advertisement
Chapter 14: High Availability Deployments
Chapter 14: High Availability Deployments
HA feature overview
This chapter includes the following topics: l l l l l l l l l
Updating firmware for an HA cluster
Deploying an active-passive cluster
Deploying an active-active cluster
Deploying an active-active-VRRP cluster
HA feature overview
FortiADC appliances can be deployed as standalone units or as high availability (HA) clusters.
A cluster is two or more nodes. A node is an instance of the appliance/system. In a cluster, one node is the
primary node, also called the master node. The other members of the cluster are secondary nodes, also called
slave nodes.
The primary node has a special role. It has a one-to-many relationship with member nodes. Both configuration updates and software updates are initiated by the primary node and pushed to member nodes.
The system selects the primary node based on the following criteria: l l l l l l l
Link health (if monitor ports links are down, the node is considered down)
Remote IP monitor health check results
Override setting (prefers priority to uptime)
Most available ports
Highest uptime value
Lowest device priority number (1 has greater priority than 2)
Highest-sorting serial number—Serial numbers are sorted by comparing each character from left to right, where 9 and z are the greatest values. The system gives preference to higher values over lower values.
HA solutions depend on two types of communication among cluster members: l l
Synchronization—During initialization, the primary node pushes its configuration (with noted exceptions) to member nodes. After initialization has completed, the nodes synchronize their session tables.
Heartbeats—A cluster node indicates to other nodes in the cluster that it is up and available. The absence of heartbeat traffic indicates the node is not up and is unavailable.
There are three types of HA clusters: l
Active-Passive—Only the primary node is active, so it is the only node that receives traffic from adjacent routers.
Typically, there is one other node that is in standby mode. It assumes active status if the primary node undergoes
335 FortiADC D-Series Handbook
Fortinet Technologies, Inc.
HA feature overview Chapter 14: High Availability Deployments l l maintenance or otherwise becomes unavailable.
Active-Active—All nodes receive traffic. Active-Active deployments support load balancing and failover among up to eight cluster members.
Active-Active-VRRP —FortiADC's Active-Active-VRRP mode uses a VRRP-like protocol, and can function in both
HA Active-Passive mode and HA Active-Active mode, depending on the number of traffic groups used in the configuration. When only one traffic group is used, it actually functions in Active-Passive mode; when two or more traffic groups are used, it works in Active-Active mode.
In an Active-Passive cluster, only the management IP address for the primary node is active. In an active-passive cluster, you can log into a node only when it has primary node status and its IP address is active. To access the user interface of an appliance in standby status (the active-passive slave), you must use a console port connection.
In an Active-Active cluster, the IP addresses for all interfaces are unique, including the management interface.
When the appliance is in standalone mode, the physical port IP address is active; when it is in HA mode, the address assigned to it in the HA node IP list address is active. You can log into any node using the active IP address for its management port.
In an Active-Active-VRRP cluster, FortiADC uses hbdev for members status communication. It also allows you to configure sync+session, persistence sync, and image sync functions via hbdev and dataport, which is essentially the same as the HA-AA/AP mode. Note that FortiADC is unable to communicate with third-party VRRP devices because it actually doesn't use the VRRP protocol at all.
Tip: You can use the execute ha manage command to log into the console of a member node. See the CLI reference.
shows an active-passive cluster in a single network path. In an active-passive cluster, the primary node is the active node that handles all traffic. In the event that the primary node experiences hardware failure or system maintenance, failover takes place. In failover, the standby node becomes the primary node and processes the traffic that is forwarded along the network path. The new primary node sends gratuitous ARP to notify the network to direct traffic for the virtual MAC addresses (vMAC) to its network interfaces. It takes the IP addresses of the unresponsive node.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
336
Chapter 14: High Availability Deployments
Figure 59: Basic active-passive cluster
HA feature overview
337
shows an active-passive cluster in a redundant path. A topology like this is a best practice because it is fully redundant, with no single point of failure. If the gateway, load balancer, or switch were to fail, the failover path is chosen.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
HA feature overview
Figure 60: Redundant path active-passive cluster
Chapter 14: High Availability Deployments
shows an active-active cluster. An active-active cluster supports load-balancing and failover among up to eight member nodes. The routers on either side of the cluster must be configured to use equal cost multipath
(ECMP) to distribute traffic to the FortiADC cluster nodes. All nodes actively receive and forward traffic.
The primary node has a special role. It handles all FTP and firewall traffic, and it acts as the failover node for all of the other nodes in the cluster.
The failover mechanism is the same as an active-passive deployment, with the primary node acting as the standby node for all other cluster members. If a member node fails, the primary node takes the IP addresses of the unresponsive node and notifies the network via ARP to redirect traffic for that vMAC to its own network interfaces. For example, in
Figure 61 , node1 is the primary node. If node2 were to fail, its traffic would failover to
node1. If node3 were to fail, its traffic would also failover to node1. If the primary node were to fail, a new primary node would be elected, and it would function as the master in all respects, including its role as the new standby node for failover from all other cluster members.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
338
advertisement
advertisement
Table of contents
- 13 Features
- 13 Basic network topology
- 14 Scope
- 16 FortiADC 4.6.1
- 16 FortiADC 4.6.0
- 18 FortiADC 4.5.3
- 18 FortiADC 4.5.2
- 18 FortiADC 4.5.1
- 19 FortiADC 4.5.0
- 20 FortiADC 4.4.0
- 21 FortiADC 4.3.1
- 21 FortiADC 4.3.1
- 22 FortiADC 4.3.0
- 23 FortiADC 4.2.3
- 23 FortiADC 4.2.1
- 23 FortiADC 4.2.0
- 24 FortiADC 4.1
- 24 FortiADC 4.0 Patch 2
- 24 FortiADC 4.0 Patch 1
- 24 FortiADC 4.0
- 25 FortiADC 3.2.0
- 25 FortiADC 3.1.0
- 26 FortiADC 3.0.0
- 26 FortiADC 2.1.0
- 27 Server load balancing
- 27 Feature Summary
- 28 Authentication
- 28 Caching
- 29 Compression
- 29 Content rewriting
- 29 Content routing
- 29 Scripting
- 29 SSL transactions
- 30 Link load balancing
- 30 Global load balancing
- 30 Security
- 30 High availability
- 31 Virtual domains
- 32 Step 1: Install the appliance
- 33 Step 2: Configure the management interface
- 36 Step 3: Configure basic network settings
- 40 Step 4: Test connectivity to destination servers
- 40 Step 5: Complete product registration, licensing, and upgrades
- 42 Step 6: Configure a basic server load balancing policy
- 45 Step 7: Test the deployment
- 48 Step 8: Back up the configuration
- 50 Server load balancing basics
- 53 Server load balancing configuration overview
- 56 Configuring real server SSL profiles
- 61 Using real server pools
- 61 Configuring real server pools
- 66 Example: Using port ranges and the port 0 configuration
- 67 Configuring persistence rules
- 73 Configuring content routes
- 75 Using content rewriting rules
- 75 Overview
- 76 Configuring content rewriting rules
- 78 Example: Redirecting HTTP to HTTPS
- 86 Example: Rewriting the HTTP response when using content routing
- 88 Example: Rewriting the HTTP request and response to mask application details
- 90 Example: Rewriting the HTTP request to harmonize port numbers
- 91 Configuring compression rules
- 93 Using caching features
- 93 Static caching
- 95 Dynamic caching
- 95 Configuring caching rules
- 97 Configuring Application profiles
- 121 Configuring error pages
- 121 Using source pools
- 122 Configuring source pools
- 124 Example: DNAT
- 125 Example: full NAT
- 126 Example: NAT46 (Layer 4 virtual servers)
- 128 Example: NAT64 (Layer 4 virtual servers)
- 130 Example: NAT46 (Layer 7 virtual servers)
- 132 Example: NAT64 (Layer 7 virtual servers)
- 133 Configuring auth policies
- 135 Configuring methods
- 136 Configuring an L2 exception list
- 137 Using the Web Category tab
- 138 Creating a Web Filter Profile configuration
- 138 Configuring virtual servers
- 144 TCP multiplexing
- 145 Using scripts
- 146 Create a script object
- 146 Import a script
- 146 Export a script
- 147 Delete a script
- 148 Link load balancing basics
- 148 Using link groups
- 149 Using virtual tunnels
- 151 Link load balancing configuration overview
- 153 Configuring gateway links
- 154 Configuring persistence rules
- 156 Configuring proximity route settings
- 158 Configuring a link group
- 160 Configuring a virtual tunnel group
- 162 Configuring link policies
- 164 Global load balancing basics
- 166 Global load balancing configuration overview
- 168 Configuring servers
- 171 Configuring a global load balance link
- 172 Configuring data centers
- 173 Configuring hosts
- 174 Configuring virtual server pools
- 176 Configuring dynamic proximity
- 177 Configuring persistence
- 178 Configuring an address group
- 179 Configuring remote DNS servers
- 180 Configuring the DSSET list
- 180 Configuring DNS zones
- 184 Configuring DNS64
- 185 Configuring the response rate limit
- 186 onfiguring a Global DNS policy
- 187 Configuring general settings
- 189 Configuring the trust anchor key
- 190 Security features basics
- 190 Managing IP Reputation policy settings
- 192 Configure IP reputation exception
- 193 Using the Geo IP block list
- 194 Using the Geo IP whitelist
- 195 Enabling denial of service protection
- 196 Configuring a firewall policy
- 197 Configuring the firewall connection limit
- 199 Web application firewall basics
- 200 Web application firewall configuration overview
- 201 Predefined configuration elements
- 201 Severity
- 201 Exceptions
- 201 Configuring a WAF Profile
- 203 Configuring a Web Attack Signature policy
- 208 Configuring a URL Protection policy
- 209 Configuring an HTTP Protocol Constraint policy
- 213 Configuring an SQL/XSS Injection Detection policy
- 215 Configuring WAF Exception objects
- 216 Configuring a Bot Detection policy
- 219 Configuring user groups
- 220 Using the local authentication server
- 221 Using an LDAP authentication server
- 222 Using a RADIUS authentication server
- 223 Using Kerberos Authentication Relay
- 223 Authentication Workflow
- 223 Step 1: Client authentication
- 224 Step 2: Client service authorization
- 224 Step 3: Client service request
- 224 FortiADC Kerberos authentication implementation
- 225 Configure Authentication Relay (Kerberos)
- 225 Configure SAML authentication
- 226 Import IDP metadata
- 226 Configure SAML authentication
- 228 Configuring health checks
- 235 Creating schedule groups
- 236 Creating IPv4 address objects
- 237 Configuring IPv4 address groups
- 238 Creating IPv6 address objects
- 239 Configuring IPv6 address groups
- 240 Managing ISP address books
- 242 Create an ISP address book object
- 243 Creating service objects
- 244 Creating service groups
- 246 Configuring network interfaces
- 246 Using physical interfaces
- 247 Using VLAN interfaces
- 247 Using aggregate interfaces
- 248 Configuring network interfaces
- 253 Configuring static routes
- 254 Configuring policy routes
- 256 Configuring basic system settings
- 257 Configuring system time
- 259 Configuring an SMTP mail server
- 259 Configuring FortiGuard service settings
- 261 Pushing/pulling configurations
- 262 Backing up and restoring the configuration
- 263 Updating firmware
- 264 Upgrade considerations
- 264 Updating firmware using the web UI
- 266 Updating firmware using the CLI
- 267 Rebooting, resetting, and shutting down the system
- 268 Create a traffic group
- 269 Create a traffic group via the command line interface
- 269 Create a traffic group from the Web GUI
- 270 Create administrator users
- 272 Configure access profiles
- 275 Enable password policies
- 276 Configuring SNMP
- 277 Download SNMP MIBs
- 278 Configure SNMP threshold
- 278 Configure SNMP v1/v2
- 280 Configure SNMP v3
- 281 Manage and validate certificates
- 282 Overview
- 282 Prerequisite tasks
- 283 Manage certificates
- 284 Generating a certificate signing request
- 286 Importing local certificates
- 288 Creating a local certificate group
- 288 Importing intermediate CAs
- 289 Creating an intermediate CA group
- 290 Validating certificates
- 290 Configure a certificate verification object
- 293 Importing CRLs
- 294 Adding OCSPs
- 296 Importing remote certificates
- 297 Importing CAs
- 298 Creating a CA group
- 300 Using the event log
- 307 Using the security log
- 313 Using the *traffic log
- 321 Configuring local log settings
- 323 Configuring syslog settings
- 325 Configuring high speed logging
- 326 Enabling real-time statistics
- 327 Configuring alert email settings
- 328 Configuring an alert email recipient
- 328 Configuring reports
- 329 Configuring Report Queries
- 332 Configuring fast reports
- 333 Using reports
- 334 Display logs via CLI
- 335 HA feature overview
- 339 HA system requirements
- 340 HA synchronization
- 341 Configuring HA settings
- 346 Monitoring an HA cluster
- 348 Updating firmware for an HA cluster
- 349 Deploying an active-passive cluster
- 349 Overview
- 351 Basic steps
- 351 Best practice tips
- 351 Deploying an active-active cluster
- 352 Configuration overview
- 353 Basic steps
- 354 Expected behavior
- 354 Traffic to TCP virtual servers
- 358 Traffic to HTTP virtual servers
- 360 FTP traffic and traffic processed by firewall rules
- 363 Best practice tips
- 363 Advantages of HA Active-Active-VRRP
- 363 Deploying an active-active-VRRP cluster
- 364 Configuration overview
- 365 Basic steps
- 366 Best practice tips
- 368 Virtual domain basics
- 368 Enabling the virtual domain feature
- 369 Creating virtual domains
- 369 Assigning network interfaces and admin users to VDOMs
- 370 Virtual domain policies
- 371 Disabling virtual domains
- 372 SSL offloading
- 374 SSL decryption by forward proxy
- 374 Layer 7 deployments
- 376 Layer 2 deployments
- 377 Profile configurations
- 381 Certificate guidelines
- 381 SSL/TLS versions and cipher suites
- 385 Exceptions list
- 385 SSL traffic mirroring
- 387 Configure source NAT
- 389 Configure source NAT
- 392 Configure 1-to-1 NAT
- 394 QoS
- 395 Configuring a QoS queue
- 395 Configuring the QoS filter
- 396 Configuring the QoS IPv6 filter
- 397 ISP routes
- 398 BGP
- 398 How BGP works
- 398 IBGP vs. EBGP
- 402 Access list vs. prefix list
- 403 Configuring an IPv4 access list
- 403 Configuring an IPv6 access list
- 404 Configuring an IPv4 prefix list
- 405 Configuring an IPv6 prefix list
- 405 OSPF
- 409 Reverse path route caching
- 411 Packet capture
- 413 Regular backups
- 413 Security
- 414 Topology
- 414 Administrator access
- 415 Performance tips
- 415 System performance
- 415 Reducing the impact of logging on performance
- 415 Reducing the impact of reports on system performance
- 415 Reducing the impact of packet capture on system performance
- 416 High availability
- 417 Logs
- 417 Tools
- 417 execute commands
- 418 diagnose commands
- 419 System dump
- 420 Packet capture
- 421 Diff
- 422 Solutions by issue type
- 422 Login issues
- 423 Connectivity issues
- 423 Checking hardware connections
- 423 Checking routing
- 427 Examining the routing table
- 427 Examining server daemons
- 427 Checking port assignments
- 427 Performing a packet trace
- 428 Checking the SSL/TLS handshake & encryption
- 428 Resource issues
- 428 Monitoring traffic load
- 429 DoS attacks
- 429 Resetting the configuration
- 429 Restoring firmware (“clean install”)
- 432 Additional resources
- 435 Status
- 436 Data Analytics
- 437 Server load balance
- 437 Select a display option
- 438 Filter virtual servers onscreen
- 439 Add virtual servers
- 439 Link load balance
- 439 Global load balance
- 440 HA status
- 441 Session monitoring
- 446 Events and actions
- 446 Predefined Commands
- 452 Control structures
- 452 Operators
- 453 String library
- 454 Examples
- 454 Select content routes based on URI string matches
- 455 Rewrite the HTTP request host header and path
- 456 Rewrite the HTTP response Location header
- 456 Redirect HTTP to HTTPS using Lua string substitution
- 456 Redirect mobile users to the mobile version of a website