Administration Guide

Configuring HA settings specifically for active-passive and standard active-active modes

In addition to the basic settings, you can configure the following settings as needed for an active-passive HA group or a standard active-active HA group. Load-balancing algorithm and HA Health Check only need to be configured on the primary node, because they are synchronized to all members of the HA group.

Settings                    active-passive HA    standard active-active HA
HA Static Route             Yes                  Yes
HA Policy Route             Yes                  Yes
Load-balancing algorithm    No                   Yes
HA Health Check             No                   Yes

HA Static Route and Policy Route

Unlike the Static Route and Policy Route in System > Network > Route, which are synchronized to all the HA members, the configurations in HA Static Route or HA Policy Route are applied only to this specific member.

This is useful when you want to set a next-hop gateway that is used only for this member and not shared by the HA group. The Reserved Management Interface is typically used together with this feature.

The parameters in this feature are the same as the ones in Static Route and Policy Route in System > Network > Route, so the parameter descriptions are not repeated here. For detailed information on the parameters, refer to Adding a gateway and Creating a policy route.

Static route priority

FortiWeb has three types of static routes: the system static route in network settings, the DHCP route, and the HA static route. Releases earlier than 7.0 do not perform a duplication check, so routes with the same destination may exist. By default, the HA static route has the highest priority. The exception is when you execute config system network-option/set route-priority {system | dhcp} to give the DHCP route the highest priority.

When the route-priority is set as system (default setting), the route priority from the highest to the lowest is:

  • HA static route

  • system static route

  • DHCP route

When the route-priority is set as dhcp, the route priority from the highest to the lowest is:

  • DHCP route

  • HA static route

  • system static route

From 7.0, FortiWeb introduces a route duplication check. The system does not allow two static routes with the same destination, and displays an error message if you add a static route that has the same destination as an existing one. This applies only to system static routes and HA static routes, because DHCP routes are not configured in FortiWeb and therefore cannot be controlled by FortiWeb. After you upgrade to 7.0, existing duplicate static routes are kept as is, but if you ever remove them, you cannot add them back because the system reports a duplication error.
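The following added example (not Fortinet code) models the priority order described above and lists the duplicate destinations that the 7.0 check would refuse to re-add. The route records, field names, and function names are hypothetical, the addresses are constructed, and pooling system and HA static routes for the duplicate check is an assumption about how the check applies.

```python
import ipaddress

# Priority order for each route-priority setting, highest first (from the lists above).
ORDER = {
    "system": ["ha", "system", "dhcp"],
    "dhcp": ["dhcp", "ha", "system"],
}

# Constructed sample routes; "type" is one of "system", "ha", "dhcp".
ROUTES = [
    {"type": "system", "dst": "0.0.0.0/0", "gw": "192.0.2.1"},
    {"type": "ha", "dst": "0.0.0.0/0", "gw": "198.51.100.1"},
    {"type": "dhcp", "dst": "0.0.0.0/0", "gw": "203.0.113.1"},
    {"type": "system", "dst": "10.20.0.0/16", "gw": "192.0.2.254"},
]


def effective_route(routes, destination, route_priority="system"):
    """Return the route that wins for an exact destination, or None."""
    dest = ipaddress.ip_network(destination)
    candidates = [r for r in routes if ipaddress.ip_network(r["dst"]) == dest]
    if not candidates:
        return None
    order = ORDER[route_priority]
    return min(candidates, key=lambda r: order.index(r["type"]))


def pre_upgrade_duplicates(routes):
    """Destinations that appear more than once among system and HA static routes.

    These survive an upgrade to 7.0, but once removed they cannot be added
    back. DHCP routes are excluded because FortiWeb does not control them.
    """
    by_dest = {}
    for r in routes:
        if r["type"] in ("system", "ha"):
            by_dest.setdefault(ipaddress.ip_network(r["dst"]), []).append(r)
    return {str(d): rs for d, rs in by_dest.items() if len(rs) > 1}


if __name__ == "__main__":
    for setting in ("system", "dhcp"):
        winner = effective_route(ROUTES, "0.0.0.0/0", setting)
        print(setting, "->", winner["type"], winner["gw"])
    print("duplicates:", list(pre_upgrade_duplicates(ROUTES)))
```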

Load-balancing algorithm

You might want to change the load-balancing algorithm for a standard active-active HA group. You can change the algorithm by configuring set schedule {ip | leastconnection | round-robin} in the CLI command config system ha. For details, see the FortiWeb CLI Reference:

https://docs.fortinet.com/product/fortiweb/

Note: FortiWeb's Configuring a protection profile for inline topologies is not supported in a standard Active-Active HA deployment when the algorithm By connections or Round-robin is used for load balancing.

HA Health Check

Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Standard Active-Active.

To check whether the server policies are running properly on the HA group, you can configure a server policy health check. The configurations are synchronized to all members in the group. The system sends an HTTP or HTTPS request and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA group member and the back-end server is not available. The system then generates event logs.

You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, then configure a health check on the HA Health Check tab.

FortiWeb only supports checking the health of server policies in the root administrative domain.

To configure an HA Health Check
  1. Go to System > High Availability > Settings > HA Health Check.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Click Create New to create a health check.
  3. Configure these settings:

    Server policy

    Select the server policy for which you want to run the health check.

    HTTPS

    Enable to use the HTTPS protocol for the health check connections with the back-end server. The system uses the HTTP protocol if this option is disabled.

    Client Certificate

    If HTTPS is enabled, you can select a Client Certificate for the connection. This is optional.
    The Client Certificate is imported in Server Objects > Certificates > Local.

    Relationship
    • And: FortiWeb considers the server policy to be responsive when it passes all the tests in the list.
    • Or: FortiWeb considers the server policy to be responsive when it passes at least one of the tests in the list.

  4. Click OK.
  5. In the rule list, do one of the following:
    • To add a rule, click Create New.
    • To modify a rule, select it and click Edit.
  6. Configure these settings:

    URL Path

    Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, /index.html).

    If the web server successfully returns this URL, and its content matches your expression in Matched Content, it is considered to be responsive.

    The maximum length is 127 characters.

    Interval

    Type the number of seconds between each server health check.

    Valid values are 1 to 300. Default value is 10.

    Timeout

    Type the maximum number of seconds that can pass after the server health check. If the web server exceeds this limit, the health check is considered failed.

    Valid values are 1 to 30. Default value is 3.

    Retry Times

    Type the number of times, if any, that FortiWeb retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive.

    Valid values are 1 to 10. Default value is 3.

    Method

    Specify whether the health check uses the HEAD, GET, or POST method.

    Match Type
    • Response Code: If the web server successfully returns the URL specified by URL Path and the code specified by Response Code, FortiWeb considers the server to be responsive.
    • Matched Content: If the web server successfully returns the URL specified by URL Path and its content matches the Matched Content value, FortiWeb considers the server to be responsive.
    • All: If the web server successfully returns the URL specified by URL Path, its content matches the Matched Content value, and it returns the code specified by Response Code, FortiWeb considers the server to be responsive.

    Available only if Configuring HA settings specifically for active-passive and standard active-active modes is HTTP or HTTPS.

    Matched Content

    Enter one of the following values:

    • The exact reply that indicates that the server is available.
    • A regular expression that matches the required reply.

    This value prevents the test from falsely indicating that the server is available when it has actually replied with an error page, such as the one produced by Tomcat when a JSP application is not available.

    To create and test a regular expression, click the >> (test) icon. This opens a Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Available only if Match Type is All or Matched Content.

    Response Code

    Enter the response code that you require the server to return in order to confirm its availability.

    Available only if Match Type is All or Response Code.

  7. Click OK to save the settings and close the rule.
  8. Add any additional tests you want to include in the health check by adding additional rules.
  9. Click OK to save and close the health check.
    The HA Health Check starts running.
  10. In Log&Report > Log Access > Event, use the Action: check-reource filter to check all the event logs of HA Health Check.
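The following added example (not Fortinet code) models how the Match Type, Relationship, and Retry Times settings described above combine, and shows why a Response Code rule alone can report an error page as healthy. The class and function names are hypothetical, the replies are constructed, and matching with Python's re.search is an assumption that may differ from FortiWeb's own regular expression engine.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    match_type: str            # "response-code", "matched-content" or "all"
    response_code: int = 200
    matched_content: str = ""  # treated as a regular expression


@dataclass
class Reply:                   # constructed stand-in for a back-end response
    status: int
    body: str


def rule_passes(rule, reply):
    """Apply one rule's Match Type to a reply; None means the check timed out."""
    if reply is None:
        return False
    code_ok = reply.status == rule.response_code
    content_ok = re.search(rule.matched_content, reply.body) is not None
    if rule.match_type == "response-code":
        return code_ok
    if rule.match_type == "matched-content":
        return content_ok
    return code_ok and content_ok  # "all"


def policy_responsive(rules, replies, relationship="and"):
    """Combine per-rule results: 'and' needs every rule, 'or' needs one."""
    results = [rule_passes(r, rep) for r, rep in zip(rules, replies)]
    return all(results) if relationship == "and" else any(results)


def unresponsive_at(outcomes, retry_times=3):
    """Index of the check where retry_times consecutive failures is reached."""
    streak = 0
    for i, ok in enumerate(outcomes):
        streak = 0 if ok else streak + 1
        if streak >= retry_times:
            return i
    return None


# Constructed replies: a healthy page and an error page served with status 200.
HEALTHY = Reply(200, "<html>status: OK</html>")
ERROR_PAGE = Reply(200, "<html>Application not available</html>")
CODE_RULE = Rule("response-code", 200)
CONTENT_RULE = Rule("matched-content", matched_content=r"status:\s*OK")
ALL_RULE = Rule("all", 200, r"status:\s*OK")
```

With these samples, CODE_RULE accepts ERROR_PAGE while ALL_RULE and CONTENT_RULE reject it, which is the false positive that Matched Content is meant to prevent.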