5.8 Configuration Examples
The HA function can be deployed in the following typical scenarios:
- Scenario 1: Active/Standby
- Scenario 2: Active/Active
- Scenario 3: N+1
The following sections describe the configuration examples for all the three scenarios.
5.8.1 Scenario 1: Active/Standby
5.8.1.1 Configuration Objectives
The Active/Standby deployment scenario can be used to achieve the following configuration objectives:
- The HA domain contains two HA units, each of which is enabled with the same floating IP group.
- The Floating IP group contains the VIP addresses of two application services.
- Unit 1 provides application services, while unit 2 provides backup for such services. Fast failover is carried out through the FFO link.
The following figure shows the network topology for the preceding configuration objectives.
Figure 5-1 Active/Standby Deployment Scenario
5.8.1.2 Configuration Examples
Ø FortiBalancer1:
- Execute the following commands to complete SLB configurations:
FortiBalancer(config)#slb real tcp “r1” 192.168.100.20 80 65535 tcp 3 3 FortiBalancer(config)#slb real ftp “r2” 192.168.100.21 21 65535 tcp 3 3
FortiBalancer(config)#slb group method “slb_g1” rr
FortiBalancer(config)#slb group method “slb_g2” rr
FortiBalancer(config)#slb group member “slb_g1” “r1” 1 0
FortiBalancer(config)#slb group member “slb_g2” “r2” 1 0
FortiBalancer(config)#slb virtual tcp “v1” 192.168.10.2 80 arp 0
FortiBalancer(config)#slb virtual ftp “v2” 192.168.10.3 21 0
FortiBalancer(config)#slb policy default “v1” “slb_g1”
FortiBalancer(config)#slb policy default “v2” “slb_g2”
FortiBalancer(config)#ip pool p1 192.168.100.2 192.168.100.2
FortiBalancer(config)#ip pool p2 192.168.100.3 192.168.100.3
FortiBalancer(config)#slb proxyip group slb_g1 p1
FortiBalancer(config)#slb proxyip group slb_g2 p2
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521
FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha link network on
FortiBalancer(config)#ha link ffo on
- Execute the following commands to configure floating IP group:
FortiBalancer(config)#ha group id 1
FortiBalancer(config)#ha group fip 1 192.168.10.2 port1
FortiBalancer(config)#ha group fip 1 192.168.10.3 port1
FortiBalancer(config)#ha group fip 1 192.168.100.2 port3
FortiBalancer(config)#ha group fip 1 192.168.100.3 port3
FortiBalancer(config)#ha group priority unit1 1 10
FortiBalancer(config)#ha group priority unit2 1 5
FortiBalancer(config)#ha group preempt on 1
FortiBalancer(config)#ha group enable 1
- (Optional) Execute the following commands to configure health check conditions, taking the health check for gateway and CPU utilization as examples.
FortiBalancer(config)#ha hc gateway unit1 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc gateway unit2 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc cpu utilization 90 5000 3 3
FortiBalancer(config)#ha hc vcondition name vcondition1 V_1 AND
FortiBalancer(config)#ha hc vcondition member vcondition1 GATEWAY_1
FortiBalancer(config)#ha hc vcondition member vcondition1 CPU_UTIL
- (Optional) Execute the following command to add failover rules:
FortiBalancer(config)#ha decision rule vcondition1 Group_Failover 1
- (Optional) Execute the following commands to enable the SSF function:
FortiBalancer(config)#ha ssf peer 192.168.6.2
FortiBalancer(config)#ha ssf on
- (Optional) Execute the following commands to set the configuration synchronization mode:
FortiBalancer(config)#ha synconfig bootup on
FortiBalancer(config)#ha synconfig runtime on
- (Optional) Execute the following command to enable the HA logging function:
FortiBalancer(config)#ha log on
- Execute the following commands to enable the HA function and save the HA configurations to the memory:
FortiBalancer(config)#ha on
FortiBalancer(config)#write memory
Ø FortiBalancer2:
In the Active/Standby scenario, it is recommended to use the FFO link and primary link to synchronize configuration information from the peer unit.
- Execute the following commands to enable the FFO function and the Bootup Synconfig mode:
FortiBalancer(config)#ha link ffo on
FortiBalancer(config)#ha synconfig bootup on
- (Optional) Execute the following commands to enable the SSF function:
FortiBalancer(config)#ha ssf peer 192.168.6.1
FortiBalancer(config)#ha ssf on
- Execute the following command to enable the HA function:
FortiBalancer(config)#ha on
Once the HA function is enabled, unit2 (FortiBalancer2) will join the HA domain. After unit2 joins the HA domain, it first synchronizes configuration information about HA units, FFO link and network links through the FFO link and then synchronizes other configurations through the primary link from unit1 (FortiBalancer1).
5.8.2 Scenario 2: Active/Active
5.8.2.1 Configuration Objectives
The Active/Active deployment scenario can be used to achieve the following configuration objectives:
- The HA domain contains two HA units and provides two floating IP groups.
- Each floating IP group contains the VIP address of one application service.
- Unit1 provides the application service for group1, while unit2 provides the application service for group2. Unit1 and unit2 provide backup for each other.
- Fast failover is carried out through the FFO link.
The following figure shows the network topology for the preceding configuration objectives.
Figure 5-2 Active/Active Deployment Scenario
5.8.2.2 Configuration Examples
Ø FortiBalancer1:
- Execute the following commands to complete SLB configurations:
FortiBalancer(config)#slb real tcp “r1” 192.168.100.20 80 65535 tcp 3 3
FortiBalancer(config)#slb real ftp “r2” 192.168.100.21 21 65535 tcp 3 3
FortiBalancer(config)#slb group method “slb_g1” rr
FortiBalancer(config)#slb group method “slb_g2” rr
FortiBalancer(config)#slb group member “slb_g1” “r1” 1 0
FortiBalancer(config)#slb group member “slb_g2” “r2” 1 0
FortiBalancer(config)#slb virtual tcp “v1” 192.168.10.2 80 arp 0
FortiBalancer(config)#slb virtual ftp “v2” 192.168.10.3 21 0
FortiBalancer(config)#slb policy default “v1” “slb_g1”
FortiBalancer(config)#slb policy default “v2” “slb_g2”
FortiBalancer(config)#ip pool p1 192.168.100.2 192.168.100.2
FortiBalancer(config)#ip pool p2 192.168.100.3 192.168.100.3
FortiBalancer(config)#slb proxyip group slb_g1 p1
FortiBalancer(config)#slb proxyip group slb_g2 p2
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521
FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha link network on
FortiBalancer(config)#ha link ffo on
- Execute the following commands to configure floating IP groups:
FortiBalancer(config)#ha group id 1
FortiBalancer(config)#ha group fip 1 192.168.10.2 port1
FortiBalancer(config)#ha group fip 1 192.168.100.2 port3
FortiBalancer(config)#ha group priority unit1 1 10
FortiBalancer(config)#ha group priority unit2 1 5
FortiBalancer(config)#ha group preempt on 1
FortiBalancer(config)#ha group enable 1
FortiBalancer(config)#ha group id 2
FortiBalancer(config)#ha group fip 2 192.168.10.3 port1
FortiBalancer(config)#ha group fip 2 192.168.100.3 port3
FortiBalancer(config)#ha group priority unit1 2 5
FortiBalancer(config)#ha group priority unit2 2 10
FortiBalancer(config)#ha group preempt on 2
FortiBalancer(config)#ha group enable 2
- (Optional) Execute the following command to configure health check conditions, taking the health check for gateway and CPU utilization as examples.
FortiBalancer(config)#ha hc gateway unit1 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc gateway unit2 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc cpu utilization 90 5000 3 3
FortiBalancer(config)#ha hc vcondition name vcondition1 V_1 AND
FortiBalancer(config)#ha hc vcondition member vcondition1 GATEWAY_1
FortiBalancer(config)#ha hc vcondition member vcondition1 CPU_UTIL
- (Optional) Execute the following command to add failover rules:
FortiBalancer(config)#ha decision rule vcondition1 Unit_Failover
- (Optional) Execute the following commands to enable the SSF function:
FortiBalancer(config)#ha ssf peer 192.168.6.2
FortiBalancer(config)#ha ssf on
- (Optional) Execute the following commands to set the configuration synchronization mode:
FortiBalancer(config)#ha synconfig bootup on
FortiBalancer(config)#ha synconfig runtime on
- (Optional) Execute the following command to enable the HA logging function:
FortiBalancer(config)#ha log on
- Execute the following commands to enable the HA function and save the HA configurations to the memory:
FortiBalancer(config)#ha on FortiBalancer(config)#write memory
Ø FortiBalancer2:
In the Active/Active scenario, it is recommended to use the FFO link and primary link to synchronize configuration information from the peer unit.
- Execute the following commands to enable the FFO function and the Bootup Synconfig mode:
FortiBalancer(config)#ha link ffo on
FortiBalancer(config)#ha synconfig bootup on
- (Optional) Execute the following commands to enable the SSF function:
FortiBalancer(config)#ha ssf peer 192.168.6.1
FortiBalancer(config)#ha ssf on
- Execute the following command to enable the HA function:
FortiBalancer(config)#ha on
Once the HA function is enabled, unit2 (FortiBalancer2) will join the HA domain. After unit2 joins the HA domain, it first synchronizes configuration information about HA units, FFO link and network links through the FFO link and then synchronizes other configurations through the primary link from unit1 (FortiBalancer1).
5.8.3 Scenario 3: N+1
In the N+1 deployment scenario, the HA domain contains N+1 units. On N units, the status of the floating IP groups are all “Active”, while on the remaining one unit, the status of the floating IP groups are all “Standby”. This section will introduce the configuration objectives and examples for the “3+1” deployment scenario.
5.8.3.1 Configuration Objectives
The “3+1” deployment scenario can be used to achieve the following configuration objectives:
- The HA domain contains four HA units and provides three floating IP groups.
- Each floating IP group contains the VIP address of a virtual service.
- Unit1 to unit3 provide the virtual services of group1 to group3 respectively, while unit4 provides backup for unit1 to unit3.
The following figure shows the network topology for the preceding configuration objectives.
Figure 5-3 N+1 Deployment Scenario
5.8.3.2 Configuration Examples
Ø FortiBalancer1:
- Execute the following commands to complete SLB configurations:
FortiBalancer(config)#slb real tcp “r1” 192.168.100.20 80 65535 tcp 3 3
FortiBalancer(config)#slb real ftp “r2” 192.168.100.21 21 65535 tcp 3 3
FortiBalancer(config)#slb real udp “r3” 192.168.100.22 53 65535 3 3 60 icmp
FortiBalancer(config)#slb group method “slb_g1” rr
FortiBalancer(config)#slb group method “slb_g2” rr
FortiBalancer(config)#slb group method “slb_g3” rr
FortiBalancer(config)#slb group member “slb_g1” “r1” 1 0
FortiBalancer(config)#slb group member “slb_g2” “r2” 1 0
FortiBalancer(config)#slb group member “slb_g3” “r3” 1 0
FortiBalancer(config)#slb virtual tcp “v1” 192.168.10.2 80 arp 0
FortiBalancer(config)#slb virtual ftp “v2” 192.168.10.3 21 0
FortiBalancer(config)#slb virtual udp “v3” 192.168.10.4 53 arp 0
FortiBalancer(config)#slb policy default “v1” “slb_g1”
FortiBalancer(config)#slb policy default “v2” “slb_g2”
FortiBalancer(config)#slb policy default “v3” “slb_g3”
FortiBalancer(config)#ip pool p1 192.168.100.2 192.168.100.2 FortiBalancer(config)#ip pool p2 192.168.100.3 192.168.100.3 FortiBalancer(config)#ip pool p3 192.168.100.4 192.168.100.4
FortiBalancer(config)#slb proxyip group slb_g1 p1
FortiBalancer(config)#slb proxyip group slb_g2 p2
FortiBalancer(config)#slb proxyip group slb_g3 p3
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521
FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha unit “unit3” 192.168.6.3 65521
FortiBalancer(config)#ha unit “unit4” 192.168.6.4 65521
FortiBalancer(config)#ha link network secondary unit1 1 192.168.10.11
FortiBalancer(config)#ha link network secondary unit2 1 192.168.10.21
FortiBalancer(config)#ha link network secondary unit3 1 192.168.10.31
FortiBalancer(config)#ha link network secondary unit4 1 192.168.10.41 FortiBalancer(config)#ha link network on
- Execute the following commands to configure floating IP groups:
FortiBalancer(config)#ha group id 1
FortiBalancer(config)#ha group fip 1 192.168.10.2 port1
FortiBalancer(config)#ha group fip 1 192.168.100.2 port3
FortiBalancer(config)#ha group priority unit1 1 200
FortiBalancer(config)#ha group priority unit2 1 100 FortiBalancer(config)#ha group priority unit3 1 50
FortiBalancer(config)#ha group priority unit4 1 150
FortiBalancer(config)#ha group preempt on 1
FortiBalancer(config)#ha group enable 1
FortiBalancer(config)#ha group id 2
FortiBalancer(config)#ha group fip 2 192.168.10.3 port1
FortiBalancer(config)#ha group fip 2 192.168.100.3 port3
FortiBalancer(config)#ha group priority unit1 2 50
FortiBalancer(config)#ha group priority unit2 2 200
FortiBalancer(config)#ha group priority unit3 2 100
FortiBalancer(config)#ha group priority unit4 2 150
FortiBalancer(config)#ha group preempt on 2
FortiBalancer(config)#ha group enable 2
FortiBalancer(config)#ha group id 3
FortiBalancer(config)#ha group fip 3 192.168.10.4 port1
FortiBalancer(config)#ha group fip 3 192.168.100.4 port3
FortiBalancer(config)#ha group priority unit1 3 100
FortiBalancer(config)#ha group priority unit2 3 50
FortiBalancer(config)#ha group priority unit3 3 200
FortiBalancer(config)#ha group priority unit4 3 150
FortiBalancer(config)#ha group preempt on 3
FortiBalancer(config)#ha group enable 3
- (Optional) Execute the following command to configure health check conditions, taking the health check for gateway and CPU utilization as examples.
FortiBalancer(config)#ha hc gateway unit1 192.168.10.1 GATEWAY_1 1000 3 3 FortiBalancer(config)#ha hc gateway unit2 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc gateway unit3 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc gateway unit4 192.168.10.1 GATEWAY_1 1000 3 3
FortiBalancer(config)#ha hc cpu utilization 90 5000 3 3
FortiBalancer(config)#ha hc vcondition name vcondition1 V_1 AND
FortiBalancer(config)#ha hc vcondition member vcondition1 GATEWAY_1
FortiBalancer(config)#ha hc vcondition member vcondition1 CPU_UTIL
- (Optional) Execute the following command to add failover rules:
FortiBalancer(config)#ha decision rule vcondition1 Unit_Failover
- (Optional) Execute the following commands to set the configuration synchronization mode:
FortiBalancer(config)#ha synconfig bootup on
FortiBalancer(config)#ha synconfig runtime on
- (Optional) Execute the following command to enable the HA logging function:
FortiBalancer(config)#ha log on
- Execute the following commands to enable the HA function and save the HA-related configurations to the memory:
FortiBalancer(config)#ha on FortiBalancer(config)#write memory
- FortiBalancer2:
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521
FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha unit “unit3” 192.168.6.3 65521
FortiBalancer(config)#ha unit “unit4” 192.168.6.4 65521
FortiBalancer(config)#ha link network secondary unit1 1 192.168.10.11
FortiBalancer(config)#ha link network secondary unit2 1 192.168.10.21
FortiBalancer(config)#ha link network secondary unit3 1 192.168.10.31
FortiBalancer(config)#ha link network secondary unit4 1 192.168.10.41 FortiBalancer(config)#ha link network on
- Execute the following command to enable the Bootup Synconfig mode:
FortiBalancer(config)#ha synconfig bootup on
- Execute the following command to enable the HA function:
FortiBalancer(config)#ha on
Once the HA function is enabled, unit2 (FortiBalancer2) will join the HA domain and start to synchronize configuration information from unit1 (FortiBalancer1).
- FortiBalancer3:
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521
FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha unit “unit3” 192.168.6.3 65521
FortiBalancer(config)#ha unit “unit4” 192.168.6.4 65521
FortiBalancer(config)#ha link network secondary unit1 1 192.168.10.11
FortiBalancer(config)#ha link network secondary unit2 1 192.168.10.21
FortiBalancer(config)#ha link network secondary unit3 1 192.168.10.31
FortiBalancer(config)#ha link network secondary unit4 1 192.168.10.41 FortiBalancer(config)#ha link network on
- Execute the following command to enable the Bootup Synconfig mode:
FortiBalancer(config)#ha synconfig bootup on
- Execute the following command to enable the HA function:
FortiBalancer(config)#ha on
Once the HA function is enabled, unit3 (FortiBalancer3) will join the HA domain and start to synchronize configuration information from unit1 (FortiBalancer1).
- FortiBalancer4:
- Execute the following commands to configure HA units and links:
FortiBalancer(config)#ha unit “unit1” 192.168.6.1 65521 FortiBalancer(config)#ha unit “unit2” 192.168.6.2 65521
FortiBalancer(config)#ha unit “unit3” 192.168.6.3 65521
FortiBalancer(config)#ha unit “unit4” 192.168.6.4 65521
FortiBalancer(config)#ha link network secondary unit1 1 192.168.10.11
FortiBalancer(config)#ha link network secondary unit2 1 192.168.10.21
FortiBalancer(config)#ha link network secondary unit3 1 192.168.10.31
FortiBalancer(config)#ha link network secondary unit4 1 192.168.10.41 FortiBalancer(config)#ha link network on
- Execute the following command to enable the Bootup Synconfig mode:
FortiBalancer(config)#ha synconfig bootup on
- Execute the following command to enable the HA function:
FortiBalancer(config)#ha on
Once the HA function is enabled, unit4 (FortiBalancer4) will join the HA domain and start to synchronize configuration information from unit1 (FortiBalancer1).
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!