By default, each FortiWeb appliance is a single, standalone appliance that operates independently.
If you have more than one, however, you can configure the FortiWeb appliances to form an active-passive high availability (HA) FortiWeb cluster. This improves availability so that you can achieve 99.999% service level agreement (SLA) uptime despite, for example, hardware failure or maintenance periods.
If you have multiple FortiWeb appliances but do not need failover, you can still synchronize the configuration. This can be useful for cloned network environments and externally load-balanced active-active HA. See Replicating the configuration without FortiWeb HA (external HA).
You can also use the FortiWeb WCCP feature to create an active-active HA cluster. You synchronize the cluster members using FortiWeb's configuration synchronization feature so that each cluster member is ready to act as backup if the other appliance is not available. The WCCP server provides load balancing between the HA pair and redirects all traffic to one cluster member if the other member is unavailable. For more information, see Example: Using WCCP with multiple FortiWeb appliances.
HA requirements
For best fault tolerance, make sure that your topology is fully redundant, with no single points of failure. For example, in HA topology and failover — IP address transfer to the new active appliance, the switch, firewall, and Internet connection are all single points of failure. If any should fail, web sites would be unavailable, despite the HA cluster. To prevent this, you would add a dual ISP connection to separate service providers, preferably with their own redundant pathways upstream. You would also add a standby firewall, and a standby switch.
The style of FortiWeb HA is active-passive: one appliance is elected to be the active appliance (also called the primary, main, or master), applying the policies for all connections. The other is a passive standby (also called the secondary, or slave), which assumes the role of the active appliance and begins processing connections only if the active appliance fails.
The active and standby appliances detect failures by communicating through a heartbeat link that connects the two appliances in the HA pair. Failure is assumed when the active appliance is unresponsive to the heartbeat from the standby appliance for a configured amount of time:
Heartbeat timeout = Detection Interval x Heartbeat Lost Threshold
If the active appliance fails, a failover occurs: the standby becomes active. To do this, the standby takes all IP addresses of the unresponsive appliance: it notifies the network via ARP to redirect traffic for that virtual MAC address (VMAC) to its own network interfaces. (In transparent modes, this includes the management IP. Additionally, at Layer 2, switches are notified that the VMAC is now connected to a different physical port. So even though in these modes the interfaces usually are transparent bridges without IPs, ARP traffic will still occur due to failover.)
Time required for traffic to be redirected to the new active appliance varies by your network’s responsiveness to changeover notification and by your configuration:
Total failover time = ARP Packet Numbers x ARP Packet Interval + Network responsiveness + Heartbeat timeout
For example, if:
then the total time between the first unacknowledged heartbeat and traffic redirection could be up to 5.6 seconds.
When the former active appliance comes back online, it may or may not assume its former active role. For an explanation, see How HA chooses the active appliance. (At this time, when an appliance is rejoining the cluster, FortiWeb will also send gratuitous ARP packets. This helps to ensure that traffic is not accidentally forwarded to both the current and former active appliance in cases where the cluster is connected through 2 switches.)
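The failover mechanism described above rests on gratuitous ARP: the new active member broadcasts ARP messages in which the sender and target IP are the same, so every host and switch on the segment re-points that IP (and the cluster VMAC) at the port it now hangs off. The following is an added example, not FortiWeb code: it builds and decodes such a frame with Python's standard library, and then scans a batch of frames for gratuitous announcements, flagging an IP that is claimed by more than one MAC, which is what you would see if both members were announcing at once (the dual-switch case mentioned above) or if something else on the segment were spoofing the address. The VMAC, IP addresses and frames are constructed for the example; FortiWeb derives the real VMAC from the HA group ID, and the page does not give the formula, so the MAC is simply passed in.

```python
"""Gratuitous ARP frames as used for HA failover; added example, not FortiWeb code."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp(src_mac, sender_ip, target_mac, target_ip,
              opcode=ARP_REQUEST, dst_mac=BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP message (42 bytes, no FCS)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(src_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def build_gratuitous_arp(vmac: str, ip: str) -> bytes:
    """The announcement the new active member broadcasts: sender IP == target IP,
    so every host on the segment re-points `ip` at `vmac` in its ARP cache."""
    return build_arp(vmac, ip, ZERO_MAC, ip, ARP_REQUEST)


def decode_arp(frame: bytes) -> dict:
    """Parse an Ethernet/ARP frame; raises ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    sender_ip, target_ip = ip(frame[28:32]), ip(frame[38:42])
    return {
        "opcode": opcode,
        "sender_mac": mac(frame[22:28]), "sender_ip": sender_ip,
        "target_mac": mac(frame[32:38]), "target_ip": target_ip,
        # gratuitous: the sender announces its own IP instead of resolving another
        "gratuitous": sender_ip == target_ip,
    }


def garp_claims(frames) -> dict:
    """Map each IP announced by gratuitous ARP to the set of MACs claiming it.

    One MAC per IP is a normal failover or rejoin burst. Two MACs for the same IP
    means two devices are announcing it: both HA members at once, or a spoofer."""
    claims = {}
    for frame in frames:
        try:
            arp = decode_arp(frame)
        except ValueError:
            continue  # non-ARP traffic mixed into the capture
        if arp["gratuitous"]:
            claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return claims


# Constructed values for the example; not a real FortiWeb VMAC or address.
VMAC = "02:00:00:00:00:01"
VIP = "203.0.113.10"

if __name__ == "__main__":
    burst = [build_gratuitous_arp(VMAC, VIP) for _ in range(3)]  # ARP Packet Numbers = 3
    print(decode_arp(burst[0]))
    print(garp_claims(burst))
```

`garp_claims` is the piece worth keeping around: fed with the ARP frames from a capture on the server-side VLAN, it tells you whether a failover announced the VIP from exactly one MAC, which is the condition the gratuitous-ARP burst on rejoin is meant to guarantee.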
HA topology and failover — IP address transfer to the new active appliance shows an example HA network topology with IP address transfer from the active appliance to the standby appliance upon failover. In this example, the primary heartbeat link is formed by a crossover cable between the two port3 physical network ports; the secondary heartbeat link is formed between the two port4 physical network ports.
To configure FortiWeb appliances that are operating in HA mode, you usually connect only to the active appliance. The active unit’s configuration is almost entirely synchronized to the passive appliance, so that changes made to the active appliance are propagated to the standby appliance, ensuring that it will be prepared for a failover.
Exceptions to this rule include:
1. If the HA cluster will use FortiGuard services, license all FortiWeb appliances in the HA group, and register them with the Fortinet Technical Support web site:
2. Cable both appliances into a redundant network topology.
For an example, see HA topology and failover — IP address transfer to the new active appliance .
3. Physically link the FortiWeb appliances that will be members of the HA cluster.
You must link at least one of their ports (e.g. port4 to port4) for heartbeat and synchronization traffic between members of the cluster. You can either:
If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.
4. Log in to both appliances as the admin administrator account.
Accounts whose access profile includes Read and Write permissions to the System Configuration area can configure HA, but may not be able to use features that may be necessary when using HA, such as logs and network configuration.
5. On both appliances, go to System > Config > HA-Config.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
By default, each FortiWeb appliance operates as a single, standalone appliance: only the Configured HA mode drop-down list appears, with the Standalone option selected.
6. From Configured HA mode, select Active-Passive.
Fail-open is disabled when the FortiWeb appliance is configured as part of an HA pair. For information on fail-to-wire, see Fail-to-wire for power loss/reboots.
Additional options appear that enable you to configure HA.
7. Configure these settings:
Setting name | Description
---|---
Group-name | Type a name to identify the HA pair if you have more than one. This setting is optional, and does not affect HA function. The maximum length is 35 characters.
Device Priority | Type the priority of the appliance when electing the primary appliance in the HA pair. (On standby devices, this setting can be reconfigured using the CLI command execute ha manage <serial-number_str> <priority_int>. For details, see the FortiWeb CLI Reference.) This setting is optional. The smaller the number, the higher the priority. The valid range is 0 to 9. The default is 5. Note: By default, unless you enable Override, uptime is more important than this setting. For details, see How HA chooses the active appliance.
Override | Enable to make Device Priority a more important factor than uptime when selecting the main appliance. See How HA chooses the active appliance.
Group ID | Type a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID. Changing the group ID changes the cluster's virtual MAC address. The valid range is 0 to 63. The default value is 0.
Detection Interval | Type the number of 100-millisecond intervals to set the pause between each heartbeat packet that one FortiWeb appliance sends to the other FortiWeb appliance in the HA pair. This is also the amount of time that a FortiWeb appliance waits before expecting to receive a heartbeat packet from the other appliance. This part of the configuration is synchronized between the active appliance and standby appliance. The valid range is 1 to 20 (that is, between 100 and 2,000 milliseconds). Note: Although this setting is synchronized between the main and standby appliances, you should initially configure both appliances with the same Detection Interval to prevent inadvertent failover from occurring before the initial synchronization.
Heartbeat Lost Threshold | Type the number of times one of the HA appliances retries the heartbeat and waits to receive HA heartbeat packets from the other HA appliance before assuming that the other appliance has failed. This part of the configuration is synchronized between the main appliance and standby appliance. Normally, you do not need to change this setting. The valid range is from 1 to 60.
Port Monitor | Mark the check boxes of one or more network interfaces that each directly correlate with a physical link. These ports will be monitored for link failure. Port monitoring (also called interface monitoring) monitors physical network ports to verify that they are functioning properly and linked to their networks. If the physical port fails or the cable becomes disconnected, a failover occurs. You can monitor physical interfaces, but not VLAN subinterfaces or 4-port switches. If you select a link aggregate interface, failover occurs only if all the physical network interfaces in the logical interface fail. For more information, see Link aggregation. Note: To prevent an unintentional failover, do not configure port monitoring until you configure HA on both appliances in the HA pair, and have plugged in the cables to link the physical network ports that will be monitored.
Heartbeat Interface | Select which port(s) on this appliance the main and standby appliances will use to send heartbeat signals and synchronization data to each other (i.e. the HA heartbeat link). Connect this port to the same port number on the other member of the HA cluster. (e.g., if you select port3 for the primary heartbeat link, connect port3 on this appliance to port3 on the other appliance.) At least one heartbeat interface must be selected on each appliance in the HA cluster. Ports that currently have an IP address assigned for other purposes (that is, virtual servers or bridges) cannot be re-used as a heartbeat link. Tip: If enough ports are available, you can select both a primary heartbeat interface and a secondary heartbeat interface on each appliance in the HA pair to provide heartbeat link redundancy. (You cannot use the same port as both the primary and secondary heartbeat interface on the same appliance, as this is incompatible with the purpose of link redundancy.) Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.
8. Click Apply.
Both appliances join the HA cluster by matching their Group ID. They begin to send heartbeat and synchronization traffic to each other through their heartbeat links.
To determine which appliance currently has the role of the main appliance, on System > Config > HA-Config, in the HA Member table, view the HA Role column.
If both appliances believe that they are the main, see the boot-time <seconds_int> setting in the FortiWeb CLI Reference. To troubleshoot the heartbeat and synchronization, use the diagnose system ha status and diagnose debug application hatalk level commands. For details, see the FortiWeb CLI Reference.
9. To monitor the HA cluster for failover, you can use SNMP (see Configuring an SNMP community), log messages, and alert email (see Configuring logging).
If failover time is too long, adjust the following:
Setting name | Description
---|---
ARP Packet Numbers | Type the number of times that the FortiWeb appliance will broadcast extra address resolution protocol (ARP) packets when it takes on the main role. (Even though a new NIC has not actually been connected to the network, FortiWeb does this to notify the network that a new physical port has become associated with the IP address and virtual MAC of the HA pair.) This is sometimes called "using gratuitous ARP packets to train the network," and can occur when the main appliance is starting up, or during a failover. Also configure ARP Packet Interval. Normally, you do not need to change this setting.
ARP Packet Interval | Type the number of seconds to wait between each broadcast of ARP packets. Normally, you do not need to change this setting. The valid range is from 1 to 20.
If your HA link passes through switches and/or routers, and inadvertent failovers occur when rebooting the HA pair, you can increase the maximum time to wait for a heartbeat signal after a reboot by configuring boot-time <limit_int>. See the FortiWeb CLI Reference.
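Before clicking Apply on either unit, it is worth checking the two planned configurations against each other, because several of the rules above are pair-level (matching Group ID, the same heartbeat port number on both units, the same initial Detection Interval) and a mismatch shows up only as a failed join or an unwanted failover. The following is an added example, not FortiWeb code: it encodes the value ranges and heartbeat/port-monitor rules from the settings table, the pair-level constraints, and the two timing formulas given earlier (Heartbeat timeout = Detection Interval x Heartbeat Lost Threshold; Total failover time = ARP Packet Numbers x ARP Packet Interval + Network responsiveness + Heartbeat timeout). Appliance names, port names and the chosen values are made up; the VLAN-subinterface naming check assumes the "port1.100" style and is marked as such in the code.

```python
"""Pre-flight check of an active-passive HA pair; added example, not FortiWeb code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HAMember:
    name: str
    group_id: int             # 0..63; both members must match, and it sets the VMAC
    priority: int             # 0..9; smaller number = higher priority
    detection_interval: int   # 1..20, in 100 ms units
    hb_lost_threshold: int    # 1..60
    heartbeat_ifaces: tuple   # primary (and optional secondary) heartbeat port names
    monitored_ifaces: tuple   # Port Monitor selection
    addressed_ifaces: tuple   # ports already carrying an IP (virtual server or bridge)
    arp_packets: int          # ARP Packet Numbers (no range is given on this page)
    arp_interval_s: int       # ARP Packet Interval, 1..20 seconds

    def heartbeat_timeout_s(self) -> float:
        """Heartbeat timeout = Detection Interval x Heartbeat Lost Threshold."""
        return self.detection_interval * 100 * self.hb_lost_threshold / 1000

    def failover_bound_s(self, network_responsiveness_s: float = 0.0) -> float:
        """Total failover time = ARP Packet Numbers x ARP Packet Interval
        + Network responsiveness + Heartbeat timeout (summed in ms to avoid float drift)."""
        ms = (self.arp_packets * self.arp_interval_s * 1000
              + round(network_responsiveness_s * 1000)
              + self.detection_interval * 100 * self.hb_lost_threshold)
        return ms / 1000


def check_member(m: HAMember) -> list:
    """Problems with one member's settings, per the ranges and rules in the settings table."""
    problems = []
    ranges = {"group_id": (0, 63), "priority": (0, 9), "detection_interval": (1, 20),
              "hb_lost_threshold": (1, 60), "arp_interval_s": (1, 20)}
    for attr, (lo, hi) in ranges.items():
        value = getattr(m, attr)
        if not lo <= value <= hi:
            problems.append(f"{m.name}: {attr}={value} outside {lo}..{hi}")
    if not m.heartbeat_ifaces:
        problems.append(f"{m.name}: at least one heartbeat interface is required")
    if len(set(m.heartbeat_ifaces)) != len(m.heartbeat_ifaces):
        problems.append(f"{m.name}: same port used as primary and secondary heartbeat")
    for port in m.heartbeat_ifaces:
        if port in m.addressed_ifaces:
            problems.append(f"{m.name}: {port} already has an IP and cannot be a heartbeat link")
    for port in m.monitored_ifaces:
        # Assumption: VLAN subinterfaces are named "<port>.<vlan-id>"; they cannot be monitored.
        if "." in port:
            problems.append(f"{m.name}: cannot port-monitor VLAN subinterface {port}")
    return problems


def check_pair(a: HAMember, b: HAMember) -> list:
    """Member-level problems plus the constraints that only hold across the pair."""
    problems = check_member(a) + check_member(b)
    if a.group_id != b.group_id:
        problems.append("group ID differs; the members will not join the same cluster")
    if (a.detection_interval, a.hb_lost_threshold) != (b.detection_interval, b.hb_lost_threshold):
        problems.append("heartbeat timing differs; risk of failover before the first sync")
    if set(a.heartbeat_ifaces) != set(b.heartbeat_ifaces):
        problems.append("heartbeat ports differ; each link must use the same port number on both")
    return problems


if __name__ == "__main__":
    # Constructed plan: port3/port4 crossover heartbeat links, port1/port2 carry traffic.
    fwb1 = HAMember("fwb-1", 7, 3, 3, 2, ("port3", "port4"), ("port1", "port2"),
                    ("port1", "port2"), 5, 1)
    fwb2 = HAMember("fwb-2", 7, 5, 3, 2, ("port3", "port4"), ("port1", "port2"),
                    ("port1", "port2"), 5, 1)
    print(check_pair(fwb1, fwb2) or "pair OK")
    print(f"heartbeat timeout {fwb1.heartbeat_timeout_s()} s, "
          f"failover bound {fwb1.failover_bound_s(0.5)} s with 0.5 s network responsiveness")
```

The failover bound is the figure to compare against the SLA before tuning: with the values in the example (Detection Interval 3, Lost Threshold 2, five ARP packets one second apart) the heartbeat timeout is 0.6 s and traffic may take up to 5.6 s plus network responsiveness to move, most of which is the ARP burst, so shortening ARP Packet Interval buys more than tightening the heartbeat, which mainly raises the chance of a spurious failover.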
Configuration synchronization provides the ability to duplicate the configuration from another FortiWeb appliance without using FortiWeb high availability (HA). The synchronization is a unilateral push, not a bilateral synchronization: it adds any missing items and overwrites any identically named items on the target FortiWeb, but it does not delete unique items on the target, nor does it pull items from the target to the initiating FortiWeb.
Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA:
In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do not need to use FortiWeb HA.
Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.
You can configure which port number the appliance uses to synchronize its configuration. See Config-Sync.
Synchronize each time you change the configuration, and are ready to propagate the changes. Unlike FortiWeb HA, configuration synchronization is not automatic and continuous. Changes will only be pushed when you manually initiate it.
Back up the target FortiWeb before pushing the configuration (see Backups). Synchronizing the configuration overwrites identically named items on the target, and cannot be undone without restoring the configuration from a backup.
1. Go to System > Config > Config-Synchronization.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions. This feature is not available if ADOMs are enabled.
2. In Peer FortiWeb IP, type the IP address of the target FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance.
3. In Peer FortiWeb Port, type the port number that the target FortiWeb appliance uses to listen for configuration synchronization. The default port is 8333.
4. In Peer FortiWeb 'admin' user password, type the password of the administrator account named admin on the other FortiWeb appliance.
5. In Synchronization Type, select one of the following options:
Option | Description
---|---
Full | For all operation modes except WCCP, synchronizes all configuration except certain items. When the operation mode is WCCP, the set of excluded items differs.
Partial | Synchronizes all configuration except certain items. For a detailed list of settings that are excluded from a partial synchronization, including CLI-only settings, see the FortiWeb CLI Reference. This option is not available if the FortiWeb appliance is operating in reverse proxy mode. See also Supported features in each operation mode.
To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target FortiWeb succeeds, this message should appear:
Service is available...
If the following message appears:
Service isn't available...
verify the connection settings, including that the admin account password matches.
6. Click Push config.
A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other FortiWeb, and asking if you want to continue.
7. Click Yes.
The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and settings. Time required varies by the size of the configuration and the speed of the network connection. When complete, this message should appear:
Config. synchronized successfully.
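The push semantics described at the start of this section and the warning in the confirmation dialog are easy to misread, so here they are as an added example, not FortiWeb code: a configuration is modelled as a mapping of section name to named objects, `preview_push` lists exactly what the dialog warns about (identically named items that will be overwritten), and `push_config` applies the rule: add missing items, overwrite identically named ones, keep the target's unique items, skip excluded sections, touch neither the source nor anything flowing back from the target. The section and object names, settings and the exclusion set are constructed for the example; the real excluded items per synchronization type are in the FortiWeb CLI Reference.

```python
"""Model of Push config; added example, not FortiWeb code."""
import copy

# Constructed configurations: section -> {object name: settings}.
SOURCE = {
    "server-policy": {
        "web1": {"vserver": "vs-web", "profile": "strict"},
        "api": {"vserver": "vs-api", "profile": "json-only"},
    },
    "web-protection-profile": {
        "strict": {"signatures": "all"},
        "json-only": {"signatures": "api"},
    },
    "system interface": {"port1": {"ip": "10.0.0.1/24"}},  # local to each appliance
}
TARGET = {
    "server-policy": {
        "web1": {"vserver": "vs-web", "profile": "lenient"},    # same name: overwritten
        "legacy": {"vserver": "vs-old", "profile": "lenient"},  # unique to target: kept
    },
    "web-protection-profile": {"lenient": {"signatures": "none"}},
    "system interface": {"port1": {"ip": "10.0.0.2/24"}},
}
# Hypothetical exclusion set; the real per-type list is in the FortiWeb CLI Reference.
EXCLUDED_FULL = {"system interface"}


def preview_push(source: dict, target: dict, excluded: set) -> list:
    """What the confirmation dialog warns about: identically named items to be overwritten."""
    return sorted(
        f"{section}/{name}"
        for section, objects in source.items() if section not in excluded
        for name in objects if name in target.get(section, {})
    )


def push_config(source: dict, target: dict, excluded: set):
    """Unilateral push: returns the target's new configuration and a change report.

    Adds missing items, overwrites identically named ones, keeps target-only items,
    never modifies `source` and never copies anything back from `target`."""
    result = copy.deepcopy(target)
    report = {"added": [], "overwritten": [], "kept": []}
    for section, objects in source.items():
        if section in excluded:
            continue
        dest = result.setdefault(section, {})
        for name, settings in objects.items():
            report["overwritten" if name in dest else "added"].append(f"{section}/{name}")
            dest[name] = copy.deepcopy(settings)
    for section, objects in target.items():
        for name in objects:
            if section in excluded or name not in source.get(section, {}):
                report["kept"].append(f"{section}/{name}")
    return result, report


if __name__ == "__main__":
    print("will overwrite:", preview_push(SOURCE, TARGET, EXCLUDED_FULL))
    new_target, report = push_config(SOURCE, TARGET, EXCLUDED_FULL)
    print(report)
    print(new_target["server-policy"])
```

Run the preview against a backup of the target before clicking Push config: the dialog says only that identically named policies and profiles will be overwritten, and this is how to find out which ones, and to confirm that a target-only object such as `legacy` survives untouched.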