Administration Guide

HA

NOTE: The HA clustering members must be the same hardware model running the same software version. The seat licenses do not have to be identical across HA devices, but identical licenses are highly recommended in case of failure.

FortiProxy high availability (HA) provides a system management solution that synchronizes configuration changes among the clustering members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among clustering members.

The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized.

HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time interval between HA heartbeats is 200 ms.
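The heartbeat frames described above are not IP traffic, so ordinary IP-based monitoring will not see them; the following added example (not from the guide or from Fortinet) shows how a defender can classify frames in a capture by the three Ethertype values the guide lists and flag silences longer than a multiple of the 200 ms default interval. It goes slightly beyond the text by also decoding a single 802.1Q VLAN tag, since the guide's vSwitch note puts the heartbeat on VLANs or port groups. The MAC addresses, timestamps and frames below are constructed sample data, not a real FortiProxy trace.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Ethertype values the guide lists for FortiProxy HA heartbeat frames.
HA_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
ETHERTYPE_VLAN = 0x8100          # IEEE 802.1Q tag
DEFAULT_HB_INTERVAL_S = 0.2      # guide: default heartbeat interval is 200 ms


@dataclass
class Frame:
    ts: float            # capture timestamp in seconds
    src_mac: str
    dst_mac: str
    vlan: Optional[int]  # 802.1Q VLAN ID, or None if untagged
    ethertype: int


def parse_ethernet(ts: float, raw: bytes) -> Frame:
    """Decode the Ethernet II header and an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF
    return Frame(ts, src.hex(":"), dst.hex(":"), vlan, ethertype)


def is_ha_heartbeat(frame: Frame) -> bool:
    return frame.ethertype in HA_HEARTBEAT_ETHERTYPES


def heartbeat_gaps(frames, interval=DEFAULT_HB_INTERVAL_S, tolerance=3.0):
    """Per sending unit, report silences longer than tolerance * interval."""
    last_seen = {}
    gaps = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if not is_ha_heartbeat(f):
            continue
        if f.src_mac in last_seen:
            gap = f.ts - last_seen[f.src_mac]
            if gap > tolerance * interval:
                gaps.append((f.src_mac, round(gap, 3)))
        last_seen[f.src_mac] = f.ts
    return gaps


def summarize(capture) -> dict:
    """Classify (timestamp, raw_frame) pairs and report heartbeat silences."""
    frames = [parse_ethernet(ts, raw) for ts, raw in capture]
    hb = [f for f in frames if is_ha_heartbeat(f)]
    return {
        "heartbeat_frames": len(hb),
        "other_frames": len(frames) - len(hb),
        "heartbeat_vlans": sorted({f.vlan for f in hb if f.vlan is not None}),
        "gaps": heartbeat_gaps(frames),
    }


# --- constructed sample capture (not a real FortiProxy trace) ---------------
def build_frame(src, dst, ethertype, vlan=None, payload=b"\x00" * 46) -> bytes:
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


UNIT_A, UNIT_B = "02:00:00:00:00:01", "02:00:00:00:00:02"   # made-up MACs
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [
    (0.00, build_frame(UNIT_A, BCAST, 0x8890, vlan=100)),
    (0.10, build_frame(UNIT_B, BCAST, 0x8891, vlan=100)),
    (0.20, build_frame(UNIT_A, BCAST, 0x8890, vlan=100)),
    (0.30, build_frame(UNIT_B, BCAST, 0x8891, vlan=100)),
    (0.35, build_frame(UNIT_A, UNIT_B, 0x0800)),           # ordinary IPv4, not heartbeat
    (0.40, build_frame(UNIT_A, BCAST, 0x8890, vlan=100)),
    (0.45, build_frame(UNIT_B, UNIT_A, 0x86DD)),           # ordinary IPv6, not heartbeat
    (0.50, build_frame(UNIT_B, BCAST, 0x8891, vlan=100)),
    (0.60, build_frame(UNIT_A, BCAST, 0x8890, vlan=100)),
    (0.70, build_frame(UNIT_B, BCAST, 0x8893, vlan=100)),
    (2.00, build_frame(UNIT_A, BCAST, 0x8890, vlan=100)),  # unit A silent for 1.4 s
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

Because the frames are identified purely by Ethertype, the same classifier works whether the heartbeat is broadcast or, in the unicast mode the guide describes for VM environments, addressed to a single peer. A gap report for one unit while the other keeps sending usually points at the heartbeat vSwitch or VLAN configuration rather than at the cluster itself.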

Your FortiProxy device can be configured as a standalone unit or you can configure two FortiProxy devices in the Active-Passive mode for failover protection.

NOTE: If you are using vSwitches:

  • In Config-Sync mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, you can use the default vSwitch setting.

  • In Active-Passive mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, the security setting must be the same as the heartbeat vSwitch.

To configure HA and cluster settings or to view the cluster member list, select System > HA.

Configure the following settings and then click OK:

Mode

Select the mode: Standalone, Config-Sync, or Active-Passive from the drop-down menu. If you select Standalone, no other options are displayed.

Device priority

You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit (HA primary) when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.

Unicast Heartbeat

Enable the unicast HA heartbeat in virtual machine (VM) environments that do not support broadcast communication.

Note

Starting from 7.0.10, this option is available only when Mode is Active-Passive.

Unicast Heartbeat Peer IP

Enter the IP address of the HA heartbeat interface of the other FortiProxy VM in the HA cluster.

Cluster Settings

Group name

Enter a name to identify the cluster.

Password

Select Change to enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same for all cluster FortiProxy units before the FortiProxy units can form the HA cluster.

When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.

Monitor interfaces

Select the specific ports to monitor.

If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit.

Heartbeat Interfaces

Select to enable or disable the HA heartbeat communication for each interface in the cluster and then set the heartbeat interface priority.

The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.
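To make the interaction between device priority, monitored interfaces and heartbeat interface priority concrete, here is an added simulation (not code from the guide or from Fortinet) of the rules stated above: a unit with a failed monitored link is removed from consideration, the remaining unit with the highest device priority becomes primary, the highest-priority heartbeat interface that is still up carries the heartbeat, and traffic processing stops if a unit has no working heartbeat interface. The tie-break on serial number when two units share a device priority is an assumption for this example, not something the guide states; unit names, serials and port names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HB_PRIORITY_RANGE = (0, 512)   # guide: heartbeat interface priority 0-512
DEFAULT_DEVICE_PRIORITY = 128  # guide: default device priority


@dataclass
class ClusterUnit:
    name: str
    serial: str
    device_priority: int = DEFAULT_DEVICE_PRIORITY
    monitored: Dict[str, bool] = field(default_factory=dict)              # iface -> link up?
    heartbeat: Dict[str, Tuple[int, bool]] = field(default_factory=dict)  # iface -> (priority, up?)

    def __post_init__(self):
        lo, hi = HB_PRIORITY_RANGE
        for iface, (prio, _) in self.heartbeat.items():
            if not lo <= prio <= hi:
                raise ValueError(f"{self.name}/{iface}: heartbeat priority {prio} outside {lo}-{hi}")


def has_link_failure(unit: ClusterUnit) -> bool:
    """A monitored interface that is down or disconnected triggers link failover."""
    return any(not up for up in unit.monitored.values())


def active_heartbeat_iface(unit: ClusterUnit) -> Optional[str]:
    """Highest-priority heartbeat interface that is still up, else None."""
    live = [(prio, iface) for iface, (prio, up) in unit.heartbeat.items() if up]
    return max(live)[1] if live else None


def select_primary(units) -> Optional[ClusterUnit]:
    """Highest device priority among units without a monitored-link failure.
    Tie-break on serial number is an assumption of this example."""
    candidates = [u for u in units if not has_link_failure(u)]
    if not candidates:
        return None
    return max(candidates, key=lambda u: (u.device_priority, u.serial))


def cluster_state(units) -> dict:
    hb = {u.name: active_heartbeat_iface(u) for u in units}
    heartbeat_ok = all(iface is not None for iface in hb.values())
    primary = select_primary(units)
    return {
        "primary": primary.name if primary else None,
        "heartbeat_iface": hb,
        # guide: if heartbeat communication is interrupted, the cluster stops processing traffic
        "processing_traffic": heartbeat_ok and primary is not None,
    }


# Constructed two-unit scenario (names, serials and ports are made up).
def make_units():
    a = ClusterUnit("fpx-a", "FPXSERIALA001", 200,
                    monitored={"port2": True},
                    heartbeat={"port3": (50, True), "port4": (10, True)})
    b = ClusterUnit("fpx-b", "FPXSERIALB002", 128,
                    monitored={"port2": True},
                    heartbeat={"port3": (50, True), "port4": (10, True)})
    return a, b


def scenario_link_failover():
    """Primary before and after fpx-a loses its monitored uplink."""
    a, b = make_units()
    before = cluster_state([a, b])["primary"]
    a.monitored["port2"] = False
    after = cluster_state([a, b])["primary"]
    return before, after


def scenario_heartbeat_failover():
    """First the preferred heartbeat port on fpx-a fails, then fpx-b loses every heartbeat link."""
    a, b = make_units()
    a.heartbeat["port3"] = (50, False)
    first = cluster_state([a, b])
    b.heartbeat = {"port3": (50, False), "port4": (10, False)}
    second = cluster_state([a, b])
    return first, second


if __name__ == "__main__":
    print(scenario_link_failover())
    print(scenario_heartbeat_failover())
```

The second scenario is the one worth remembering operationally: losing the preferred heartbeat port only moves the heartbeat to the lower-priority port, but losing every heartbeat port on a unit halts traffic processing for the cluster, which is why the guide insists on at least one (and in practice more than one) heartbeat interface.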

Management Interface Reservation

Enable or disable the management interface reservation.

You can provide direct management access to individual cluster units by reserving a management interface as part of the HA configuration. After this management interface is reserved, you can configure a different IP address, administrative access, and other interface settings for this interface for each cluster unit.

You can also specify static routing settings for this interface. Then by connecting this interface of each cluster unit to your network, you can manage each cluster unit separately from a different IP address.

Refer to HA cluster out-of-band management for detailed instructions about configuring a management interface for an HA cluster.

Interface

Select the management interface.

Gateway

Enter the IPv4 address for the remote gateway.

IPv6 gateway

Enter the IPv6 address for the remote gateway.

Destination subnet

Enter the destination subnet.

+

Select + to enter another management interface.

HA multiple unicast peers

Starting in FortiProxy 7.0.1, you can configure up to eight unicast Config-Sync HA clusters. Unicast configuration synchronization is supported on layer 3, allowing peers to be synchronized in cloud environments that do not support layer-2 networking. Configuring a unicast gateway allows peers to be in different subnets.

For example:

config system ha
    set mode config-sync-only
    set hbdev "port1" 50
    set override enable
    set unicast-status enable
    set unicast-gateway 10.0.0.1
    config unicast-peers
        edit 1
            set peer-ip 192.168.76.13
        next
        .........
    end
end

Note:

  • Use the set unicast-hb enable command for a one-to-one unicast Active-Passive HA cluster or Config-Sync HA cluster.

  • Use the set unicast-status, set unicast-gateway, and config unicast-peers commands for multiple peers in a Config-Sync HA cluster.
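When a multi-peer Config-Sync configuration is kept under version control or reviewed before it is pushed, it is handy to check it mechanically against the limits the guide states (at least one heartbeat interface with a priority in 0-512, unicast-status used only with the Config-Sync mode, no more than eight unicast peers, valid peer and gateway addresses). The following added example (not from the guide or from Fortinet) parses the nested config/edit/set/next/end syntax shown above into dictionaries and runs those checks. The second peer address 192.168.77.21 and everything in the deliberately broken sample are constructed values; the good sample reuses the addresses from the guide's own example.

```python
import ipaddress
import shlex
from typing import Dict, List

MAX_UNICAST_PEERS = 8       # guide: up to eight unicast peers (FortiProxy 7.0.1+)
HB_PRIORITY_RANGE = (0, 512)


def parse_fortinet_cli(text: str) -> Dict:
    """Turn config/edit/set/next/end blocks into nested dicts.
    'set k v' stores a string; 'set k v1 v2 ...' stores a list."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '{kw}'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown keyword '{kw}'")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def check_ha(cfg: Dict) -> List[str]:
    """Findings against the rules the guide states for a unicast Config-Sync cluster."""
    ha = cfg.get("system ha")
    if ha is None:
        return ["no 'config system ha' block"]
    findings: List[str] = []
    mode = ha.get("mode", "standalone")
    if mode == "standalone":
        return findings

    # hbdev is a list of (interface, priority) pairs.
    hb = _as_list(ha.get("hbdev"))
    pairs = list(zip(hb[0::2], hb[1::2]))
    if not pairs:
        findings.append("no heartbeat interface (hbdev) configured")
    lo, hi = HB_PRIORITY_RANGE
    for iface, prio in pairs:
        if not prio.isdigit() or not lo <= int(prio) <= hi:
            findings.append(f"hbdev {iface}: priority {prio} outside {lo}-{hi}")

    peers = ha.get("unicast-peers", {})
    if ha.get("unicast-status") == "enable":
        if mode != "config-sync-only":
            findings.append(f"unicast-status is for Config-Sync clusters, mode is {mode}")
        if not peers:
            findings.append("unicast-status enabled but no unicast-peers defined")
        if len(peers) > MAX_UNICAST_PEERS:
            findings.append(f"{len(peers)} unicast peers exceeds maximum of {MAX_UNICAST_PEERS}")
        for pid, entry in peers.items():
            try:
                ipaddress.ip_address(entry.get("peer-ip", ""))
            except ValueError:
                findings.append(f"unicast-peers {pid}: invalid or missing peer-ip")
        gw = ha.get("unicast-gateway")
        if gw is not None:
            try:
                ipaddress.ip_address(gw)
            except ValueError:
                findings.append(f"invalid unicast-gateway {gw}")
    elif peers:
        findings.append("unicast-peers defined but unicast-status is not enabled")
    return findings


# Constructed samples: GOOD_CONFIG extends the guide's example with a second peer.
GOOD_CONFIG = """
config system ha
    set mode config-sync-only
    set hbdev "port1" 50
    set override enable
    set unicast-status enable
    set unicast-gateway 10.0.0.1
    config unicast-peers
        edit 1
            set peer-ip 192.168.76.13
        next
        edit 2
            set peer-ip 192.168.77.21
        next
    end
end
"""

# Deliberately broken: priority above 512, nine peers, and one malformed peer-ip.
BAD_CONFIG = (
    'config system ha\n    set mode config-sync-only\n    set hbdev "port1" 600\n'
    "    set unicast-status enable\n    config unicast-peers\n"
    + "".join(f"        edit {i}\n            set peer-ip 10.1.0.{i}\n        next\n" for i in range(1, 9))
    + "        edit 9\n            set peer-ip 10.1.0.999\n        next\n    end\nend\n"
)

if __name__ == "__main__":
    print(check_ha(parse_fortinet_cli(GOOD_CONFIG)))
    print(check_ha(parse_fortinet_cli(BAD_CONFIG)))
```

The parser is intentionally strict (an unmatched `next` or `end`, or an unknown keyword, raises instead of silently producing a partial tree), because a check that passes on a truncated configuration gives false assurance.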

Cache Collaboration

When deployed in a cluster, depending on the architecture, requests for the same URL may reach different cache devices and be cached separately on each. Methods are available to mitigate this through load balancing with FortiADC or WCCP.

FortiProxy has the Cache Collaboration feature, where the storage of all devices within the FortiProxy HA Cluster is accessible as a shared entity. This feature allows content cached by one device to be shared by other FortiProxy devices within the cluster, significantly increasing the cache rate.

CLI syntax

config wanopt cache-service
    set prefer-scenario {balance | prefer-speed | prefer-cache}   // Default is balance.
    set collaboration {enable | disable}                         // Default is disable.
    set device-id <name>
    set acceptable-connections {any | peers}                     // Default is any.
end
