Fortinet black logo

Administration Guide

Synchronization

Synchronization

The configurations of the active (or primary ) node is automatically synchronized to all the members in the HA group. Synchronization ensures that all appliances in the group remain ready to process traffic, even if you only change one of the appliances. Synchronization traffic uses TCP on port number 6010 and a reserved IP address.

Configurations synchronized by HA

HA group uses the heartbeat link to automatically synchronize most of their configuration. Synchronization includes:

  • Core CLI-style configuration file (FortiWeb_system.conf)
  • X.509 certificates, certificate request files (CSR), and private keys
  • HTTP error pages
  • FortiGuard IP Reputation Service database
  • FortiGuard Security Service files (attack signatures, predefined data types & suspicious URLs, known web crawlers & content scrapers, global allow list, vulnerability scan signatures)
  • FortiGuard Antivirus signatures
  • Geography-to-IP database

and occurs immediately when an appliance joins the group, and thereafter every 30 seconds.

Although they are not automatically synchronized for performance reasons due to large size and frequent updates, you can manually force HA to synchronize. For instructions, see execute ha synchronize in the FortiWeb CLI Reference (HTTPs://docs.fortinet.com/product/fortiweb/).

If you do not want to configure HA (perhaps you have a separate network appliance implementing HA externally), you can still replicate the FortiWeb’s configuration on another FortiWeb appliance. For details, see Replicating the configuration without FortiWeb HA (external HA)
Configuration comparing tool

HA Diff tool is introduced to compare the configuration difference between the primary and secondary nodes.

If the HA devices are not synchronized as expected, there will be a "Not sync" icon at the top right corner of the Web UI of the primary device.

By clicking the "Not sync" icon, you will see a page displayed showing the configuration differences between the primary and the secondary device. If you have more than one secondary devices which are all not synchronized with the primary device, this tool will show the differences with the secondary devices one by one. After you fix the difference with the first seconday device, it will then show the difference with the next secondary device, and so on.

Data that is not synchronized by HA

In addition to the HA configuration, some data is also not synchronized.

  • FortiWeb HTTP sessionsFortiWeb appliances can use cookies to add and track its own sessions, functionality that is not inherently provided by HTTP. For details, see HTTP sessions & security. This state-tracking data corresponds in a 1:1 ratio to request volume, and therefore can change very rapidly. To minimize the performance impact on an HA group, this data is not synchronized.

Failover will not break web applications’ existing sessions, which do not reside on the FortiWeb, and are not the same thing as FortiWeb’s own HTTP sessions. The new active appliance will allow existing web application sessions to continue. For details, see FortiWeb sessions vs. web application sessions.

FortiWeb sessions are used by some FortiWeb features. After a failover, these features may not work, or may work differently, for existing sessions. (New sessions are not affected.) See the description for each setting that uses session cookies. For details, see Sessions & FortiWeb HA.

Note: All sessions that are shorter than 30 seconds will not be synchronized. Only sessions that have been established for longer than 30 seconds will be synchronized.

  • SSL/TLS sessions—HTTPS connections are stateful in that they must be able to remember states such as the security associations from the SSL/TLS handshake: the mutually supported cipher suite, the agreed parameters, and any certificates involved. Encryption and authentication in SSL/TLS cannot function without this. However, a new primary FortiWeb’s lack of existing HTTPS session information is gracefully handled by re-initializing the SSL/TLS session with the client.This does not impact to the encapsulated HTTP application, has only an initial failover impact during re-negotiation, and therefore is not synchronized.
  • Log messages—These describe events that happened on that specific appliance. After a failover, you may notice that there is a gap in the original active appliance’s log files that corresponds to the period of its downtime. Log messages created during the time when the standby was acting as the active appliance (if you have configured local log storage) are stored there, on the original standby appliance. For details about configuring local log storage, see Configuring logging.
  • Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports also describe events that happened on that specific appliance. As such, report settings are synchronized, but report output is not. For details about this feature, see Reports.
  • Machine learning data—Machine learning database is synchronized from the primary node to the secondary node in Active-Passive mode. The data is synchronized every 10 minutes.
    In Active-Active mode, only machine learning Anomaly Detection database is synchronized. Bot Detection and API Protection database is not synchronized.

Configuration settings that are not synchronized by HA

All configuration settings on the active FortiWeb are synchronized to the standby or secondary FortiWeb except these settings:

Host name The host name distinguishes each member of the FortiWeb HA group. For details, see Changing the FortiWeb appliance’s host name.
Network interfaces

(Reverse Proxy or Offline Protection mode only)

or

Bridge

(True Transparent Proxy or Transparent Inspection mode only)

In Active-Passsive mode, only the FortiWeb appliance acting as the main appliance, actively scanning web traffic, is configured with IP addresses on its network interfaces (or bridge). The standby appliance only uses the configured IP addresses if a failover occurs, and the standby appliance therefore assumes the role of the main appliance.

In standard Active-Active mode, all the group members actively scan web traffic. The IP address configured for the primary appliance is synchronized to and used by all the group members.

In high volume Active-Active mode, the IPv4 and IPv6 addresses configured for the interfaces on each appliance are not synchronized.

For details, see Configuring the network interfaces or Configuring a bridge (V-zone).

If you have configured reserved management ports for an HA member, that configuration, including administrative access and other settings, is not synchronized.

Firewall

In high volume Active-Active mode, the firewall settings configured in System > Firewall are not synchronized.

In Active-Passive and standard Active-Active modes, the firewall settings are synchronized to all members.

Static Route/Policy Route

In high volume Active-Active mode, the static route and policy route configured in System > Network > Route are not synchronized.

In Active-Passive and standard Active-Active modes, these settings are synchronized to all members.

HA Static Route/HA Policy Route

The HA static route and policy route configured in System > High Availability > Settings > HA Static Route/ System > High Availability > Settings > HA Policy Route are not synchronized to all HA members.

HA static route and policy route are only available in Active-Passive and standard Active-Active modes.

RAID level RAID settings are hardware-dependent and determined at boot time by looking at the drives (for software RAID) or the controller (hardware RAID), and are not stored in the system configuration. Therefore, they are not synchronized. For details, see RAID level & disk statuses.
HA active status and priority The HA configuration, which includes FortiWeb high availability (HA) , is not synchronized because this configuration must be different on the primary and secondary appliances.

Synchronization

Synchronization

The configurations of the active (or primary ) node is automatically synchronized to all the members in the HA group. Synchronization ensures that all appliances in the group remain ready to process traffic, even if you only change one of the appliances. Synchronization traffic uses TCP on port number 6010 and a reserved IP address.

Configurations synchronized by HA

HA group uses the heartbeat link to automatically synchronize most of their configuration. Synchronization includes:

  • Core CLI-style configuration file (FortiWeb_system.conf)
  • X.509 certificates, certificate request files (CSR), and private keys
  • HTTP error pages
  • FortiGuard IP Reputation Service database
  • FortiGuard Security Service files (attack signatures, predefined data types & suspicious URLs, known web crawlers & content scrapers, global allow list, vulnerability scan signatures)
  • FortiGuard Antivirus signatures
  • Geography-to-IP database

and occurs immediately when an appliance joins the group, and thereafter every 30 seconds.

Although they are not automatically synchronized for performance reasons due to large size and frequent updates, you can manually force HA to synchronize. For instructions, see execute ha synchronize in the FortiWeb CLI Reference (HTTPs://docs.fortinet.com/product/fortiweb/).

If you do not want to configure HA (perhaps you have a separate network appliance implementing HA externally), you can still replicate the FortiWeb’s configuration on another FortiWeb appliance. For details, see Replicating the configuration without FortiWeb HA (external HA)
Configuration comparing tool

HA Diff tool is introduced to compare the configuration difference between the primary and secondary nodes.

If the HA devices are not synchronized as expected, there will be a "Not sync" icon at the top right corner of the Web UI of the primary device.

By clicking the "Not sync" icon, you will see a page displayed showing the configuration differences between the primary and the secondary device. If you have more than one secondary devices which are all not synchronized with the primary device, this tool will show the differences with the secondary devices one by one. After you fix the difference with the first seconday device, it will then show the difference with the next secondary device, and so on.

Data that is not synchronized by HA

In addition to the HA configuration, some data is also not synchronized.

  • FortiWeb HTTP sessionsFortiWeb appliances can use cookies to add and track its own sessions, functionality that is not inherently provided by HTTP. For details, see HTTP sessions & security. This state-tracking data corresponds in a 1:1 ratio to request volume, and therefore can change very rapidly. To minimize the performance impact on an HA group, this data is not synchronized.

Failover will not break web applications’ existing sessions, which do not reside on the FortiWeb, and are not the same thing as FortiWeb’s own HTTP sessions. The new active appliance will allow existing web application sessions to continue. For details, see FortiWeb sessions vs. web application sessions.

FortiWeb sessions are used by some FortiWeb features. After a failover, these features may not work, or may work differently, for existing sessions. (New sessions are not affected.) See the description for each setting that uses session cookies. For details, see Sessions & FortiWeb HA.

Note: All sessions that are shorter than 30 seconds will not be synchronized. Only sessions that have been established for longer than 30 seconds will be synchronized.

  • SSL/TLS sessions—HTTPS connections are stateful in that they must be able to remember states such as the security associations from the SSL/TLS handshake: the mutually supported cipher suite, the agreed parameters, and any certificates involved. Encryption and authentication in SSL/TLS cannot function without this. However, a new primary FortiWeb’s lack of existing HTTPS session information is gracefully handled by re-initializing the SSL/TLS session with the client.This does not impact to the encapsulated HTTP application, has only an initial failover impact during re-negotiation, and therefore is not synchronized.
  • Log messages—These describe events that happened on that specific appliance. After a failover, you may notice that there is a gap in the original active appliance’s log files that corresponds to the period of its downtime. Log messages created during the time when the standby was acting as the active appliance (if you have configured local log storage) are stored there, on the original standby appliance. For details about configuring local log storage, see Configuring logging.
  • Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports also describe events that happened on that specific appliance. As such, report settings are synchronized, but report output is not. For details about this feature, see Reports.
  • Machine learning data—Machine learning database is synchronized from the primary node to the secondary node in Active-Passive mode. The data is synchronized every 10 minutes.
    In Active-Active mode, only machine learning Anomaly Detection database is synchronized. Bot Detection and API Protection database is not synchronized.

Configuration settings that are not synchronized by HA

All configuration settings on the active FortiWeb are synchronized to the standby or secondary FortiWeb except these settings:

Host name The host name distinguishes each member of the FortiWeb HA group. For details, see Changing the FortiWeb appliance’s host name.
Network interfaces

(Reverse Proxy or Offline Protection mode only)

or

Bridge

(True Transparent Proxy or Transparent Inspection mode only)

In Active-Passsive mode, only the FortiWeb appliance acting as the main appliance, actively scanning web traffic, is configured with IP addresses on its network interfaces (or bridge). The standby appliance only uses the configured IP addresses if a failover occurs, and the standby appliance therefore assumes the role of the main appliance.

In standard Active-Active mode, all the group members actively scan web traffic. The IP address configured for the primary appliance is synchronized to and used by all the group members.

In high volume Active-Active mode, the IPv4 and IPv6 addresses configured for the interfaces on each appliance are not synchronized.

For details, see Configuring the network interfaces or Configuring a bridge (V-zone).

If you have configured reserved management ports for an HA member, that configuration, including administrative access and other settings, is not synchronized.

Firewall

In high volume Active-Active mode, the firewall settings configured in System > Firewall are not synchronized.

In Active-Passive and standard Active-Active modes, the firewall settings are synchronized to all members.

Static Route/Policy Route

In high volume Active-Active mode, the static route and policy route configured in System > Network > Route are not synchronized.

In Active-Passive and standard Active-Active modes, these settings are synchronized to all members.

HA Static Route/HA Policy Route

The HA static route and policy route configured in System > High Availability > Settings > HA Static Route/ System > High Availability > Settings > HA Policy Route are not synchronized to all HA members.

HA static route and policy route are only available in Active-Passive and standard Active-Active modes.

RAID level RAID settings are hardware-dependent and determined at boot time by looking at the drives (for software RAID) or the controller (hardware RAID), and are not stored in the system configuration. Therefore, they are not synchronized. For details, see RAID level & disk statuses.
HA active status and priority The HA configuration, which includes FortiWeb high availability (HA) , is not synchronized because this configuration must be different on the primary and secondary appliances.