High Availability – FortiBalancer

5.2 HA Basics

5.2.1 HA Domain and Unit

The HA domain comprises a group of appliances that provide the HA function. The appliances in the HA domain are called units. Each HA domain can comprise a maximum of 32 units.

5.2.2 Floating IP Group

Active/Standby service failover on a unit is usually achieved by using a floating IP address. The same floating IP address can be defined on multiple units, but it can be in the “Active” state on only one unit at a time.

To ensure the consistency and flexibility of service failover, HA technology groups the floating IP addresses and switches them by group. Floating IP addresses can be switched only after they are added to a floating IP group. At any given moment, all floating IP addresses in the same floating IP group have the same status. This status is also called the status of the floating IP group.

The status of a floating IP group is determined by the group priority, the failover mode, and the results of the health checks related to the group. After the floating IP group is configured correctly, the HA module checks the running environment of the group based on the configured health check conditions. Based on the health check results, the group status can be one of the following two types:

  • Active/Standby: The results of all health checks related to the group are “Up”, indicating the group is ready to provide services. In this case, the group status is “Active” or “Standby”. If the group status is “Active”, this unit will obtain all the floating IP addresses of the group and provide services. If the group status is “Standby”, this unit will provide backup for services and will take over services in case of service failover.
  • Init: Initial group status. If the result of any health check related to the group is “Down”, the group status is “Init”, which indicates that this unit is not qualified to provide the services of the group. Even if service failover occurs on the group, this unit cannot take over services.

Note: When the group status is “Init”, check the group configurations or the health check results to make the group status change to “Active” or “Standby” so that the unit will provide services or backup for services.

On one unit, multiple floating IP groups can be configured. The status of each group is independent of the others. If all groups on a unit need to be switched over together, the “Unit_Failover” mode (see the section “Failover Rules”) is required.

Floating IP addresses are configured by using the “ha group fip” or “ha group fiprange” command. For details, please see the FortiBalancer 8.4 CLI Reference.

5.2.3 Group Failover Mode

The HA function supports two group failover modes: non-preempt and preempt modes.

When a floating IP group is enabled on multiple units:

  • If the non-preempt mode is enabled, the group status on the local unit will not change until a failover occurs.
  • In the preempt mode, if the group priority on the local unit is higher than those of all peer units, the group status on the local unit will be forcibly switched to “Active”. If the group status on a peer unit was “Active” before this, its group status will be forcibly switched to “Standby”.
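
The following Python model is an added illustration, not FortiBalancer code; it replays the status rules from sections 5.2.2 and 5.2.3 for one floating IP group on two units. The unit names, the health check name `port1_link`, the "larger number means higher priority" convention, and the rule that the highest-priority ready unit takes the group when no unit holds it are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Member:
    """One unit's view of a floating IP group (names are hypothetical)."""
    unit: str
    priority: int            # assumption: larger number = higher priority
    checks: dict             # health check name -> "Up" or "Down"
    status: str = "Init"     # status carried over from the previous round

def resolve(members, preempt):
    """Compute the group status on every unit for one evaluation round."""
    # Any "Down" health check leaves the unit in "Init": it cannot take over.
    ready = [m for m in members if all(r == "Up" for r in m.checks.values())]
    result = {m.unit: "Init" for m in members}
    if not ready:
        return result
    ranked = sorted(ready, key=lambda m: m.priority, reverse=True)
    top = ranked[0]
    strictly_highest = len(ranked) == 1 or top.priority > ranked[1].priority
    holder = next((m for m in ready if m.status == "Active"), None)
    # Non-preempt: the current Active unit keeps the group until it fails.
    # Preempt: a unit whose priority beats all qualified peers takes the group.
    # Assumption: with no Active holder, the highest-priority ready unit wins.
    if holder is None or (preempt and strictly_highest):
        active = top
    else:
        active = holder
    for m in ready:
        result[m.unit] = "Active" if m is active else "Standby"
    return result

def run_scenario(preempt):
    """Constructed scenario: start-up, unit-a check fails, unit-a recovers."""
    a = Member("unit-a", 200, {"port1_link": "Up"})
    b = Member("unit-b", 100, {"port1_link": "Up"})
    history = []
    for a_check in ("Up", "Down", "Up"):
        a.checks["port1_link"] = a_check
        result = resolve([a, b], preempt)
        a.status, b.status = result["unit-a"], result["unit-b"]
        # Invariant from the page: at most one unit is Active at a time.
        assert list(result.values()).count("Active") <= 1
        history.append(result)
    return history

if __name__ == "__main__":
    for mode in (False, True):
        print("preempt" if mode else "non-preempt", run_scenario(mode))
```

The two modes differ only in the last round: after unit-a recovers, non-preempt leaves the group on unit-b, while preempt moves it back to unit-a.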

5.2.4 Floating MAC

The HA function supports the floating MAC function. With this function enabled, the floating MAC address (configured by using the command “ha floatmac mac”) is switched to the interface of the new unit on which the group status is “Active”. In this way, after a group status switch, the clients will not be aware that the appliance providing the application services has changed, because the MAC address of the appliance providing the application services is the same before and after the switch.

Note:

  • By default, the floating MAC function is disabled. Before this function is enabled, the HA function must be first disabled by executing the command “ha off”.
  • The parameter “interface_name” in the command “ha floatmac mac” determines that the floating MAC function takes effect on the floating IP group with which the interface is associated. The floating MAC addresses configured for different floating IP groups cannot be the same.

5.2.5 HA Deployment Scenarios

The HA function can be deployed flexibly. Besides the Active/Active and Active/Standby deployment scenarios, the HA function can be deployed among multiple appliances to achieve mutual-backup.

  • Active/Active deployment scenario: The HA domain comprises two units. On each unit, there are both “Active” floating IP groups and “Standby” floating IP groups; a group that is “Active” on one unit is “Standby” on the peer unit, and a group that is “Standby” on one unit is “Active” on the peer unit.
  • Active/Standby deployment scenario: The HA domain comprises two units; the status of all floating IP groups is “Active” on one unit and “Standby” on the other unit.
  • When the HA function is deployed among multiple appliances to achieve mutual-backup, the HA domain comprises multiple units to provide services or backup for services. Among these scenarios, the “N+1” deployment scenario is the most common one. In the “N+1” deployment scenario, the HA domain comprises N+1 units. Among these units, the group status on N units is “Active” for all groups, and the group status on the remaining unit is “Standby” for all groups.

