
Administration Guide

Disaster recovery

FortiPAM supports adding a disaster recovery node at a remote site. The feature is implemented on top of HA.

Disaster recovery can only be set up using CLI commands.

The HA primary and secondary nodes are set up in one location, while the HA disaster recovery node is set up in a remote location. The three nodes form a single HA cluster.

On the disaster recovery node, use the following CLI command to enable it:

config system ha
    set disaster-recovery-node enable
end

HA primary node CLI example

config system ha
    set override enable
    set priority 200
    set unicast-status enable
    set unicast-gateway 10.1.2.33
    config unicast-peers
        edit 35
            set peer-ip 10.1.3.35
        next
        edit 37
            set peer-ip 10.1.2.37
        next
    end
end

HA secondary node CLI example

config system ha
    set override enable
    set priority 100
    set unicast-status enable
    set unicast-gateway 10.1.2.33
    config unicast-peers
        edit 35
            set peer-ip 10.1.3.35
        next
        edit 36
            set peer-ip 10.1.2.36
        next
    end
end

Disaster recovery node CLI example

config system ha
    set override enable
    set disaster-recovery-node enable
    set unicast-status enable
    set unicast-gateway 10.1.3.33
    config unicast-peers
        edit 36
            set peer-ip 10.1.2.36
        next
        edit 37
            set peer-ip 10.1.2.37
        next
    end
end
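As an added example (not Fortinet's code and not part of this guide), the following Python script parses the three "config system ha" snippets above and checks that they describe one consistent three-node cluster before they are pushed: each node lists the other two as unicast peers, exactly one node is the disaster recovery node, the primary and secondary carry distinct priorities, and each node's unicast gateway sits in its own subnet. Inferring a node's own IP from the peer it omits and the /24 gateway rule are assumptions of this script, not documented FortiPAM behaviour.

```python
# Added example, not Fortinet code: sanity-check the three 'config system ha'
# snippets from this page before pushing them. Assumption: each node lists the
# other two nodes as unicast peers (so the address it omits is its own IP).
import re

PAGE_NODES = {  # constructed from the page's CLI examples, one entry per node
    "primary": "config system ha\nset override enable\nset priority 200\n"
               "set unicast-status enable\nset unicast-gateway 10.1.2.33\n"
               "config unicast-peers\nedit 35\nset peer-ip 10.1.3.35\nnext\n"
               "edit 37\nset peer-ip 10.1.2.37\nnext\nend\nend",
    "secondary": "config system ha\nset override enable\nset priority 100\n"
                 "set unicast-status enable\nset unicast-gateway 10.1.2.33\n"
                 "config unicast-peers\nedit 35\nset peer-ip 10.1.3.35\nnext\n"
                 "edit 36\nset peer-ip 10.1.2.36\nnext\nend\nend",
    "dr": "config system ha\nset override enable\nset disaster-recovery-node enable\n"
          "set unicast-status enable\nset unicast-gateway 10.1.3.33\n"
          "config unicast-peers\nedit 36\nset peer-ip 10.1.2.36\nnext\n"
          "edit 37\nset peer-ip 10.1.2.37\nnext\nend\nend",
}

def parse_ha(text):
    """Return the top-level 'set' values plus the list of unicast peer IPs."""
    settings = dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", text, re.M))
    settings.pop("peer-ip", None)  # peer-ip lines belong to the peer table
    settings["peers"] = re.findall(r"set peer-ip (\S+)", text)
    return settings

def check_cluster(nodes):
    """Return a list of problems; an empty list means the configs agree."""
    problems, own = [], {}
    all_ips = {ip for n in nodes.values() for ip in n["peers"]}
    for name, n in nodes.items():
        missing = all_ips - set(n["peers"])  # a node never lists itself
        if len(missing) != 1:
            problems.append(f"{name}: peer list {n['peers']} does not fit a 3-node cluster")
            continue
        own[name] = missing.pop()
        if n.get("unicast-gateway", "").rsplit(".", 1)[0] != own[name].rsplit(".", 1)[0]:
            problems.append(f"{name}: unicast-gateway is not in its own /24 (assumed rule)")
    if len(set(own.values())) != len(nodes):
        problems.append("two nodes resolve to the same IP: overlapping peer lists")
    dr = [k for k, n in nodes.items() if n.get("disaster-recovery-node") == "enable"]
    if len(dr) != 1:
        problems.append(f"expected exactly one disaster recovery node, got {dr}")
    prios = [n.get("priority") for k, n in nodes.items() if k not in dr]
    if len(prios) != len(set(prios)):
        problems.append("primary and secondary share a priority; override cannot pick a winner")
    return problems

if __name__ == "__main__":
    print(check_cluster({k: parse_ha(v) for k, v in PAGE_NODES.items()}) or "cluster config consistent")
```

Run it against the page's own snippets and it reports no problems; swap one peer IP or give the secondary the primary's priority and the corresponding check fires.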

The disaster recovery node has a lower heartbeat interval, in ms (default = 600).

Use the following CLI command to change the interval:

config system ha
    set disaster-recovery-hb-interval <integer>
end

A disaster recovery node at a remote site is most likely on a different network segment from the primary. You must configure a different interface IP, VIP, and gateway for the disaster recovery node according to the network design. In this case, configure the following vdom-exception entries so that the VIP, system interface, static route, SAML server, and FortiToken Mobile push configuration do not sync among the primary, secondary, and disaster recovery nodes. When HA fails over to the disaster recovery node, FortiPAM can then operate on the disaster recovery node's VIP along with its other services.

config system vdom-exception
    edit 1
        set object firewall.vip
    next
    edit 2
        set object system.interface
    next
    edit 3
        set object router.static
    next
    edit 4
        set object user.saml
    next
    edit 5
        set object system.ftm-push
    next
end

If you still want any of the above settings carried over from the primary to the secondary, you must configure them on the secondary manually.

When the HA primary, secondary, and disaster recovery nodes use different VIPs, each must be added individually as a service provider on the SAML server, and the SAML server configuration on each FortiPAM HA member also differs.
