Replicating the configuration without FortiWeb HA (external HA)

Configuration synchronization provides the ability to duplicate the configuration from another FortiWeb appliance without using FortiWeb high availability (HA). The synchronization is a unilateral push; it is not bilateral. It adds any missing items and overwrites any items that are identically named, but it does not delete unique items on the target FortiWeb, nor does it pull items from the target to the initiating FortiWeb.

Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA: 

In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do not need to use FortiWeb HA.

This is an example of a configuration synchronization network topology:

Configuration synchronization is not a complete replacement for HA. Synchronized FortiWeb appliances do not keep a heartbeat link (no failover will occur and availability will not be increased), nor do they load balance with each other. Additionally, configuration synchronization will not delete items on the target FortiWeb if the item’s name is different, and it will not import items that exist on the target but not on your local FortiWeb.

If you require such features, either use FortiWeb HA instead, or augment configuration synchronization with an external HA/load balancing device such as FortiADC.

Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.

You can configure which port number the appliance uses to synchronize its configuration. For details, see Config-Sync.

Synchronize each time you change the configuration and are ready to propagate the changes. Unlike FortiWeb HA, configuration synchronization is not automatic and continuous. Changes are pushed only when you manually initiate a synchronization.

To replicate the configuration from another FortiWeb

Back up your system before changing the operation mode (see Backups). Synchronizing the configuration overwrites the existing configuration, and cannot be undone without restoring the configuration from a backup.

1.  Go to System > Config > Config-Synchronization.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

2.  For Peer FortiWeb IP, enter the IP address of the target FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance.

3.  For Peer FortiWeb Port, enter the port number that the target FortiWeb appliance uses to listen for configuration synchronization. The default port is 995.

4.  For Peer FortiWeb 'admin' user password, enter the password of the administrator account named admin on the other FortiWeb appliance.

5.  For Synchronization Type, select one of the following options:

Full

For all compatible operation modes except WCCP, synchronizes all configuration except:

  • System > Config > SNMP
  • System > Maintenance > FTP backup
  • Network interface used for synchronization (prevents sync from accidentally breaking connectivity with future syncs)
  • Access profiles
  • HA settings

When the operation mode is WCCP, synchronizes all configuration except:

  • System > Network > Interface
  • System > Network > Static Route
  • System > Network > Policy Route
  • System > Config > WCCP Client
  • System > Config > SNMP
  • System > Maintenance > FTP backup
  • Access profiles
  • HA settings

Note: This option is not available if the FortiWeb appliance is operating in Reverse Proxy mode. For details, see Supported features in each operation mode.

Partial

Synchronizes all configurations except:

  • System
  • Policy > Server Policy
  • Server Objects > Server
  • Server Objects > Service

For a detailed list of settings that are excluded from a partial synchronization, including CLI-only settings, see the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target FortiWeb succeeds, this message should appear:

Service is available...

If the following message appears:

Service isn't available...

verify that:

6.  Optionally, enable Auto-Sync. This feature allows you to automatically synchronize the configurations hourly, daily, or weekly. Select one of the following:

Every—Use the hour and minute drop-down menus to select the interval at which the configurations are synchronized. For example, selecting 5 for hour and 0 for minute will synchronize the configurations every five hours.

Daily—Use the hour and minute drop-down menus to select the time (24-hour clock) at which the configurations are synchronized. For example, selecting 10 for hour and 30 for minute will synchronize the configurations every day at 10:30.

Weekly—Use the day, hour, and minute drop-down menus to select the day and time of day at which the configurations are synchronized. For example, selecting Sunday for day, 5 for hour, and 15 for minute will synchronize the configurations every Sunday at 5:15.

7.  Click Push config.

A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other FortiWeb, and asking if you want to continue.

8.  Click Yes.

The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and settings. Time required varies by the size of the configuration and the speed of the network connection. When complete, this message should appear:

Config. synchronized successfully.
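The push semantics described on this page (add missing items, overwrite identically named ones, never delete or pull target-only items, skip the Partial exclusions) can be modelled to preview a push and to spot target-only items that will linger after it. This is an added example, not FortiWeb code or a FortiWeb API: the function names, the `(menu path, item name)` keying, and the sample items and values are assumptions constructed for illustration.

```python
# Model of the one-way push described on this page (not FortiWeb code).
# Items are keyed by (menu path, item name); values stand in for settings.
PARTIAL_EXCLUDED = (  # menu paths this page lists as excluded from Partial
    "System",
    "Policy > Server Policy",
    "Server Objects > Server",
    "Server Objects > Service",
)

def in_scope(path, excluded):
    """An excluded menu path also excludes everything beneath it."""
    return not any(path == p or path.startswith(p + " > ") for p in excluded)

def preview_push(source, target, excluded=PARTIAL_EXCLUDED):
    """Classify what a push would do, without changing either side."""
    report = {"added": [], "overwritten": [], "unchanged": [], "skipped": []}
    for key, value in source.items():
        if not in_scope(key[0], excluded):
            report["skipped"].append(key)      # never sent to the target
        elif key not in target:
            report["added"].append(key)        # missing on target: created
        elif target[key] != value:
            report["overwritten"].append(key)  # same name: target copy replaced
        else:
            report["unchanged"].append(key)
    # Items that exist only on the target are neither deleted nor pulled back.
    report["target_only"] = sorted(k for k in target if k not in source)
    return report

def apply_push(source, target, excluded=PARTIAL_EXCLUDED):
    """Return the target's configuration as it would look after the push."""
    result = dict(target)
    result.update({k: v for k, v in source.items() if in_scope(k[0], excluded)})
    return result

# Constructed sample data: paths, names and values are illustrative only.
SOURCE = {
    ("Web Protection > Signatures", "sig-strict"): "block",
    ("Web Protection > URL Access", "admin-paths"): "deny /admin",
    ("Policy > Server Policy", "www"): "vip 10.0.0.10",
}
TARGET = {
    ("Web Protection > Signatures", "sig-strict"): "alert-only",
    ("Web Protection > Signatures", "sig-legacy"): "alert-only",
    ("Policy > Server Policy", "www"): "vip 10.0.1.10",
}

if __name__ == "__main__":
    for action, keys in preview_push(SOURCE, TARGET).items():
        print(action, keys)
```

The `target_only` list is the part to review by hand: those items survive every push, so a policy or profile retired on the initiating appliance stays active on the target until someone deletes it there.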
