Administration Guide

High availability

Multiple FortiPAM units can operate as a high availability (HA) cluster to provide even higher reliability.

FortiPAM can operate in Active-Passive HA mode.

Active-Passive: Clustered fail-over mode where all of the configuration is synchronized between the devices.

PAM configurations, such as users and secrets, are automatically synced to the secondary devices so that PAM services can be operated or recovered when the primary device is down. All tasks are handled by the primary device, so system events and logs are recorded only on the primary device.

Your FortiPAM device can be configured as a standalone unit, or you can configure up to three FortiPAM devices in HA, one Active and up to two Passive mode devices, for failover protection and/or disaster recovery.

HA requires an additional license for each cluster unit with the same number of seats as you have for the primary FortiPAM. Each FortiPAM device in HA must be the same device model and version number.

The following shows FortiPAM devices in Active-Passive mode:

Status, priority, hostname, serial number, role, system uptime, sessions, and throughput are displayed for each unit in the HA cluster.

  • Click Refresh to fetch the latest information on the HA topology in use.

  • Select a FortiPAM unit and select Remove device from HA cluster to remove the FortiPAM unit from the HA cluster.

  • To edit a FortiPAM unit in an HA cluster, select the FortiPAM unit and then select Edit.

The primary unit in an Active-Passive cluster cannot be removed from the cluster.

Before configuring an HA cluster, ensure that interfaces are not using the DHCP mode to get IP addresses.

Configuring HA and cluster settings

To configure HA and cluster settings:
  1. Go to System > HA.
  2. Configure the following settings:

    Mode

    From the dropdown, select Standalone or Active-Passive.

    If you select Standalone, no other options are displayed.

    Device priority

    You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit (HA primary) when the primary unit fails. The device with the highest device priority becomes the primary unit (default = 128, 0 - 255).

    Since all videos and logs are only stored on the primary device, one FortiPAM should be configured with higher priority.

    With override enabled, the unit with the highest device priority always becomes the primary unit.

    The override setting and device priority value are not synchronized to all cluster units. You must enable override and adjust device priority manually and separately for each cluster unit.

    Cluster Settings

    Group name

    Enter a name to identify the cluster.

    Password

    Select Change to enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same for all cluster FortiPAM units before the FortiPAM units can form the HA cluster.

    It is suggested that you add a password to protect the HA cluster.

    Different HA clusters on the same network must use different passwords.

    Monitor interfaces

    Select the specific ports to monitor or create new interfaces.

    Use the search bar to look for an interface.

    Use the pen icon next to the interface to edit it.

    If a monitored interface fails or is disconnected from its network, the unit leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface on another cluster unit that still has a connection to the network. That cluster unit becomes the new primary unit.

    Heartbeat interfaces

    Select to enable or disable the HA heartbeat communication for each interface in the cluster and then set the heartbeat interface priority.

    You can also create new interfaces.

    Use the search bar to look for an interface.

    Use the pen icon next to the interface to edit it.

    The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.

    Heartbeat interfaces should use dedicated interfaces and not share the VIP interface.

    Management Interface Reservation

    Enable or disable the management interface reservation.

    Note: The option is disabled by default.

    You can provide direct management access to individual cluster units by reserving a management interface as part of the HA configuration. After this management interface is reserved, you can configure a different IP address, administrative access, and other interface settings for this interface for each cluster unit. You can also specify static routing settings for this interface. Then by connecting this interface of each cluster unit to your network, you can manage each cluster unit separately from a different IP address.

    Interface

    Select the management interface or create a new interface.

    Use the search bar to look for an interface.

    Use the pen icon next to the interface to edit it.

    Management interfaces should use dedicated interfaces.

    Gateway

    Enter the IPv4 address for the remote gateway.

    IPv6 gateway

    Enter the IPv6 address for the remote gateway.

    Destination subnet

    Enter the destination subnet.

    Unicast Status

    Enable the unicast HA heartbeat in virtual machine (VM) environments that do not support broadcast communication.

    Note: The option is disabled by default.

    Note: The pane is only available when the Mode is Active-Passive.

    When disabling this option to change from HA unicast to multicast, you must reboot all units in the cluster for the change to take effect.

    Peer IP

    Enter the IP address of the HA heartbeat interface of the other FortiPAM-VM in the HA cluster.

    Note: The option is only available when Unicast Heartbeat is enabled.

    Override

    Enable to use the primary server by default whenever it is available.

    Note: The option is enabled by default.

  3. Click OK.

HA failover

When the primary FortiPAM is down, the secondary takes the primary role and permanently enters maintenance mode. In maintenance mode, all critical processes are temporarily suspended. The admin can either bring up the original primary device or disable maintenance mode on the new primary device to resume all FortiPAM features.
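The rules in the configuration table above (device priority, per-unit override, monitored interfaces, heartbeat interface priority, password length, same model and version, no DHCP) and the failover behaviour in this section can be checked against a small model. The following Python is an added example, not Fortinet code and not FortiPAM's actual election algorithm: it validates a cluster description against the constraints the page states and simulates which unit becomes primary after a link failure. Hostnames, the model string, the version string and the tie-break by hostname are assumptions; the page does not specify how equal priorities are resolved.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HA_PASSWORD_MAX = 15                 # maximum cluster password length
DEVICE_PRIORITY_RANGE = (0, 255)     # device priority, default 128
HEARTBEAT_PRIORITY_RANGE = (0, 512)  # heartbeat interface priority
MAX_CLUSTER_UNITS = 3                # one active and up to two passive units


@dataclass
class Interface:
    up: bool = True
    dhcp: bool = False               # HA interfaces must not use DHCP


@dataclass
class Unit:
    hostname: str
    model: str
    version: str
    priority: int = 128
    override: bool = True            # enabled by default, set per unit (not synced)
    interfaces: Dict[str, Interface] = field(default_factory=dict)


@dataclass
class Cluster:
    group_name: str
    password: str
    units: List[Unit]
    monitored: List[str]             # monitor interfaces
    heartbeat: Dict[str, int]        # heartbeat interface name -> priority


def validate(cluster: Cluster) -> List[str]:
    """Check the constraints stated on the page; returns a list of problems."""
    problems = []
    if not cluster.password:
        problems.append("cluster password is not set")
    elif len(cluster.password) > HA_PASSWORD_MAX:
        problems.append(f"password longer than {HA_PASSWORD_MAX} characters")
    if not cluster.heartbeat:
        problems.append("at least one heartbeat interface is required")
    if not 1 <= len(cluster.units) <= MAX_CLUSTER_UNITS:
        problems.append(f"cluster must have 1 to {MAX_CLUSTER_UNITS} units")
    if len({(u.model, u.version) for u in cluster.units}) > 1:
        problems.append("all units must be the same model and version")
    lo, hi = DEVICE_PRIORITY_RANGE
    for u in cluster.units:
        if not lo <= u.priority <= hi:
            problems.append(f"{u.hostname}: device priority {u.priority} outside {lo}-{hi}")
        for name, iface in u.interfaces.items():
            if iface.dhcp:
                problems.append(f"{u.hostname}: interface {name} uses DHCP")
    lo, hi = HEARTBEAT_PRIORITY_RANGE
    for name, prio in cluster.heartbeat.items():
        if not lo <= prio <= hi:
            problems.append(f"heartbeat interface {name}: priority {prio} outside {lo}-{hi}")
    return problems


def eligible(unit: Unit, monitored: List[str]) -> bool:
    """A unit whose monitored interface is down leaves the cluster (link failover)."""
    return all(unit.interfaces.get(n, Interface(up=False)).up for n in monitored)


def elect_primary(cluster: Cluster, current: Optional[str] = None) -> Optional[str]:
    """Highest device priority wins among eligible units. If the best candidate
    has override disabled, a still-eligible current primary keeps its role.
    Assumption: equal priorities are broken by hostname (not specified on the page)."""
    cands = [u for u in cluster.units if eligible(u, cluster.monitored)]
    if not cands:
        return None
    best = max(cands, key=lambda u: (u.priority, u.hostname))
    current_unit = next((u for u in cands if u.hostname == current), None)
    if current_unit is not None and not best.override:
        return current_unit.hostname
    return best.hostname


def active_heartbeat(cluster: Cluster, unit: Unit) -> Optional[str]:
    """Highest-priority heartbeat interface that is still up on this unit."""
    live = [(p, n) for n, p in cluster.heartbeat.items()
            if unit.interfaces.get(n, Interface(up=False)).up]
    return max(live)[1] if live else None


def failover(cluster: Cluster, failed: str) -> dict:
    """Primary goes down: its interfaces drop, a successor is elected and,
    as the page describes, the new primary enters maintenance mode."""
    for u in cluster.units:
        if u.hostname == failed:
            for iface in u.interfaces.values():
                iface.up = False
    new = elect_primary(cluster, current=failed)
    return {"primary": new, "maintenance_mode": new is not None and new != failed}


def sample_cluster() -> Cluster:
    """Constructed three-unit cluster; hostnames, model and version are placeholders."""
    def unit(name, prio, override):
        return Unit(name, "FortiPAM-VM", "version-placeholder", prio, override,
                    {"port1": Interface(), "port3": Interface(), "port4": Interface()})
    return Cluster("pam-cluster", "s3cret-ha-pass",
                   [unit("pam-a", 200, True), unit("pam-b", 150, False), unit("pam-c", 100, True)],
                   monitored=["port1"], heartbeat={"port3": 50, "port4": 10})


if __name__ == "__main__":
    c = sample_cluster()
    print("problems:", validate(c))
    print("primary:", elect_primary(c))
    print("after pam-a fails:", failover(c, "pam-a"))
```

Running the block elects pam-a (priority 200), then fails it over to pam-b with maintenance mode set. Because pam-b has override disabled, pam-a only reclaims the primary role after recovery if pam-a itself has override enabled, which mirrors the page's note that override and device priority are set separately on each unit.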
