FortiWeb high availability (HA)
By default, FortiWeb appliances are each a single, standalone appliance. They operate independently.
If you have purchased more than one, however, you can configure multiple FortiWeb appliances in active-passive, standard active-active, or high volume active-active HA mode. This improves availability so that you can achieve 99.999% service level agreement (SLA) uptimes regardless of, for example, hardware failure or maintenance periods.
|If you have multiple FortiWeb appliances but do not need failover, you can still synchronize the configuration. This can be useful for cloned network environments and externally load-balanced active-active HA. For details, see Replicating the configuration without FortiWeb HA (external HA).
You can use the FortiWeb WCCP feature to create an active-active HA group. You synchronize the members using FortiWeb's configuration synchronization feature so that each member is ready to act as backup if the other appliance is not available. The WCCP server provides load balancing between the HA pair and redirects all traffic to one member if the other member is unavailable. For details, see Example: Using WCCP with multiple FortiWeb appliances.
In Active-Passive HA, one appliance is elected to be the active appliance (also called the primary or main), applying the policies for all connections. The other is a passive standby (also called the secondary), which assumes the role of the active appliance and begins processing connections only if the active appliance fails.
This is an example of an active-passive HA topology.
Standard Active-Active HA
A standard active-active HA group created in Reverse Proxy and True Transparent Proxy modes can consist of up to eight FortiWebs. One of the member appliances will be selected as the primary appliance, while the others are secondary appliances.
The primary appliance in a standard active-active HA group plays the role as the central controller to receive traffic from clients and send the processed traffic to back-end web servers, and vice versa (the traffic shown in green in the following graph). The primary appliance distributes the traffic to all the HA members (including itself) according to the specified load-balancing algorithm so that each FortiWeb appliance performs the security services to protect the traffic (the traffic shown in red in the following graph).
This is an example of a standard active-active HA group:
The primary node uses the following load-balancing algorithms to distribute received traffic over the available HA members:
- By source IP: consistently distribute the traffic coming from a source to the same HA member (the default algorithm).
- By connections: dynamically distribute traffic to a member who has the fewest connections processing.
- Round-Robin: distribute traffic among the available members in a circular order.
All the HA members, including the primary appliance, are the candidates for the algorithms, unless failure is detected on any of them. Traffic distribution is based on TCP/UDP sessions, which means once the first packet of a TCP/UDP session is assigned to a member, the subsequent packets of the session will be consistently distributed to the same appliance during a time period. For more details, see FortiWeb high availability (HA) .
Although algorithm By source IP distribute the subsequent traffic coming from the same source IP address to a fix HA member, it performs weighted round-robin to determine the member for the first packet coming from the IP address. You can configure the weights between the members through the CLI command
If a secondary failure is detected, the secondary appliance will be ignored by the primary for its traffic distribution. If the primary fails, one of the secondary appliances will take it over as a primary immediately (see How HA chooses the active appliance).
Once the primary appliance fails and a secondary takes it over, subsequent traffic of all sessions that have been established for longer than 30 seconds will be transferred to the new primary for distribution (those sessions distributed to the original primary appliance by itself are not included, since the original primary lost them while it failed). To distribute the original sessions in the original way, the new primary has to know how they are mapped. To provide a seamless takeover for this, a primary appliance must maintain the mapping information (called session information as well) for all the sessions and synchronize it to all the other HA members all the time, so that when a secondary becomes the primary the subsequent traffic of the original sessions can be destined to where they were.
Although session synchronization in active-active HA guarantees a seamless takeover, it brings extra CPU and bandwidth consumption as well. The session synchronization is disabled by default, and you can enable it through the CLI command
High volume active-active HA
A high volume active-active HA group can be created in Reverse Proxy operation mode and supports up to eight FortiWebs. One of the member appliances will be selected as the primary appliance, while the others are secondary appliances (see How HA chooses the active appliance).
In high volume active-active mode, one or more unique virtual IPs are attached to each member. The traffic destined to the virtual IPs is directed to the corresponding member. Once this member is down, its backup appliance can take over the traffic to the virtual IPs.
Unlike the standard active-active HA mode where the primary acts as a traffic distributor, the members in high volume active-active mode don't reply on the primary to distribute traffic, instead, they can directly receive traffic from the clients and process the traffic independently. It significantly increases the traffic throughput of the HA group.
This is an example of a high volume active-active HA group: