
Deploy HA-AP mode

Doc ID 9d9a7f8b-8422-11ea-9384-00505692583a:76366

1) Enable the management-interface

Enable the management interface before you deploy HA-AP mode. Once the HA-AP pair is formed, only the master handles traffic, so you can no longer reach the slave through its data interfaces, which is inconvenient in most cases. The management interface is a virtual interface bound to a physical port; it stays reachable on each node in every HA mode, including standalone. Perform the following steps on every HA node.

Steps
  1. Open a console session to the FortiADC and run the following steps from the console. The management interface is a virtual interface inside the system and uses the same routing mechanism as the other interfaces, so no two interfaces may have overlapping subnets. The usual approach is to clear the original IP address of the physical port, which drops network connectivity on that port; this is why a console session is required first.
  2. Clear the IP address of the physical port that will carry the management interface:

    FAD2 # config system interface
    FAD2 (interface) # edit port1
    FAD2 (port1) # unset ip
    FAD2 (port1) # end

  3. Configure the management interface:

    FAD2 # config system ha
    FAD2 (ha) # set mgmt-status enable
    FAD2 (ha) # set mgmt-interface port1
    FAD2 (ha) # set mgmt-ip 10.106.188.42/23
    FAD2 (ha) # set mgmt-ip-allowaccess http https ping snmp ssh telnet
    FAD2 (ha) # end

    Limit mgmt-ip-allowaccess to the protocols you actually need: http and telnet carry administrator credentials in cleartext on the management network, so prefer https and ssh and leave the cleartext protocols out unless there is a specific reason to enable them.

  4. Configure the default route accordingly (the gateway must be inside the management subnet, here 10.106.188.0/23):

    FAD2 # config router static
    FAD2 (static) # edit 1
    FAD2 (1) # set gateway 10.106.189.254
    FAD2 (1) # end

Note: On virtualization platforms such as VMware ESXi, KVM and Hyper-V, the virtual NIC to which you bind the management interface must have promiscuous mode enabled. The setting has different names on different platforms; on Hyper-V, for example, it is called “MAC address spoofing”.

2) Configure the HA-AP mode on both sides

Once the management interface is in place, the remaining steps can be performed in the Web UI.

Steps
  1. Plan the HA roles for the devices.
  2. There are two roles to plan: the traffic role and the config role. Technically, the traffic-master and the config-master can be different devices. Only the traffic-master handles traffic, and a full configuration sync can only flow from the config-master to the other nodes (an incremental configuration sync can originate from any node).

    Typically, the traffic-master and the config-master are the same device. The example below configures both roles on the same device with override enabled.

    Conditions for a successful negotiation:

  • All HA devices use the same heartbeat ports and data ports.
  • All HA devices have the same group-id.

How the traffic-master is elected in HA-AP mode:

Override enabled:

Disk state > monitor interface > priority > uptime > SN

Override disabled:

Disk state > monitor interface > uptime > priority > SN

  • Disk state is the hard-disk health: a device without a disk error wins. If every device has a disk error, the next condition is compared.
  • Monitor interface is the number of monitored interfaces that are up: the device with more up interfaces wins. If all devices have the same number of up interfaces, the next condition is compared.
  • Priority is the value set in the HA configuration: the device with the lower value wins. If all devices have the same value, the next condition is compared.
  • Uptime is the device uptime: the device with the longer uptime wins. If all devices have the same uptime, the next condition is compared.
  • SN is the serial number: the device with the higher serial number becomes the master.

Because uptime is compared before priority when override is disabled, a former master that reboots does not take the traffic role back from the running peer; with override enabled, the device with the lower priority value preempts as soon as its disk and monitored interfaces are healthy.

How the config-master is elected (the same in all three HA modes):

config-priority > SN

  • Config-priority is the value set in the HA configuration: the device with the lower config-priority value becomes the config-master.
  • SN is the serial number: if the config-priority values are equal, the device with the higher serial number becomes the config-master.

Here we set up two HA devices in HA-AP mode, with FAD1 as the master and FAD2 as the slave. The configuration of each device follows.

FAD1:

    config system ha
    set mode active-passive
    set hbdev port6 port7
    set group-id 14
    set group-name group1
    set priority 1
    set config-priority 10
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set monitor port2 port3 port4 port5
    end

FAD2:

    config system ha
    set mode active-passive
    set hbdev port6 port7
    set group-id 14
    set group-name group1
    set priority 9
    set config-priority 100
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set monitor port2 port3 port4 port5
    end

Preconditions for the HA negotiation:

  • The hostnames of the HA nodes must NOT be the same.
  • The group-id of the HA nodes must be the same.
  • The heartbeat interfaces must be connected directly or be in the same VLAN.
  • On some virtualization platforms, such as Hyper-V, “MAC address spoofing” must be enabled on the heartbeat interface.

Configure the basic HA options. The following example shows the FAD1 configuration; FAD2 is similar.

    Navigate to the “System->High Availability” page.

    Configure the required options.

    Configure the synchronization options.

    Configure the advanced options.
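The election order and the negotiation preconditions described above, modelled as an added example. This is Python written for this page, not FortiADC code, and FortiADC exposes no such API. It parses the FAD1 and FAD2 `config system ha` blocks from the page, rejects a pair that violates the preconditions (distinct hostnames; identical mode, group-id, hbdev and monitor ports), and then elects the traffic-master and config-master under both override settings. The helper names, serial numbers, uptimes and up-interface counts are constructed for the example, and serial numbers are assumed to compare as plain strings.

```python
"""Model of the FortiADC HA-AP negotiation rules on this page (added example,
not FortiADC code). Serial numbers, uptimes and port states are constructed;
serial numbers are assumed to compare as plain strings."""
import re

# Constructed input: the FAD1 block from this page; FAD2 differs only in
# priority (9) and config-priority (100), exactly as on the page.
FAD1_HA = """\
config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 1
set config-priority 10
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end
"""
FAD2_HA = (FAD1_HA.replace("set priority 1\n", "set priority 9\n")
                  .replace("set config-priority 10\n", "set config-priority 100\n"))

def parse_ha_config(text):
    """Turn a `config system ha ... end` block into {option: [values]}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
    return cfg

def make_node(hostname, sn, ha_text, monitor_up, uptime, disk_error=False):
    """Bundle a node's parsed config with the runtime state the election compares."""
    return {"hostname": hostname, "sn": sn, "cfg": parse_ha_config(ha_text),
            "monitor_up": monitor_up, "uptime": uptime, "disk_error": disk_error}

def check_preconditions(nodes):
    """Violated preconditions (empty list means negotiation can start): distinct
    hostnames; identical mode, group-id, heartbeat ports (hbdev) and data ports."""
    problems = []
    names = [n["hostname"] for n in nodes]
    if len(set(names)) != len(names):
        problems.append("hostname must differ between HA nodes")
    for key in ("mode", "group-id", "hbdev", "monitor"):
        if len({tuple(n["cfg"].get(key, [])) for n in nodes}) != 1:
            problems.append(f"'{key}' must be identical on all HA nodes")
    return problems

def elect_traffic_master(nodes):
    """Override enabled : disk state > monitor interface > priority > uptime > SN
    Override disabled: disk state > monitor interface > uptime > priority > SN
    Assumption: override counts as enabled only when every node enables it."""
    override = all(n["cfg"].get("override") == ["enable"] for n in nodes)

    def rank(n):
        disk = 0 if n["disk_error"] else 1          # no disk error wins
        prio = -int(n["cfg"]["priority"][0])        # lower priority value wins
        tail = (prio, n["uptime"]) if override else (n["uptime"], prio)
        return (disk, n["monitor_up"]) + tail + (n["sn"],)   # higher SN wins
    return max(nodes, key=rank)["hostname"]

def elect_config_master(nodes):
    """config-priority > SN: lower config-priority wins, then the higher serial."""
    return max(nodes, key=lambda n: (-int(n["cfg"]["config-priority"][0]), n["sn"]))["hostname"]

def negotiate(nodes):
    """Check preconditions first; elect both roles only when they all hold."""
    problems = check_preconditions(nodes)
    if problems:
        return {"problems": problems, "traffic_master": None, "config_master": None}
    return {"problems": [], "traffic_master": elect_traffic_master(nodes),
            "config_master": elect_config_master(nodes)}

def build_pair(fad1_monitor_up=4, fad1_uptime=86400, override="enable", fad2_group_id="14"):
    """Construct the FAD1/FAD2 pair for one scenario (all runtime values made up)."""
    f1 = FAD1_HA.replace("set override enable", f"set override {override}")
    f2 = (FAD2_HA.replace("set override enable", f"set override {override}")
                 .replace("set group-id 14", f"set group-id {fad2_group_id}"))
    return [make_node("FAD1", "FADVSN0000000001", f1, fad1_monitor_up, fad1_uptime),
            make_node("FAD2", "FADVSN0000000002", f2, 4, 86400)]

if __name__ == "__main__":
    print("healthy pair:              ", negotiate(build_pair()))
    print("FAD1 lost port2:           ", negotiate(build_pair(fad1_monitor_up=3)))
    print("FAD1 rebooted, override on:", negotiate(build_pair(fad1_uptime=60)))
    print("FAD1 rebooted, override off:", negotiate(build_pair(fad1_uptime=60, override="disable")))
    print("group-id mismatch:         ", negotiate(build_pair(fad2_group_id="15")))
```

Running it shows FAD1 winning on priority in the healthy case, FAD2 taking over when FAD1 loses one monitored port (monitor interface ranks above priority), FAD1 preempting after a reboot only while override is enabled, and negotiation refusing to start on a group-id mismatch. The config-master stays FAD1 throughout, because that role depends only on config-priority and serial number.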
