Administration Guide

Configuring an HA group

Before configuring an HA group, we recommend performing a factory reset or restoring the database on both FortiNDR primary and secondary units.

Note

If your FortiNDR unit is running, you can join a secondary unit to form the HA. However, you should allow more time to synchronize larger databases.

To configure an HA group:
  1. Make all the necessary connections and configure the network settings. Individual interface settings for both units can be configured from the Network page or with the CLI.

    The following image shows an example network settings configuration:

  2. Load the latest ANN database on both FortiNDR units. The ANN database can be updated from FDS (see Updating the ANN database from FDS for malware detection) or with the CLI (see Loading the ANN database to FortiNDR for malware detection).
    Note
    • The ANN database is not synchronized.

    • The ANN scheduled update settings are not synchronized. You will need to configure both units to ensure the latest ANN is used after failover.

  3. On the primary unit, use the CLI to configure the HA for the network topology (see the example above):
    config system ha
        set mode primary
        set password xxx
        config interface
            edit port1
                set virtual-ip 192.168.1.80/24
                set action-on-primary use-vip
                set port-monitor enable
            end
            edit port3
                set heartbeat-status primary
                set peer-ip 192.168.3.101      << IP of secondary unit’s port3 interface
            end
            edit port4
                set heartbeat-status secondary
                set peer-ip 192.168.4.111      << IP of secondary unit’s port4 interface
            end
        end
    end

    CLI option          Description

    mode                Enables or disables HA and selects the initially configured role:
                        • Off: disable HA.
                        • Primary: configured as the primary unit.
                        • Secondary: configured as the secondary unit.

    password            Enter an HA password for the HA group. You must configure the same
                        password value on both the primary and secondary units.

    heartbeat-status    Specify whether this interface is used for HA heartbeat and synchronization:
                        • Disable: the interface is not used for HA heartbeat and synchronization.
                        • Primary: we recommend using port3 as the primary HA interface.
                        • Secondary: we recommend having a secondary HA interface to improve
                          availability; use port4 as the secondary HA interface.

    peer-ip             When configuring the primary HA interface:
                        • On the primary unit, enter the IP address of the secondary unit’s primary HA interface.
                        • On the secondary unit, enter the IP address of the primary unit’s primary HA interface.
                        The same rule applies when configuring the secondary HA interface.

    virtual-ip          Enter the virtual IP address and netmask for this interface. If configured, this
                        virtual IP can serve as the external IP of the HA group. When failover occurs, this
                        setting takes effect on the new primary unit. For details, see Using Virtual IP.

    action-on-primary   ignore-vip [Default]: ignore the virtual IP interface configuration on the new
                        primary unit after failover.
                        use-vip: add the specified virtual IP address and netmask to the interface on the
                        new primary unit after failover.

    port-monitor        Enable to monitor a network interface for failure on the primary unit. If an
                        interface failure is detected, the primary unit triggers a failover. This does not
                        apply to heartbeat interfaces.

  4. On the secondary unit, configure the HA using the same CLI configuration, except for the HA mode and the peer-ip settings of the HA interfaces.
    config system ha
        set mode secondary
        set password xxx                   << password must be the same as on the primary unit
        config interface
            edit port1                     << HA configuration for port1 must be the same as on the primary unit
                set virtual-ip 192.168.1.80/24
                set action-on-primary use-vip
                set port-monitor enable
            end
            edit port3
                set heartbeat-status primary
                set peer-ip 192.168.3.100      << IP of primary unit’s port3 interface
            end
            edit port4
                set heartbeat-status secondary
                set peer-ip 192.168.4.110      << IP of primary unit’s port4 interface
            end
        end
    end
  5. Check the HA status of both units.
    • Ensure the HA effective mode on both units has been updated successfully.

    • Check the HA status details. See Check HA status.

    • Ensure no errors appear in the HA event log. See HA Logs.
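As an added example (not Fortinet's code or device output), the following Python checker parses two config system ha blocks in the layout shown in steps 3 and 4 and reports what step 4 rules out: a password that differs or is still the xxx placeholder, per-interface settings that differ between the units, and heartbeat peer-ip values that are missing or identical on both sides. The sample() configs are constructed for this example and cover port1 and port3 only; port4 follows the same rule.

```python
def parse_ha(text):
    """Parse a 'config system ha' block into a dict; trailing '<<' annotations are stripped."""
    cfg, cur = {"interface": {}}, None
    for raw in text.splitlines():
        tok = raw.split("<<", 1)[0].split() or [""]   # [""] makes blank lines match nothing below
        if tok[0] == "edit":              # start of an interface entry
            cur = cfg["interface"].setdefault(tok[1], {})
        elif tok[0] in ("next", "end"):   # entry closed (the guide closes entries with 'end')
            cur = None
        elif tok[0] == "set":
            (cfg if cur is None else cur)[tok[1]] = " ".join(tok[2:])
    return cfg

def check_pair(primary_cfg, secondary_cfg):
    """Return the rule violations found; an empty list means the pair follows the guide."""
    p, s = parse_ha(primary_cfg), parse_ha(secondary_cfg)
    problems = []
    if (p.get("mode"), s.get("mode")) != ("primary", "secondary"):
        problems.append("mode must be 'primary' on one unit and 'secondary' on the other")
    if p.get("password") != s.get("password") or p.get("password") in (None, "xxx"):
        problems.append("HA password must be identical on both units and not the 'xxx' placeholder")
    for port in sorted(p["interface"].keys() | s["interface"].keys()):
        pi, si = p["interface"].get(port, {}), s["interface"].get(port, {})
        diffs = [k for k in pi.keys() | si.keys() if k != "peer-ip" and pi.get(k) != si.get(k)]
        if diffs:  # step 4: per-interface settings must match on both units except peer-ip
            problems.append(f"{port}: settings differ: {', '.join(sorted(diffs))}")
        if pi.get("heartbeat-status", "disable") != "disable":  # heartbeat links need cross peer-ips
            if not (pi.get("peer-ip") and si.get("peer-ip")):
                problems.append(f"{port}: heartbeat interface needs peer-ip on both units")
            elif pi["peer-ip"] == si["peer-ip"]:
                problems.append(f"{port}: peer-ip must be the other unit's address, not the same value")
    return problems

def sample(mode, peer_ip, password="ha-example-pw"):
    """Constructed config in the guide's layout (sample values, not real device output)."""
    return f"""config system ha
    set mode {mode}
    set password {password}
    config interface
        edit port1
            set virtual-ip 192.168.1.80/24
            set action-on-primary use-vip
            set port-monitor enable
        end
        edit port3
            set heartbeat-status primary
            set peer-ip {peer_ip}          << IP of the other unit's port3
        end
    end
end"""
```

Run check_pair() on the two units' exported blocks before joining them; a non-empty list points at the setting to correct before the heartbeat is brought up.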

After the HA group is configured:
  • The heartbeat check between the primary and secondary units is done through the HA port.

    The default heartbeat check interval is 30 seconds. This is configurable via the CLI.

  • Configuration changes are synced from the primary unit to the secondary unit. See HA configuration settings synchronization.

  • Data (database and sample files) is synced from the primary unit to the secondary unit.
    Note

    The database on the primary unit is large. Database synchronization may take a while.
