About standalone versus HA deployment
If you plan to convert a standalone FortiMail unit into a member of an HA group, first understand the changes that the HA deployment shown in Figure 79 requires, by comparing it with a standalone deployment and noting where the two are alike and where they differ.
Examine the network interface configuration of a standalone FortiMail-400 unit in Table 36.
Table 36: Example standalone network interface configuration
Network interface | IP address | Description |
port1 | 192.168.1.5 | Administrative connections to the FortiMail unit. |
port2, port4 | Default | Not connected. |
port3 | 172.16.1.2 | Email connections to the FortiMail unit; the target of your email DNS A records. (No administrative access.) |
port5 | Default | Not connected. |
port6 | Default | Not connected. |
Similarly, for the HA group, DNS A records should target the IP address of the port3 interface of the primary FortiMail-400 unit. Additionally, administrators should administer each FortiMail unit in the HA group by connecting to the IP address of each FortiMail unit’s port1.
If a failover occurs, the network must be able to direct traffic to port3 of the secondary unit without reconfiguring the DNS A record target. The secondary unit must cleanly and automatically substitute for the primary unit, as if they were a single, standalone unit.
Unlike the configuration of the standalone unit, for the HA group to accomplish that substitution, all email connections must use an IP address that transfers between the primary unit and the secondary unit according to which one’s effective HA operating mode is currently master. This transferable IP address can be provided by configuring the HA group to either:
• set the IP address of the current primary unit’s network interface
• add a virtual IP address to the current primary unit’s network interface
In this example, the HA group uses the method of adding a virtual IP address. Email connections will not use the actual IP address of port3. Instead, all email connections will use only the virtual IP address 172.16.1.2, which is used by port3 of whichever FortiMail unit’s effective HA operating mode is currently master. During normal HA group operation, this IP address resides on the primary unit. Conversely, after a failover occurs, this IP address resides on the former secondary unit (now the current primary unit).
Also unlike the configuration of the standalone unit, both port5 and port6 are configured for each member of the HA group. The primary unit’s port5 is directly connected using a crossover cable to the secondary unit’s port5; the primary unit’s port6 is directly connected to the secondary unit’s port6. These links are used solely for heartbeat and synchronization traffic between members of the HA group.
For comparison with the standalone unit, examine the network configuration of the primary unit in Table 37.
Table 37: Example primary unit HA network interface configuration
Interface | IP/Netmask | Virtual IP action | Virtual IP address | Description |
port1 | 192.168.1.5 | Ignore | | Administrative connections to this FortiMail unit. (Because the IP address does not follow the FortiMail unit whose effective mode is currently master, connections to this IP address are specific to this physical unit. Administrators can still connect to this FortiMail unit after failover, which may be useful for diagnostic purposes.) |
port2, port4 | Default | Ignore | | Not connected. |
port3 | 172.16.1.5 | Set | 172.16.1.2 | Email connections to the FortiMail unit; the target of your email DNS MX and A records. Connections should not be destined for the actual IP address, but instead the virtual IP address (172.16.1.2) which follows the FortiMail unit whose effective HA operating mode is master. No administrative access. |
port5 | 10.0.1.2 | Ignore | | Secondary heartbeat and synchronization interface. |
port6 | 10.0.0.2 | Ignore | | Primary heartbeat and synchronization interface. |
Because the “Virtual IP action” settings are synchronized between the primary and secondary units, you do not need to configure them separately on the secondary unit. However, you must configure the secondary unit with the other settings listed in Table 38.
Table 38: Example secondary unit HA network interface configuration
Interface | IP/Netmask | Virtual IP action | Virtual IP address | Description |
port1 | 192.168.1.6 | (synchronized from primary unit) | (synchronized from primary unit) | Administrative connections to this FortiMail unit. (Because the IP address does not follow the FortiMail unit whose effective mode is currently master, connections to this IP address are specific to this physical unit. Administrators can connect to this FortiMail unit even when it is currently the secondary unit, which may be useful for HA configuration and log viewing.) |
port2, port4 | Default | (synchronized from primary unit) | (synchronized from primary unit) | Not connected. |
port3 | 172.16.1.6 | (synchronized from primary unit) | (synchronized from primary unit) | Connections should not be destined for the actual IP address, but instead the virtual IP address (172.16.1.2) which follows the FortiMail unit whose effective HA operating mode is master. As a result, no connections should be destined for this network interface until a failover occurs, causing the secondary unit to become the new primary unit. No administrative access. |
port5 | 10.0.1.4 | (synchronized from primary unit) | (synchronized from primary unit) | Secondary heartbeat and synchronization interface. |
port6 | 10.0.0.4 | (synchronized from primary unit) | (synchronized from primary unit) | Primary heartbeat and synchronization interface. |
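As an added example (not from the FortiMail documentation), the following Python check validates an HA addressing plan like the one in Tables 37 and 38 before you commit it: every real address is unique, the virtual IP lies inside port3’s subnet on both units without matching any real address (it moves on failover), and the two heartbeat links sit on separate subnets that do not overlap the email or administrative networks. The /24 netmasks and the omission of the unconnected port2/port4 are assumptions, since the page lists only addresses.

```python
"""Sanity-check an HA addressing plan like the one in Tables 37 and 38."""
import ipaddress

# Constructed from the page's example addresses; the /24 netmasks are an
# assumption, since the page lists only the IP addresses.
PLAN = {
    "primary":   {"port1": "192.168.1.5/24", "port3": "172.16.1.5/24",
                  "port5": "10.0.1.2/24", "port6": "10.0.0.2/24"},
    "secondary": {"port1": "192.168.1.6/24", "port3": "172.16.1.6/24",
                  "port5": "10.0.1.4/24", "port6": "10.0.0.4/24"},
}
VIRTUAL_IPS = {"port3": "172.16.1.2"}  # "Virtual IP action: Set" on port3 only
HEARTBEAT_PORTS = ("port5", "port6")


def check_plan(plan, virtual_ips, heartbeat_ports=HEARTBEAT_PORTS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, units, seen = [], list(plan), {}
    # 1. Every real address must be unique across both units.
    for unit, ifaces in plan.items():
        for name, cidr in ifaces.items():
            addr = ipaddress.ip_interface(cidr).ip
            if addr in seen:
                problems.append(f"{unit}/{name} reuses {addr} of {seen[addr]}")
            seen[addr] = f"{unit}/{name}"
    # 2. A virtual IP moves between units on failover, so it must lie in the
    #    interface's subnet on every unit and must not be a real address.
    for name, vip in virtual_ips.items():
        vip_addr = ipaddress.ip_address(vip)
        if vip_addr in seen:
            problems.append(f"virtual IP {vip} collides with {seen[vip_addr]}")
        for unit in units:
            net = ipaddress.ip_interface(plan[unit][name]).network
            if vip_addr not in net:
                problems.append(f"virtual IP {vip} outside {unit}/{name} subnet {net}")
    # 3. Heartbeat links are crossover point-to-point links: both ends share a
    #    subnet, and the two links use distinct subnets separate from data nets.
    hb_nets = {}
    for name in heartbeat_ports:
        nets = {ipaddress.ip_interface(plan[u][name]).network for u in units}
        if len(nets) != 1:
            problems.append(f"{name} ends are on different subnets: {nets}")
        hb_nets[name] = nets.pop()
    if len(set(hb_nets.values())) != len(hb_nets):
        problems.append("heartbeat links share one subnet; no redundancy")
    other = {ipaddress.ip_interface(plan[u][n]).network
             for u in units for n in plan[u] if n not in heartbeat_ports}
    for name, net in hb_nets.items():
        if any(net.overlaps(o) for o in other):
            problems.append(f"{name} heartbeat subnet {net} overlaps a data subnet")
    return problems
```

Run it against the plan before cabling the crossover links; any non-empty result points at the interface to fix.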