
CLI reference

config system ha


Use this command to configure FortiNDR to act as a member of a High Availability (HA) cluster in order to increase availability.

config system ha
  config interface
    edit <interface_name>
      set action-on-primary {ignore-vip | use-vip}
      set heartbeat-status {disable | primary | secondary}
      set peer-ip <ipv4mask>
      set port-monitor {enable | disable}
      set virtual-ip <ipv4mask>
    next
  end
  set hb-base-port <hb-port_int>
  set hb-lost-threshold <hb-threshold_int>
  set mode {off | primary | secondary}
  set password <password_str>
end

Variable | Description | Default

<interface_name>

Enter the name of the interface to which you want to apply the HA configuration.

action-on-primary {ignore-vip | use-vip}

Select whether the virtual IP configured on this interface is used when the unit's HA mode is primary.

  • ignore-vip: Do not use the virtual IP configuration when HA mode is primary.

  • use-vip: Add the specified virtual IP address and netmask to the network interface when HA mode is primary. This option results in the network interface having two IP addresses: the actual and the virtual.

Default: ignore-vip

heartbeat-status {disable | primary | secondary}

Specify if this interface will be used for HA heartbeat and synchronization.

  • disable: Do not use this interface for HA heartbeat and synchronization.

  • primary: Select the primary network interface for heartbeat and synchronization traffic.

    This network interface must be connected directly or through a switch to the primary heartbeat network interface of the other member in the HA group.

  • secondary: Select the secondary network interface for heartbeat and synchronization traffic.

    The secondary heartbeat interface is the backup heartbeat link between the units in the HA group. If the primary heartbeat link is functioning, the secondary heartbeat link is only used for the HA heartbeat. Otherwise the secondary link is used for both the HA heartbeat and synchronization.

Note: In general, you should isolate the network interfaces that are used for heartbeat traffic from your overall network. Heartbeat and synchronization packets contain sensitive configuration information, are latency-sensitive, and can consume considerable network bandwidth.

Default: disable

peer-ip <ipv4mask>

Enter the IP address of the matching heartbeat network interface of the other member of the HA group.

If you are configuring the primary unit’s primary heartbeat network interface, enter the IP address of the secondary unit’s primary heartbeat network interface.

For the secondary heartbeat network interface, enter the IP address of the other unit’s secondary heartbeat network interface.

Default: 0.0.0.0

port-monitor {enable | disable}

Enable to monitor a network interface for failure. If the port fails, the primary unit will trigger a failover.

Default: disable

virtual-ip <ipv4mask>

Enter the virtual IP address and netmask for this interface.

Default: 0.0.0.0/0

hb-base-port <hb-port_int>

Enter the first of four total TCP port numbers that will be used for:

  • The heartbeat signal

  • Synchronization control

  • Data synchronization

  • Configuration synchronization

Default: 20000

hb-lost-threshold <hb-threshold_int>

Enter the total span of time, in seconds, for which the primary unit can be unresponsive before it triggers a failover and the secondary unit assumes the role of the primary unit.

Note: If the failure detection time is too short, the secondary unit may falsely detect a failure during periods of high load.

Default: 30

mode {off | primary | secondary}

Enter the HA operating mode, or disable HA.

Default: off

password <password_str>

Enter a password for the HA group. The password must be the same on the primary and secondary FortiAI unit(s). The password must be at least 1 character.
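The cross-unit requirements above (one primary and one secondary unit, the same HA group password on both, and each peer-ip pointing at the other unit's matching heartbeat interface) can be checked before deployment. The following is an added example, not Fortinet code: the interface name port2, the addresses, the password placeholder, and the per-unit map of heartbeat addresses are all assumptions made for illustration.

```python
def parse_ha(text):
    """Split one unit's HA block into top-level and per-interface settings."""
    top, ifaces, current = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "edit":
            current = ifaces.setdefault(words[1], {})
        elif words[0] in ("next", "end"):
            current = None
        elif words[0] == "set" and len(words) >= 3:
            (top if current is None else current)[words[1]] = " ".join(words[2:])
    return top, ifaces

def heartbeat_peers(ifaces):
    """Map heartbeat role -> configured peer-ip (any /mask suffix dropped)."""
    return {s["heartbeat-status"]: s.get("peer-ip", "0.0.0.0").split("/")[0]
            for s in ifaces.values()
            if s.get("heartbeat-status", "disable") != "disable"}

def check_pair(cfg_a, addrs_a, cfg_b, addrs_b):
    """addrs_x: role -> that unit's own heartbeat IP (assumed inventory data)."""
    (top_a, if_a), (top_b, if_b) = parse_ha(cfg_a), parse_ha(cfg_b)
    findings = []
    if {top_a.get("mode", "off"), top_b.get("mode", "off")} != {"primary", "secondary"}:
        findings.append("modes are not one primary and one secondary")
    if top_a.get("password") != top_b.get("password"):
        findings.append("HA group password differs between units")
    for unit, ifs, other in (("A", if_a, addrs_b), ("B", if_b, addrs_a)):
        for role, peer in heartbeat_peers(ifs).items():
            if peer != other.get(role):
                findings.append(f"unit {unit}: {role} heartbeat peer-ip {peer} "
                                f"is not the other unit's {role} heartbeat address")
    return findings

# Constructed sample: port2, the addresses and the password placeholder are made up.
UNIT_A = """config system ha
  config interface
    edit port2
      set heartbeat-status primary
      set peer-ip 10.0.0.2
    next
  end
  set mode primary
  set password <ha-group-password>
end"""
# Unit B is given a wrong peer-ip on purpose so the check reports it.
UNIT_B = UNIT_A.replace("10.0.0.2", "10.0.0.9").replace("mode primary", "mode secondary")
FINDINGS = check_pair(UNIT_A, {"primary": "10.0.0.1"}, UNIT_B, {"primary": "10.0.0.2"})
```

FINDINGS holds one entry for unit B, whose peer-ip does not match unit A's primary heartbeat address.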
