Using high availability (HA)
Go to System > High Availability to configure the FortiMail unit to act as a member of a high availability (HA) cluster in order to increase processing capacity or availability.
For the general procedure of how to enable and configure HA, see “How to use HA” on page 312.
This section contains the following topics:
- About high availability
- About the heartbeat and synchronization
- About logging, alert email and SNMP in HA
- How to use HA
- Monitoring the HA status
- Configuring the HA mode and group
- Configuring service-based failover
- Example: Failover scenarios
- Example: Active-passive HA group in gateway mode
About high availability
FortiMail units can operate in one of two HA modes, active-passive or config-only.
Table 31:Comparison of HA modes
|Active-passive HA||Config-only HA|
|2 FortiMail units in the HA group||2-25 FortiMail units in the HA group|
|Typically deployed behind a switch||Typically deployed behind a load balancer|
|Both configuration* and data synchronized||Only configuration* synchronized|
|Only primary unit processes email||All units process email|
Table 31:Comparison of HA modes
|No data loss when hardware fails||Data loss when hardware fails|
|Failover protection, but no increased processing capacity||Increased processing capacity, but no failover protection|
* For exceptions to synchronized configuration items, see “Configuration settings that are not synchronized” on page 309.
Figure 126:Active-passive HA group operating in gateway mode
Figure 127:Config-only HA group operating in gateway mode
If the config-only HA group is installed behind a load balancer, the load balancer stops sending email to failed FortiMail units. All sessions being processed by the failed FortiMail unit must be restarted and will be re-directed by the load balancer to other FortiMail units in the config-only HA group.
You can mix different FortiMail models in the same HA group. However, all units in the HA group must have the same firmware version.
Communications between HA cluster members occur through the heartbeat and synchronization connection. For details, see “About the heartbeat and synchronization” on page 307.
To configure FortiMail units operating in HA mode, you usually connect only to the primary unit (master). The primary unit’s configuration is almost entirely synchronized to secondary units (slave), so that changes made to the primary unit are propagated to the secondary units.
Exceptions to this rule include connecting to a secondary unit in order to view log messages recorded about the secondary unit itself on its own hard disk, and connecting to a secondary unit to configure settings that are not synchronized. For details, see “Configuration settings that are not synchronized” on page 309.
To use FortiGuard Antivirus or FortiGuard Antispam with HA, license all FortiMail units in the cluster. If you license only the primary unit in an active-passive HA group, after a failover, the secondary unit cannot connect to the FortiGuard Antispam service. For FortiMail units in a config-only HA group, only the licensed unit can use the subscription services.
For instructions of how to enable and configure HA, see “How to use HA” on page 312.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos