Using High Availability
Configuring the master configuration IP
If you are configuring the unit as the secondary unit in a config-only group, go to System > High Availability > Configuration to configure the master IP address.
In the Master IP address field, enter the IP of the primary heartbeat network interface of the primary unit. The secondary unit synchronizes only with this primary unit’s IP address.
Configuring the backup options
Go to System > High Availability > Configuration to configure backup options, which appear only when the mode of operation is master or slave.
Table 37:HA backup options
|Backup mail data directories||Synchronize system quarantine, email archives, email users’ mailboxes (server mode only), preferences, and per-recipient quarantines.
Unless the HA cluster stores its mail data on a NAS server, you should configure the HA cluster to synchronize mail directories.
If mail data changes frequently, you can manually initiate a data synchronization when significant changes are complete. For details, see “click HERE to start a configuration/data sync” on page 316.
|Backup MTA queue directories||Synchronize the mail queue of the FortiMail unit. For more information on the mail queue, see “Managing the deferred mail queue” on page 179.
Caution: If the primary unit experiences a hardware failure and you cannot restart it, if Backup MTA queue directories is disabled, MTA queue directory data could be lost.
Note: Enabling Backup MTA queue directories can affect the FortiMail unit’s performance, because periodic synchronization of the mail queue can be processor and bandwidth-intensive. Additionally, because the content of the MTA queue directories is very dynamic, periodically synchronizing MTA queue directories between FortiMail units may not guarantee against loss of all email in those directories. Even if MTA queue directory synchronization is disabled, after a failover, a separate synchronization mechanism may successfully prevent loss of MTA queue data. For details, see “Synchronization of MTA queue directories after a failover” on page 311.
Configuring the advanced options
Go to System > High Availability > Configuration to configure the advanced options. For config-only groups, just the HA base port option appears.
Table 38:HA advanced options
|HA base port||Enter the first of four TCP port numbers that will be used for:
• the heartbeat signal
• synchronization control
• data synchronization
• configuration synchronization
Note: For active-passive groups, in addition to configuring the heartbeat, you can configure service monitoring. For details, see “Configuring service-based failover” on page 328.
Note: In addition to automatic immediate and periodic configuration synchronization, you can also manually initiate synchronization. For details, see “click HERE to start a configuration/data sync” on page 316.
|Heartbeat lost threshold||Enter the total span of time, in seconds, for which the primary unit can be unresponsive before it triggers a failover and the secondary unit assumes the role of the primary unit.
The heartbeat will continue to check for availability once per second. To prevent premature failover when the primary unit is simply experiencing very heavy load, configure a total threshold of three (3) seconds or more to allow the secondary unit enough time to confirm unresponsiveness by sending additional heartbeat signals.
Note: If the failure detection time is too short, the secondary unit may falsely detect a failure when during periods of high load.
Caution: If the failure detection time is too long the primary unit could fail and a delay in detecting the failure could mean that email is delayed or lost. Decrease the failure detection time if email is delayed or lost because of an HA failover.
services as heartbeat
|Enable to use remote service monitoring as a secondary HA heartbeat. If enabled and both the primary and secondary heartbeat links fail or become disconnected, if remote service monitoring still detects that the primary unit is available, a failover will not occur.
Note: The remote service check is only applicable for temporary heartbeat link fails. If the HA process restarts due to system reboot or HA daemon reboot, physical heartbeat connections will be checked first. If the physical connections are not found, the remote service monitoring does not take effect anymore.
Note: Using remote services as heartbeat provides HA heartbeat only, not synchronization. To avoid synchronization problems, you should not use remote service monitoring as a heartbeat for extended periods. This feature is intended only as a temporary heartbeat solution that operates until you reestablish a normal primary or secondary heartbeat link.
Configuring the slave system options
This section appears only when the mode of operations is set to config master under System > High Availability > Configuration.
Table 39:HA peer options
|Slave IP address||Double-click in order to modify, then enter the IP address of the primary network interface on that secondary unit.|
|Create||Click to add a secondary unit to the list of Peer systems, then double-click its IP address.
The primary unit synchronizes only with secondary units in the list of Peer systems.
|Delete||Click the row corresponding to a peer IP address, then click this button to remove that secondary unit from the HA group.|
Storing mail data on a NAS server
For FortiMail units operating in server mode as a config-only HA group, you must store mail data on a NAS server instead of locally. If mail data is stored locally, email users’ messages and other mail data could be scattered across multiple FortiMail units.
Even if your FortiMail units are not operating in server mode with config-only HA, however, storing mail data on a NAS server may have a number of benefits for your organization. For example, backing up your NAS server regularly can help prevent loss of mail data. Also, if your FortiMail unit experiences a temporary failure, you can still access the mail data on the NAS server. When the FortiMail unit restarts, it can usually continue to access and use the mail data stored on the NAS server.
For config-only HA groups using a network attached storage (NAS) server, only the primary unit sends quarantine reports to email users. The primary unit also acts as a proxy between email users and the NAS server when email users use FortiMail webmail to access quarantined email and to configure their own Bayesian filters.
For a active-passive HA groups, the primary unit reads and writes all mail data to and from the NAS server in the same way as a standalone unit. If a failover occurs, the new primary unit uses the same NAS server for mail data. The new primary unit can access all mail data that the original primary unit stored on the NAS server. So if you are using a NAS server to store mail data, after a failover, the new primary unit continues operating with no loss of mail data.
If the FortiMail unit is a member of an active-passive HA group, and the HA group stores mail data on a remote NAS server, disable mail data synchronization to prevent duplicate mail data traffic. For details, see “Backup mail data directories” on page 323.
For instructions on storing mail data on a NAS server, see “Selecting the mail data storage location” on page 376.
Configuring interface monitoring
In active-passive HA mode, Interface monitor checks the local interfaces on the primary unit. If a malfunctioning interface is detected, a failover will be triggered.
To configure interface monitoring
- Go to System > High Availability > Configuration.
- Select master or slave as the mode of operation.
- Expand the Interface area, if required.
- Click on the port/interface name to configure the interface. For details, see “Configuring the network interfaces” on page 247.
The interface IP address must be different from, but on the same subnet as, the IP addresses of the other heartbeat network interfaces of other members in the HA group.
When configuring other FortiMail units in the HA group, use this value as the:
- Remote peer IP (for active-passive groups)
- Master configuration (for secondary units in config-only groups)
Peer systems (for the primary unit on config-only groups)
- Select a row in the table and click Edit to configure the following HA settings on the interface.
GUI item Description
Port Displays the interface name you’re configuring.
Enable port Enable to monitor a network interface for failure. If the port fails, the primary monitor unit will trigger a failover.
|Heartbeat status||Specify if this interface will be used for HA heartbeat and synchronization.
Do not use this interface for HA heartbeat and synchronization.
Select the primary network interface for heartbeat and synchronization traffic. For more information, see “About the heartbeat and synchronization” on page 307.
This network interface must be connected directly or through a switch to the Primary heartbeat network interface of other members in the HA group.
Select the secondary network interface for heartbeat and synchronization traffic. For more information, see “About the heartbeat and synchronization” on page 307.
The secondary heartbeat interface is the backup heartbeat link between the units in the HA group. If the primary heartbeat link is functioning, the secondary heartbeat link is used for the HA heartbeat. If the primary heartbeat link fails, the secondary link is used for the HA heartbeat and for HA synchronization.
This network interface must be connected directly or through a switch to the Secondary heartbeat network interfaces of other members in the HA group.
Caution: Using the same network interface for both HA synchronization/heartbeat traffic and other network traffic could result in issues with heartbeat and synchronization during times of high traffic load, and is not recommended.
Note: In general, you should isolate the network interfaces that are used for heartbeat traffic from your overall network. Heartbeat and synchronization packets contain sensitive configuration information, are latency-sensitive, and can consume considerable network bandwidth.
|Peer IP address||Enter the IP address of the matching heartbeat network interface of the other member of the HA group.
For example, if you are configuring the primary unit’s primary heartbeat network interface, enter the IP address of the secondary unit’s primary heartbeat network interface.
Similarly, for the secondary heartbeat network interface, enter the IP address of the other unit’s secondary heartbeat network interface.
For information about configuration synchronization and what is not synchronized, see “About the heartbeat and synchronization” on page 307.
This option appears only for active-passive HA.
|Peer IPv6 address||Enter the peer IPv6 address in the active-passive HA group. For IPv6 support, see “About IPv6 Support” on page 244.|
|Virtual IP action||Select whether and how to configure the IP addresses and netmasks of the FortiMail unit whose effective HA mode of operation is currently master.
For example, a primary unit might be configured to receive email traffic through port1 and receive heartbeat and synchronization traffic through port5 and port6. In that case, you would configure the primary unit to set the IP addresses or add virtual IP addresses for port1 of the secondary unit on failover in order to mimic that of the primary unit.
• Ignore: Do not change the network interface configuration on failover, and do not monitor. For details on service monitoring for network interfaces, see “Configuring the network interfaces” on page 247.
• Set: Add the specified virtual IP address and netmask to the network interface on failover. Normally, you will configure your network (MX records, firewall policies, routing and so on) so that clients and mail services use the virtual IP address. Both originating and reply traffic uses the virtual IP address. This option results in the network interface having two IP Addresses: the actual and the virtual. For examples, see “Example: Active-passive HA group in gateway mode” on page 337. In v3.0 MR2 and older releases, the behavior is different — the originating traffic uses the actual IP address, instead of the virtual IP address. For details, see the Fortinet Knowledge Base article at http://kb.fortinet.com.
• Bridge: Include the network interface in the Layer 2 bridge. While the effective HA mode of operation is slave, the interface is deactivated and cannot process traffic, preventing Layer 2 loops. Then, when the effective HA mode of operation becomes master, the interface is activated again and can process traffic. This option appears only if the FortiMail unit is operating in transparent mode. This option is not available for Port1 and the ports not in the bridge group. For information on configuring bridging network interfaces, see “Editing network interfaces” on page 248.
Note: Settings in this section are synchronizable. Configure the primary unit, then synchronize it to the secondary unit. For details, see “click HERE to start a configuration/data sync” on page 316.
|Virtual IP address||Enter the virtual IPv4 address for this interface.|
|Virtual IPv6 address||Enter the virtual IPv6 address for this interface. For IPv6 support, see “About IPv6 Support” on page 244.|
Configuring service-based failover
Go to System > High Availability > Configuration to configure remote service monitoring, local network interface monitoring, and local hard drive monitoring.
HA service monitoring settings are not synchronized and must be configured separately on each primary and secondary unit.
With remote service monitoring, the secondary unit confirms that it can connect to the primary unit over the network using SMTP service, POP service (POP3), and Web service (HTTP) connections. If you configure the HA pair in server mode, the IMAP service can also be checked.
With local network interface monitoring and local hard drive monitoring, the primary unit monitors its own network interfaces and hard drives.
If service monitoring detects a failure, the effective HA operating mode of the primary unit switches to off or failed (depending on the On failure setting) and, if configured, the FortiMail units send HA event alert email, record HA event log messages, and send HA event SNMP traps.A failover then occurs, and the effective HA operating mode of the secondary unit switches to master. For information on the On failure option, see “Configuring the HA mode and group” on page 319. For information on the effective HA operating mode, see “Monitoring the HA status” on page 313.
Remote service monitoring can be effective to configure in addition to, or sometimes as a backup alternative to, the heartbeat. While the heartbeat tests for the general responsiveness of the primary unit, it does not test for the failure of individual services which email users may be using such as POP3 or webmail. The heartbeat also does not monitor for the failure of network interfaces through which non-heartbeat traffic occurs. In this way, configuring remote service monitoring provides more specific failover monitoring. Additionally, if the heartbeat link is briefly disconnected, enabling HA services monitoring can prevent a false failover by acting as a temporary secondary heartbeat. For information on treating service monitoring as a secondary heartbeat, see “Remote services as heartbeat” on page 324.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Others category
For details, see “About administrator account permissions and domains” on page 290.
To configure service monitoring
- Go to System > High Availability > Configuration.
- Select master or slave as the mode of operation.
- Expand the service monitor area, if required.
- Select a row in the table and click Edit to configure it.
- For Remote SMTP, Remote IMAP, Remote POP, and Remote HTTP services, configure the following:
|Enable||Select to enable connection responsiveness tests for SMTP.|
|Name||Displays the service name.|
|Remote IP||Enter the peer IP address.|
|Port||Enter the port number of the peer SMTP service.|
|Timeout||Enter the timeout period for one connection test.|
|Interval||Enter the frequency of the tests.|
|Retries||Enter the number of consecutively failed tests that are allowed before the primary unit is deemed unresponsive and a failover occurs.|
- For interface monitoring and local hard drive monitoring, configure the following:
|Enable||Select to enable local hard drive monitoring. Interface monitoring is enabled when you configure interface monitoring. See “Configuring interface monitoring” on page 325.
Network interface monitoring tests all active network interfaces whose:
• Virtual IP action setting is not Ignore
• Configuring interface monitoring setting is enabled
For details, see “Configuring interface monitoring” on page 325 and “Virtual IP action” on page 328.
|Interval||Enter the frequency of the test.|
|Retries||Specify the number of consecutively failed tests that are allowed before the local interface or hard drive is deemed unresponsive and a failover occurs.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Leave a Reply