Replicating the configuration without FortiWeb HA (external HA)
Configuration synchronization lets you duplicate the configuration of one FortiWeb appliance onto another without using FortiWeb high availability (HA). Synchronization is a unilateral push, not a bilateral synchronization. It adds any missing items and overwrites any items that are identically named, but it does not delete unique items on the target FortiWeb, nor does it pull items from the target to the initiating FortiWeb.
Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA:
External active-active HA (load balancing) could be provided by the firewall, the router, or an HTTP-aware load balancer such as FortiADC, since active-active HA is not provided by FortiWeb itself.
External active-passive HA (failover) could be provided by a specialized failover device, instead of the FortiWebs themselves, for network load distribution, latency, and performance optimization reasons. The failover device must monitor for live routes.
Multiple identical non-HA FortiWeb appliances in physically distant locations with the same network scheme might be required to have the same server policies (perhaps with a few additional, different ones), so management could be simplified by configuring one FortiWeb and then replicating its configuration to the others.
In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do not need to use FortiWeb HA.
Figure 22: Example network topology: Configuration synchronization with multiple identical FortiWeb appliances (non‑HA)
 
Configuration synchronization is not a complete replacement for HA. Synchronized FortiWeb appliances do not keep a heartbeat link (no failover will occur and availability will not be increased), nor do they balance load with each other. Additionally, configuration synchronization will not delete items on the target FortiWeb if the item’s name is different, and it will not import items that exist on the target but not on your local FortiWeb.
Configuration synchronization is not supported when administrative domains (ADOMs) are enabled.
If you require such features, either use FortiWeb HA instead, or augment configuration synchronization with an external HA/load balancing device such as FortiADC.
Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.
You can configure which port number the appliance uses to synchronize its configuration. See “Config-Sync”.
Synchronize each time you change the configuration and are ready to propagate the changes. Unlike FortiWeb HA, configuration synchronization is not automatic and continuous. Changes are pushed only when you manually initiate synchronization.
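Because the push adds missing items, overwrites identically named items, and never deletes the target's unique items, it helps to preview the result by comparing configuration backups from both appliances before you synchronize. The following Python is an added example, not Fortinet code: it assumes the backups use nested config/edit/next/end blocks, the sample section, item and setting names are constructed, and it lists under "overwritten" only identically named items whose content differs. It does not model the Full and Partial exclusion lists.

```python
def named_items(cfg_text):
    """Map (section, name) -> body; assumes config/edit/next/end backup syntax."""
    items, stack, body = {}, [], None
    for line in map(str.strip, cfg_text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "edit" and len(stack) == 1:       # a named item opens
            stack.append(rest.strip('"'))
            body = []
        elif word == "next" and len(stack) == 2:     # the named item closes
            items[(stack[0], stack.pop())] = tuple(body)
            body = None
        else:
            if word in ("config", "edit"):
                stack.append(rest)                   # section or nested block
            elif word in ("next", "end") and stack:
                stack.pop()
            if body is not None and line:
                body.append(line)                    # settings inside the item
    return items

def push_plan(source_cfg, target_cfg):
    src, dst = named_items(source_cfg), named_items(target_cfg)
    return {"added": sorted(src.keys() - dst.keys()),
            "overwritten": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
            "left_on_target": sorted(dst.keys() - src.keys())}  # push never deletes

SOURCE_CFG = """
config waf url-access rule
  edit "block-admin"
    set action alert_deny
    config match-condition
      edit 1
      next
    end
  next
  edit "allow-health"
    set action pass
  next
end
"""  # constructed sample; section, item and setting names are illustrative
TARGET_CFG = """
config waf url-access rule
  edit "block-admin"
    set action pass
  next
  edit "legacy-allow-all"
    set action pass
  next
end
"""  # constructed sample
```

Calling `push_plan(SOURCE_CFG, TARGET_CFG)` on the constructed samples reports `legacy-allow-all` under `left_on_target`: that rule stays on the target after the push and has to be reviewed and removed there by hand.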
To replicate the configuration from another FortiWeb
 
Back up your system before changing the operation mode (see “Backups”). Synchronizing the configuration overwrites the existing configuration, and cannot be undone without restoring the configuration from a backup.
1. Go to System > Config > Config-Synchronization.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “Permissions”. This feature is not available if ADOMs are enabled.
2. In Peer FortiWeb IP, type the IP address of the target FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance.
3. In Peer FortiWeb Port, type the port number that the target FortiWeb appliance uses to listen for configuration synchronization. The default port is 8333.
4. In Peer FortiWeb Password, type the password of the administrator account named admin on the other FortiWeb appliance.
5. In Synchronization Type, select either:
Full — Syncs all configuration except:
Network interface used for synchronization (prevents sync from accidentally breaking connectivity with future syncs)
Administrator accounts
Access profiles
HA settings
 
This option is not available if the FortiWeb appliance is operating in reverse proxy mode. See also “Supported features in each operation mode”.
Partial — Syncs all configuration except:
System
Router > Static > Static Route
Router > Static > Setting
Server Objects > Virtual Server
Server Objects > Server Pool
Server Objects > Health Check
Server Objects > Persistence
Server Objects > HTTP Content Routing
Server Objects > Service
Server Objects > Error Page
Policy > Server Policy > Server Policy
To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target FortiWeb succeeds, this message should appear:
Service is available...
If the following message appears:
Service isn't available...
verify that:
the other FortiWeb is the same model
the other FortiWeb is configured to listen on your indicated configuration sync port number (see “Config-Sync”)
the other FortiWeb’s admin account password matches
firewalls and routers between the two FortiWebs allow the connection
6. Click Synchronize.
A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other FortiWeb, and asking if you want to continue.
7. Click Yes.
The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and settings. Time required varies by the size of the configuration and the speed of the network connection. When complete, this message should appear:
Config. synchronized successfully.
See also
Topologies for high availability (HA) clustering
Configuring a high availability (HA) FortiWeb cluster