How to use HA
In general, to enable and configure HA, you should perform the following:
1. If the HA cluster will use FortiGuard Antivirus and/or FortiGuard Antispam services, license all FortiMail units in the HA group for the FortiGuard Antispam and FortiGuard Antivirus services, and register them with the Fortinet Technical Support web site,
https://support.fortinet.com/.
2. Physically connect the FortiMail units that will be members of the HA cluster.
You must connect at least one of their network interfaces for heartbeat and synchronization traffic between members of the cluster. For reliability reasons, Fortinet recommends that you connect both a primary and a secondary heartbeat interface, and that they be connected directly or through a dedicated switch that is not connected to your overall network.
3. For config-only clusters, configure each member of the cluster to store mail data on a NAS server that supports NFS connections. (Active-passive groups may also use a NAS server, but do not require it.) For details, see
“Selecting the mail data storage location”.
4. On each member of the cluster:
• Enable the HA mode that you want to use (either active-passive or config-only) and select whether the individual member will act as a primary unit or secondary unit within the cluster. For information about the differences between the HA modes, see
“About high availability”.
• Configure the local IP addresses of the primary and secondary heartbeat and synchronization network interfaces.
• For active-passive clusters, configure the behavior on failover, and how the network interfaces should be configured for whichever FortiMail unit is currently acting as the primary unit. Additionally, if the FortiMail units store mail data on a NAS, disable mail data synchronization between members.
• For config-only clusters, if the FortiMail unit is a primary unit, configure the IP addresses of its secondary units; if the FortiMail unit is a secondary unit, configure the IP address of its primary unit.
5. If the HA cluster is active-passive and you want to trigger failover when hardware or a service fails, even if the heartbeat connection is still functioning, configure service monitoring. For details, see
“Configuring service-based failover”.