Disaster recovery
FortiPAM supports adding a disaster recovery node in a remote site. It uses HA to implement this feature.
Disaster recovery can only be set up using CLI commands.
The HA primary and secondary nodes are set up in one location, while the HA disaster recovery node is set up in a remote location. The three nodes form one HA cluster.
On the disaster recovery node, use the following CLI command to enable it:
config system ha
    set disaster-recovery-node enable
end
HA primary node CLI example
config system ha
    set override enable
    set priority 200
    set unicast-status enable
    set unicast-gateway 10.1.2.33
    config unicast-peers
        edit 35
            set peer-ip 10.1.3.35
        next
        edit 37
            set peer-ip 10.1.2.37
        next
    end
end
HA secondary node CLI example
config system ha
    set override enable
    set priority 100
    set unicast-status enable
    set unicast-gateway 10.1.2.33
    config unicast-peers
        edit 35
            set peer-ip 10.1.3.35
        next
        edit 36
            set peer-ip 10.1.2.36
        next
    end
end
Disaster recovery node CLI example
config system ha
    set override enable
    set disaster-recovery-node enable
    set unicast-status enable
    set unicast-gateway 10.1.3.33
    config unicast-peers
        edit 36
            set peer-ip 10.1.2.36
        next
        edit 37
            set peer-ip 10.1.2.37
        next
    end
end
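The three examples above must describe one consistent mesh: every node lists exactly the other two members as unicast peers, and exactly one node is the disaster recovery node. The following Python check is an added example, not part of the FortiPAM documentation; it parses each node's `config system ha` text and reports a peer list that does not match the rest of the cluster, a peer list without `unicast-status enable`, or a cluster with other than one disaster-recovery-node. The node IPs 10.1.2.36 (primary), 10.1.2.37 (secondary) and 10.1.3.35 (disaster recovery) are assumptions inferred from the peer-ip values on this page.

```python
def parse_ha(cli):
    """Extract peer IPs, unicast-status and the DR flag from one node's 'config system ha' text."""
    node, in_peers = {"peers": set(), "dr": False, "unicast": False}, False
    for tok in (line.split() for line in cli.splitlines()):
        if tok[:2] == ["config", "unicast-peers"]:
            in_peers = True
        elif tok[:1] == ["end"]:
            in_peers = False  # leaves the unicast-peers sub-table (or the ha block)
        elif tok[:1] == ["set"] and len(tok) >= 3:
            if tok[1] == "peer-ip" and in_peers:
                node["peers"].add(tok[2])
            elif tok[1] == "disaster-recovery-node":
                node["dr"] = tok[2] == "enable"
            elif tok[1] == "unicast-status":
                node["unicast"] = tok[2] == "enable"
    return node


def check_cluster(configs):
    """configs: {node_ip: cli_text}. Returns a list of findings; empty means consistent."""
    nodes = {ip: parse_ha(cli) for ip, cli in configs.items()}
    findings = []
    for ip, n in nodes.items():
        expected = set(nodes) - {ip}  # every node must list exactly the other members
        if n["peers"] != expected:
            findings.append(f"{ip}: peers {sorted(n['peers'])} != {sorted(expected)}")
        if n["peers"] and not n["unicast"]:
            findings.append(f"{ip}: unicast-peers set but unicast-status not enabled")
    dr = [ip for ip, n in nodes.items() if n["dr"]]
    if len(dr) != 1:
        findings.append(f"expected exactly one disaster-recovery-node, found {dr}")
    return findings


# Constructed sample: the three node examples from this page, keyed by assumed node IP.
SAMPLE = {
    "10.1.2.36": ("config system ha\n set override enable\n set priority 200\n"
                  " set unicast-status enable\n set unicast-gateway 10.1.2.33\n"
                  " config unicast-peers\n  edit 35\n   set peer-ip 10.1.3.35\n  next\n"
                  "  edit 37\n   set peer-ip 10.1.2.37\n  next\n end\nend"),
    "10.1.2.37": ("config system ha\n set override enable\n set priority 100\n"
                  " set unicast-status enable\n set unicast-gateway 10.1.2.33\n"
                  " config unicast-peers\n  edit 35\n   set peer-ip 10.1.3.35\n  next\n"
                  "  edit 36\n   set peer-ip 10.1.2.36\n  next\n end\nend"),
    "10.1.3.35": ("config system ha\n set override enable\n set disaster-recovery-node enable\n"
                  " set unicast-status enable\n set unicast-gateway 10.1.3.33\n"
                  " config unicast-peers\n  edit 36\n   set peer-ip 10.1.2.36\n  next\n"
                  "  edit 37\n   set peer-ip 10.1.2.37\n  next\n end\nend"),
}

if __name__ == "__main__":
    print(check_cluster(SAMPLE) or "cluster peer configuration is consistent")
```

Feed it the output of `show system ha` from each member to catch a mistyped peer-ip before a failover exposes it.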
The disaster recovery node has a lower heartbeat interval, in ms (default = 600). Use the following CLI command to change the interval:
config system ha
    set disaster-recovery-hb-interval <integer>
end
A disaster recovery node on a remote site is most likely on a different network segment from the primary, so you must configure a different interface IP, VIP, and gateway for the disaster recovery node according to the network design. In that case, configure the following VDOM exceptions so that the VIP, system interface, static route, SAML server, and FortiToken Mobile push configuration are not synchronized among the primary, secondary, and disaster recovery nodes. When HA fails over to the disaster recovery node, FortiPAM can then operate on the disaster recovery node's VIP along with its other services.
config system vdom-exception
    edit 1
        set object firewall.vip
    next
    edit 2
        set object system.interface
    next
    edit 3
        set object router.static
    next
    edit 4
        set object user.saml
    next
    edit 5
        set object system.ftm-push
    next
end
If you do want the above settings carried over from the primary to the secondary, you need to edit them on the secondary manually, since they are excluded from HA synchronization.
When the HA primary, secondary, and disaster recovery nodes use different VIPs, each must be added individually as a service provider on the SAML server, and the SAML server configuration then differs on each FortiPAM HA member.