HA heartbeat & synchronization
You can group multiple FortiWeb appliances together as a high availability (HA) cluster (see “Configuring a high availability (HA) FortiWeb cluster”). The heartbeat traffic indicates to other appliances in the HA cluster that the appliance is up and “alive.” Synchronization ensures that all appliances in the cluster remain ready to process traffic, even if you only change one of the appliances.
Heartbeat and synchronization traffic between cluster appliances occurs over the physical network ports selected in Heartbeat Interface. HA traffic uses multicast UDP on port numbers 6065 (heartbeat) and 6066 (synchronization). The HA multicast IP addresses are 239.0.0.1 (heartbeat) and 239.0.0.2 (synchronization); they are hard-coded, and cannot be configured.
 
If switches are used to connect heartbeat interfaces between an HA pair, the heartbeat interfaces must be reachable by Layer 2 multicast.
Failover is triggered when an interruption to either the heartbeat or a port-monitored network interface lasts longer than your configured limit (Detection Interval x Heartbeat Lost Threshold). When the active (“main”) appliance becomes unresponsive, the standby appliance:
1. Notifies the network via ARP that the network interface IP addresses (including the IP address of the bridge, if any) are now associated with its virtual MAC addresses
2. Assumes the role of the active appliance and scans network traffic
To keep the standby appliance ready in case of a failover, HA pairs also use the heartbeat link to automatically synchronize most of their configuration. Synchronization includes:
core CLI-style configuration file (fwb_system.conf)
X.509 certificates, certificate request files (CSR), and private keys
HTTP error pages
FortiGuard IRIS Service database
FortiGuard Security Service files (attack signatures, predefined data types & suspicious URLs, known web crawlers & content scrapers, global white list, vulnerability scan signatures)
FortiGuard Antivirus signatures
Geography-to-IP database
Synchronization occurs immediately when an appliance joins the cluster, and thereafter every 30 seconds.
Although they are not automatically synchronized for performance reasons due to large size and frequent updates, you can manually force HA to synchronize. For instructions, see execute ha synchronize in the FortiWeb CLI Reference. For a list of settings and data that are not synchronized, see “Data that is not synchronized by HA” and “Configuration settings that are not synchronized by HA”.
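The following is an added example, not part of the FortiWeb documentation or Fortinet code. It audits flow records against the hard-coded groups and ports above, flagging HA traffic seen outside the heartbeat segment or from a non-member source (synchronization carries private keys) and heartbeat gaps longer than Detection Interval x Heartbeat Lost Threshold. The record format, peer addresses, segment name and timer values in seconds are assumptions.

```python
# Values from the page: hard-coded HA multicast groups and UDP ports.
HA_FLOWS = {("239.0.0.1", 6065): "heartbeat", ("239.0.0.2", 6066): "sync"}

# Assumptions for this example (not from the page): peer addresses, the
# heartbeat segment name, timer values in seconds, and the record format.
CLUSTER_PEERS = {"10.0.0.1", "10.0.0.2"}
HEARTBEAT_SEGMENT = "vlan-ha"
DETECTION_INTERVAL = 0.3
HEARTBEAT_LOST_THRESHOLD = 3

# Constructed sample: "epoch_seconds segment src_ip dst_ip udp_dport"
SAMPLE = """\
100.0 vlan-ha 10.0.0.1 239.0.0.1 6065
100.3 vlan-ha 10.0.0.1 239.0.0.1 6065
100.4 vlan-ha 10.0.0.1 239.0.0.2 6066
100.6 vlan-dmz 10.0.0.1 239.0.0.1 6065
100.7 vlan-ha 10.0.0.99 239.0.0.2 6066
102.0 vlan-ha 10.0.0.1 239.0.0.1 6065
"""

def audit(text, peers=CLUSTER_PEERS, segment=HEARTBEAT_SEGMENT,
          limit=DETECTION_INTERVAL * HEARTBEAT_LOST_THRESHOLD):
    """Return (timestamp, finding, source, kind) tuples for HA flow records."""
    findings, last_beat = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, seg, src, dst, dport = line.split()
        kind = HA_FLOWS.get((dst, int(dport)))
        if kind is None:
            continue  # not HA heartbeat or synchronization traffic
        ts = float(ts)
        if seg != segment:
            findings.append((ts, "ha-traffic-off-heartbeat-segment", src, kind))
        elif src not in peers:
            findings.append((ts, "ha-traffic-from-unknown-source", src, kind))
        elif kind == "heartbeat":
            prev = last_beat.get(src)
            if prev is not None and ts - prev > limit:
                findings.append((ts, "heartbeat-gap-exceeds-failover-limit", src, kind))
            last_beat[src] = ts  # only trusted heartbeats reset the timer
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```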
 
If you do not want to configure HA (perhaps you have a separate network appliance implementing HA externally), you can still replicate the FortiWeb’s configuration on another FortiWeb appliance. For more information, see “Replicating the configuration without FortiWeb HA (external HA)”.
See also
Configuring a high availability (HA) FortiWeb cluster
Replicating the configuration without FortiWeb HA (external HA)