Administration Guide

Configuring HA options

To configure HA options, go to System Settings > HA and configure FortiAnalyzer units to create an HA cluster or change the cluster configuration.

In System Settings > HA, use the Cluster Settings pane to create or change HA configuration, and use the Cluster Status pane to monitor HA status.

To configure a cluster, set the Operation Mode of the primary unit to High Availability. Then add the IP address and serial number of each backup unit to the primary unit's peer list. The IP address and serial number of the primary unit and all backup units must be added to each backup unit's HA configuration. The primary unit and all backup units must have the same Group Name, Group ID and Password.
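The cluster rules above can be checked before any unit is switched to High Availability. The following is an added example, not Fortinet code: the HaUnit field names are hypothetical (they are not FortiAnalyzer CLI keys), the sample addresses and serial numbers are constructed, and it assumes a unit does not list itself as a peer.

```python
from dataclasses import dataclass, field

@dataclass
class HaUnit:
    # Hypothetical field names for this example, not FortiAnalyzer CLI keys.
    ip: str
    serial: str
    role: str                 # "primary" or "backup"
    group_name: str
    group_id: int
    password: str
    peers: dict = field(default_factory=dict)   # peer IP -> peer serial number

def check_cluster(units):
    """Return findings; an empty list means the cluster rules hold."""
    primaries = [u for u in units if u.role == "primary"]
    if len(primaries) != 1:
        return [f"expected exactly one primary unit, found {len(primaries)}"]
    primary, findings = primaries[0], []
    for u in units:
        if not 1 <= u.group_id <= 255:
            findings.append(f"{u.serial}: Group ID {u.group_id} is outside 1-255")
        # Compare against the primary; the password value is never echoed.
        for label, attr in (("Group Name", "group_name"), ("Group ID", "group_id"),
                            ("Password", "password")):
            if getattr(u, attr) != getattr(primary, attr):
                findings.append(f"{u.serial}: {label} differs from primary")
        # The primary lists every backup; each backup lists the primary and
        # the other backups (assumption: a unit does not list itself).
        for other in units:
            if other is not u and u.peers.get(other.ip) != other.serial:
                findings.append(f"{u.serial}: peer list lacks {other.ip}/{other.serial}")
    return findings

def sample_cluster():
    """Constructed sample: documentation-range IPs and made-up serial numbers."""
    a = HaUnit("192.0.2.10", "FAZ-SAMPLE-A", "primary", "faz-ha", 7, "s3cret",
               {"192.0.2.11": "FAZ-SAMPLE-B", "192.0.2.12": "FAZ-SAMPLE-C"})
    b = HaUnit("192.0.2.11", "FAZ-SAMPLE-B", "backup", "faz-ha", 7, "s3cret",
               {"192.0.2.10": "FAZ-SAMPLE-A", "192.0.2.12": "FAZ-SAMPLE-C"})
    # Unit C was given the wrong Group ID and its peer list omits unit B.
    c = HaUnit("192.0.2.12", "FAZ-SAMPLE-C", "backup", "faz-ha", 8, "s3cret",
               {"192.0.2.10": "FAZ-SAMPLE-A"})
    return [a, b, c]

if __name__ == "__main__":
    for finding in check_cluster(sample_cluster()):
        print(finding)
```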

You can connect to the primary unit GUI to work with FortiAnalyzer. Using configuration synchronization, you can configure and work with the cluster in the same way as you work with a standalone FortiAnalyzer unit.

Configure the following settings:

Cluster Status

Operation Mode

Select High Availability to configure the FortiAnalyzer unit for HA.

Select Standalone to stop operating in HA mode.

Preferred Role

Select the preferred role when this unit first joins the HA cluster.

If the preferred role is Master, then this unit becomes the primary unit if it is configured first in a new HA cluster. If there is an existing primary unit, then this unit becomes a backup unit.

The default is Slave so that the unit can synchronize with the primary unit. A backup unit cannot become a primary unit until it is synchronized with the current primary unit.

Cluster Virtual IP

Interface

The interface the FortiAnalyzer HA unit uses to provide redundancy.

IP Address

The IP address for which the FortiAnalyzer HA unit is to provide redundancy.

Cluster Settings

Peer IP

Type the IP address of another FortiAnalyzer unit in the cluster.

Peer SN

Type the serial number of the FortiAnalyzer unit corresponding to the entered IP address.

Group Name

Type a group name that uniquely identifies the FortiAnalyzer HA cluster. All units in a cluster must have the same Group Name, Group ID and Password.

Group ID

Type a group ID from 1 to 255 that uniquely identifies the FortiAnalyzer HA cluster.

Password

A password for the HA cluster. All members of the HA cluster must have the same password.

Heart Beat Interval

The time the primary unit waits between sending heartbeat packets, in seconds. The heartbeat interval is also the amount of time that backup units wait before expecting to receive a heartbeat packet from the primary unit.

By default, the Heart Beat Interval is set to 1.

Failover Threshold

The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed. The default failover threshold is 3.

In most cases you do not have to change the heartbeat interval or failover threshold. The default settings mean that if a unit fails, the failure is detected after 3 x 1 seconds, giving a failure detection time of 3 seconds.

If the failure detection time is too short, the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.

If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.

Note

In FortiAnalyzer 6.2.8, the failover threshold setting cannot be configured in the GUI or CLI.

Priority

The priority or seniority of the backup unit in the cluster.

Log Data Sync

This option is on by default. It provides real-time log synchronization among cluster members.
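The trade-off described under Heart Beat Interval and Failover Threshold can be seen by replaying a heartbeat trace against different thresholds. The following is an added example, not Fortinet code: it is a simplified model in which a backup unit declares failure once the silence exceeds interval x threshold, and the trace (a primary that is busy for 2.5 seconds and later stops) is constructed.

```python
def first_failover(arrivals, heartbeat_interval, failover_threshold, observe_until):
    """Time at which the backup declares the primary failed, or None.

    arrivals: sorted times (seconds) at which heartbeats reached the backup.
    """
    window = heartbeat_interval * failover_threshold   # failure detection time
    last_seen = 0.0                                     # heartbeat assumed at t=0
    for t in list(arrivals) + [observe_until]:
        if t - last_seen > window:
            return last_seen + window
        last_seen = t
    return None

def evaluate(arrivals, primary_died_at, observe_until, settings):
    """Classify each (interval, threshold) pair against the same trace."""
    results = {}
    for interval, threshold in settings:
        t = first_failover(arrivals, interval, threshold, observe_until)
        if t is None:
            verdict = "no failover observed"
        elif t < primary_died_at:
            verdict = "false failover"          # primary was only busy
        else:
            verdict = f"detected {t - primary_died_at:.1f}s after failure"
        results[(interval, threshold)] = (t, verdict)
    return results

# Constructed trace: heartbeats every 1 s, one 2.5 s gap while the primary is
# busy (3.0 -> 5.5), then the primary stops after its heartbeat at 7.5 s.
ARRIVALS = [1.0, 2.0, 3.0, 5.5, 6.5, 7.5]
PRIMARY_DIED_AT = 7.5
# The interval stays at 1 s to match the trace; only the threshold varies.
SETTINGS = [(1, 2), (1, 3), (1, 10)]

def run_sample():
    return evaluate(ARRIVALS, PRIMARY_DIED_AT, 20.0, SETTINGS)

if __name__ == "__main__":
    for (interval, threshold), (t, verdict) in run_sample().items():
        print(f"interval={interval}s threshold={threshold}: t={t} {verdict}")
```

A threshold of 2 fails over during the busy period, the default of 3 rides it out, and a threshold of 10 delays detection of the real failure.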
