
Administration Guide

HA Failover

When an HA Failover occurs, the primary and secondary units switch roles.

Network topology before failover:

Network topology after failover:

Failover scenario 1: Temporary failure of the primary unit

A temporary failure of the primary unit occurs when the primary unit's:

  • System is down due to a sudden loss of power.

  • Monitored port link has failed.

When either of the two conditions above occurs on the primary unit:

  • The FortiNDR HA group is operating normally. P1 is the primary unit and S2 is the secondary unit.
  • P1 fails, either through a sudden loss of power or because the monitored port link has been detected as failed.
  • The effective HA operating mode of S2 changes to primary.
  • When the monitored port link fails, the effective HA operating mode of P1 changes to fail.
  • The effective HA operating mode of P1 changes to secondary when the system is back or the monitored port link is up again.
Note

The failover time in this scenario will depend on the heartbeat settings.

Failover scenario 2: System reboot or reload of the primary unit

This scenario occurs when you trigger a system reboot or reload on the primary FortiNDR:

  1. P1 will send a HOLDOFF command to S2 so that S2 will not take over the primary role during P1’s reboot/reload.
  2. S2 will hold off checking the heartbeat with P1.
    Note

    S2 will only hold off for about 15 minutes. This is not configurable.

  3. If P1 reboots/reloads successfully within 15 minutes, P1 will stay in primary mode and S2 will go back to secondary from hold off.
  4. Otherwise, S2 will take over the primary role, and P1 will change to secondary role when it is back.

Failover scenario 3: Heartbeat links fail

This occurs when the primary heartbeat link fails, and either no secondary heartbeat link is configured or the secondary heartbeat link has failed as well:

  • The FortiNDR HA group is operating normally. Then the heartbeat link fails between the Primary unit and Secondary unit.

  • The effective HA mode of S2 changes to primary. At this time both units are acting as Primary units.

  • When the heartbeat link is reconnected, one of the units will be picked to switch back to Secondary unit, while the other will stay as Primary unit.

Trigger HA failover using CLI

You can also trigger an HA failover by running a CLI command on the primary unit:

  • The FortiNDR HA group is operating normally. Then on the primary unit, run the failover testing CLI:

    execute ha test-failover

  • The effective HA mode of the secondary unit changes to primary. The effective HA mode of the primary unit changes to secondary. The secondary unit will act as primary and take over operation.
  • If you want to restore the effective mode to be the same as the configured mode, run the failover testing CLI again on the new primary unit.
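
The mode transitions in the scenarios above can be audited from polled HA status, which matters for a detection sensor pair because a dual-primary or no-primary state should not go unnoticed. This is an added example, not Fortinet code: the `Sample` record, the `audit` and `poll` helpers and the 120-second grace value are assumptions, and the timeline is constructed.

```python
from collections import namedtuple

# One polled HA status sample (hypothetical record; collection is not modelled).
# effective: "primary", "secondary", "fail", or None if the unit did not answer.
Sample = namedtuple("Sample", "t unit configured effective")
HOLDOFF_S = 15 * 60  # page: S2 holds off for about 15 minutes
GRACE_S = 120        # assumption: slack for "about" and polling jitter

def audit(samples):
    """Return (t, finding) tuples, emitted when a condition first appears."""
    polls = {}
    for s in sorted(samples, key=lambda s: s.t):
        polls.setdefault(s.t, []).append(s)
    findings, prev, gap_start = [], set(), None
    for t, units in polls.items():
        now = set()
        primaries = sorted(s.unit for s in units if s.effective == "primary")
        if len(primaries) > 1:
            # Scenario 3: heartbeat lost, both units act as primary.
            now.add("dual-primary " + "+".join(primaries))
        for s in units:
            if s.effective == "fail":
                # Scenario 1: monitored port link failed on this unit.
                now.add("fail-mode " + s.unit)
            elif len(primaries) == 1 and s.effective not in (None, s.configured):
                # Roles stay swapped after a failover until restored.
                now.add("role-swapped " + s.unit)
        if primaries:
            gap_start = None
        else:
            # Scenario 2: no primary is expected only during the hold-off.
            gap_start = t if gap_start is None else gap_start
            if t - gap_start > HOLDOFF_S + GRACE_S:
                now.add("no-primary-past-holdoff")
        findings += [(t, f) for f in sorted(now - prev)]
        prev = now
    return findings

def poll(t, p1, s2):
    """Build one constructed poll of the pair P1 (primary) and S2 (secondary)."""
    return [Sample(t, "P1", "primary", p1), Sample(t, "S2", "secondary", s2)]

# Constructed timeline: port failure, swapped roles, restore, heartbeat loss.
TIMELINE = (poll(0, "primary", "secondary") + poll(60, "fail", "primary")
            + poll(120, "secondary", "primary") + poll(180, "primary", "secondary")
            + poll(240, "primary", "primary") + poll(300, "primary", "secondary"))

if __name__ == "__main__":
    print(*audit(TIMELINE), sep="\n")
```

A `role-swapped` finding that persists is the state the last step above restores by running the failover test again on the new primary unit.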
