
Administration Guide

High Availability

A FortiAnalyzer high availability (HA) cluster provides the following features:

  • Provide real-time redundancy in case a FortiAnalyzer primary unit fails. If the primary unit fails, another unit in the cluster is selected as the primary unit. See "If the primary unit fails".
  • Synchronize logs and data securely among multiple FortiAnalyzer units. System and configuration settings applicable to HA are also synchronized.
  • Alleviate the load on the primary unit by using backup units for processes such as running reports.

FortiManager high availability (HA) provides a solution for a key requirement of critical enterprise management and networking components: enhanced reliability. Understanding what’s required for FortiManager reliability begins with understanding what normal FortiManager operations are and how to make sure normal operations continue if a FortiManager unit fails.

Most of the FortiManager operations involve storing FortiManager and FortiGate configuration and related information in the FortiManager database on the FortiManager unit hard disk. A key way to enhance reliability of FortiManager is to protect the data in the FortiManager database from being lost if the FortiManager unit fails. This can be achieved by dynamically backing up FortiManager database changes to one or more backup FortiManager units. Then, if the operating FortiManager unit fails, a backup FortiManager unit can take the place of the failed unit.

A FortiAnalyzer HA cluster can have a maximum of five units: one primary unit with up to four backup or secondary units. All units in the cluster must be of the same FortiAnalyzer series. All units are visible on the network.

The primary unit and the backup units can be in the same location or different locations. FortiManager HA supports geographic redundancy so the primary unit and backup units can be in different locations attached to different networks as long as communication is possible between them (for example, on the Internet, on a WAN, or in a private network).

All units must run in the same operation mode: Analyzer or Collector. HA is not supported when FortiManager features are enabled.

Due to technical limitations, the current FortiAnalyzer HA implementation is not supported by some public cloud infrastructures, such as AWS (Amazon Web Services), Microsoft Azure, and Google Cloud Platform. FortiAnalyzer HA functions only in setups where VRRP is permitted.

Administrators connect to the primary unit GUI or CLI to perform FortiManager operations. Managed devices connect with the primary unit for normal management operations (configuration push, auto-update, firmware upgrade, and so on). If FortiManager is used to distribute FortiGuard updates to managed devices, managed devices can connect to the primary FortiManager unit or one of the backup units.

If the primary FortiManager unit fails, you must manually configure one of the backup units to become the primary unit. The new primary unit will have the same IP addresses as it did when it was the backup unit.

You don't need to reboot the FortiManager device when it is promoted from a backup to the primary unit.

When devices with different licenses are used to create an HA cluster, the license that allows for the smallest number of managed devices is used.
