Topologies for high availability (HA) clustering
Valid HA topologies vary depending on whether you use:
• FortiWeb HA
• an external HA/load balancer
Figure 17 shows another network topology for reverse proxy mode, except that the single FortiWeb appliance has been replaced with two of them operating together as an active-passive high availability (HA) pair. If the active appliance fails, the standby appliance assumes the IP addresses and load of the failed appliance.
To carry heartbeat and synchronization traffic between the HA pair, the heartbeat interface on both HA appliances must be connected through crossover cables or through switches.
If FortiWeb will not be operating in reverse proxy mode (such as for either true transparent proxy mode or transparent inspection mode), typically you would not use FortiWeb HA, because doing so could require changes to your network scheme, which defeats one of the key benefits of the transparent modes: they require no IP changes. Instead, most customers use an existing external load balancer/HA solution in conjunction with FortiWeb configuration synchronization to preserve an existing active-active or active-passive topology, as shown in Figure 18.
Unlike with FortiWeb HA, with external HA, that HA device must itself detect when a FortiWeb has failed in order to redirect the traffic stream. (FortiWeb has no way of actively notifying the external HA device.) To monitor the live paths through your FortiWebs, you could configure your HA device to poll either:
• a back-end web server, or
• an IP on each FortiWeb bridge (V-zone)
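The polling logic an external HA device applies to each FortiWeb path can be sketched as follows. This is an added example, not Fortinet code or the configuration of any particular load balancer. The TCP-connect probe, the fall/rise thresholds, the path names and the 192.0.2.x addresses are all assumptions chosen for illustration.

```python
import socket
from dataclasses import dataclass

def tcp_probe(host, port, timeout=2.0):
    """Assumed probe type: True if a TCP connection succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

@dataclass
class PathMonitor:
    """Tracks one path (one FortiWeb) using consecutive-result thresholds."""
    name: str
    target: tuple      # (host, port): a back-end server via this path, or a V-zone IP
    fall: int = 3      # consecutive failed polls before the path is marked down
    rise: int = 2      # consecutive good polls before the path is marked up again
    up: bool = True
    _streak: int = 0

    def record(self, ok):
        """Feed one poll result; return True if the path state changed."""
        if ok == self.up:
            self._streak = 0          # result agrees with current state
            return False
        self._streak += 1
        if self._streak >= (self.rise if ok else self.fall):
            self.up, self._streak = ok, 0
            return True
        return False

def live_paths(monitors, probe=tcp_probe):
    """Poll every path once; return the names traffic may still be sent through."""
    for m in monitors:
        if m.record(probe(*m.target)):
            print(f"{m.name}: now {'UP' if m.up else 'DOWN'}")
    return [m.name for m in monitors if m.up]

def simulate(results_by_host, monitors):
    """Replay constructed poll results (no network); return live paths per round."""
    rounds = len(next(iter(results_by_host.values())))
    return [live_paths(monitors, lambda h, p, i=i: results_by_host[h][i])
            for i in range(rounds)]

if __name__ == "__main__":
    # Constructed sample: path A fails for three polls, then recovers.
    paths = [PathMonitor("fortiweb-a", ("192.0.2.11", 80)),
             PathMonitor("fortiweb-b", ("192.0.2.12", 80))]
    polls = {"192.0.2.11": [True, False, False, False, True, True],
             "192.0.2.12": [True] * 6}
    print(simulate(polls, paths))
```

Because detection is purely poll-based, the time to redirect traffic after a FortiWeb fails is roughly the poll interval multiplied by the fall threshold.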