway mode”. In v3.0 MR2 and older releases, the behavior is different: the originating traffic uses the actual IP address instead of the virtual IP address. For details, see the Fortinet Knowledge Base article at http://kb.fortinet.com.
Bridge: Include the network interface in the Layer 2 bridge. While the effective HA mode of operation is slave, the interface is deactivated and cannot process traffic, preventing Layer 2 loops. Then, when the effective HA mode of operation becomes master, the interface is activated again and can process traffic. This option appears only if the FortiMail unit is operating in transparent mode. This option is not available for Port1 and the ports not in the bridge group. For information on configuring bridging network interfaces, see “Editing network interfaces”.
Note: Settings in this section are synchronizable. Configure the primary unit, then synchronize it to the secondary unit. For details, see “click HERE to start a configuration/data sync”.
Virtual IP address
Enter the virtual IPv4 address for this interface.
Virtual IPv6 address
Enter the virtual IPv6 address for this interface. For IPv6 support, see “About IPv6 Support”.
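
The heartbeat addressing rules above (interface IPs that differ but share a subnet, a Peer IP address that points at the other unit's matching heartbeat interface, and heartbeat links kept off interfaces that carry other traffic) can be checked on paper before they are entered in the GUI. The following Python script is an added example, not Fortinet code; the plan layout, field names, unit names and addresses are constructed for illustration and are not FortiMail configuration syntax.

```python
import ipaddress

# Constructed plan (hypothetical field names and addresses, not FortiMail syntax).
# Each unit lists its heartbeat interfaces by role, with the peer IP entered on it.
PLAN = {
    "unit-a": {
        "primary":   {"port": "port5", "ip": "10.0.5.1/24", "peer_ip": "10.0.5.2", "shared": False},
        "secondary": {"port": "port6", "ip": "10.0.6.1/24", "peer_ip": "10.0.6.2", "shared": False},
    },
    "unit-b": {
        "primary":   {"port": "port5", "ip": "10.0.5.2/24", "peer_ip": "10.0.5.1", "shared": False},
        "secondary": {"port": "port6", "ip": "10.0.7.2/24", "peer_ip": "10.0.6.1", "shared": True},
    },
}

def check_heartbeat_plan(plan):
    """Return a list of findings for a two-unit active-passive heartbeat plan."""
    findings = []
    (name_a, a), (name_b, b) = plan.items()
    for role in ("primary", "secondary"):
        if role not in a or role not in b:
            if role in a or role in b:
                findings.append(f"{role}: configured on only one unit")
            continue
        ia = ipaddress.ip_interface(a[role]["ip"])
        ib = ipaddress.ip_interface(b[role]["ip"])
        # Rule: the two addresses differ but sit on the same subnet.
        if ia.ip == ib.ip:
            findings.append(f"{role}: both units use {ia.ip}")
        if ia.network != ib.network:
            findings.append(f"{role}: {ia.network} and {ib.network} are different subnets")
        # Rule: each unit's peer IP is the other unit's interface of the same role.
        for me, mine, theirs in ((name_a, a[role], ib), (name_b, b[role], ia)):
            if ipaddress.ip_address(mine["peer_ip"]) != theirs.ip:
                findings.append(f"{role}: {me} peer IP {mine['peer_ip']} should be {theirs.ip}")
            # Caution from the page: heartbeat link shared with other network traffic.
            if mine["shared"]:
                findings.append(f"{role}: {me} {mine['port']} also carries other traffic")
    return findings

if __name__ == "__main__":
    for finding in check_heartbeat_plan(PLAN):
        print(finding)
```

An empty result means the plan satisfies the three checks; it says nothing about cabling or switch configuration, which still have to connect matching heartbeat interfaces to each other.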