High Availability – FortiAnalyzer – FortiOS 6.2.3

High Availability

A FortiAnalyzer high availability (HA) cluster provides the following features:

  • Provide real-time redundancy in case a FortiAnalyzer primary unit fails. If the primary unit fails, another unit in the cluster is selected as the primary unit. See If the primary unit fails on page 254.
  • Synchronize logs and data securely among multiple FortiAnalyzer units. Some system and configuration settings are also synchronized. See Configuration synchronization on page 253. l Alleviate the load on the primary unit by using backup units for processes such as running reports.

A FortiAnalyzer HA cluster can have a maximum of four units: one primary or master unit with up to three backup or slave units. All units in the cluster must be of the same FortiAnalyzer series. All units are visible on the network.

All units must run in the same operation mode: Analyzer or Collector.

Configuring HA options

To configure HA options go to System Settings > HA and configure FortiAnalyzer units to create an HA cluster or change cluster configuration.

In System Settings > HA, use the ClusterSettings pane to create or change HA configuration, and use the Cluster Status pane to monitor HA status.

To configure a cluster, set the Operation Mode of the primary unit to High Availability. Then add the IP addresses and serial numbers of each backup unit to primary unit peer list. The IP address and serial number of the primary unit and all backup units must be added to each backup unit’s HA configuration. The primary unit and all backup units must have the same Group Name, Group ID and Password.

You can connect to the primary unit GUI to work with FortiAnalyzer. Using configuration synchronization, you can configure and work with the cluster in the same way as you work with a standalone FortiAnalyzer unit.

Configure the following settings:

Cluster Status  
Operation Mode Select High Availability to configure the FortiAnalyzer unit for HA. Select Standalone to stop operating in HA mode.
Preferred Role Select the preferred role when this unit first joins the HA cluster.

If the preferred role is Master, then this unit becomes the primary unit if it is configured first in a new HA cluster. If there is an existing primary unit, then this unit becomes a backup (slave) unit.

The default is Slave so that the unit can synchronize with the primary unit. A slave or backup unit cannot become a master or primary unit until it is synchronized with the current primary unit.

Cluster Virtual IP  
Interface The interface the FortiAnalyzer HA unit uses to provide redundancy.
IP Address The IP address for which the FortiAnalyzer HA unit is to provide redundancy.
Cluster Settings  
Peer IP Type the IP address of another FortiAnalyzer unit in the cluster.
Peer SN Type the serial number of the FortiAnalyzer unit corresponding to the entered IP address.
Group Name Type a group name that uniquely identifies the FortiAnalyzer HA cluster. All units in a cluster must have the same Group Name, Group ID and Password.
Group ID Type a group ID from 1 to 255 that uniquely identifies the FortiAnalyzer HA cluster.
Password A password for the HA cluster. All members of the HA cluster must have the same password.
Heart Beat Interval The time the primary unit waits between sending heartbeat packets, in seconds. The heartbeat interval is also the amount of time that backup units waits before expecting to receive a heartbeat packet from the primary unit.
Priority The priority or seniority of the backup unit in the cluster.
Log Data Sync This option is on by default. It provides real-time log synchronization among cluster members.

Log synchronization

To ensure logs are synchronized among all HA units, FortiAnalyzer HA synchronizes logs in two states: initial logs synchronization and real-time log synchronization.

Initial Logs Sync

When you add a unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After initial sync is complete, the backup unit automatically reboots. After the reboot, the backup unit rebuilds its log database with the synchronized logs.

You can see the status in the ClusterStatus pane Initial Logs Sync column.

Log Data Sync

After the initial log synchronization, the HA cluster goes into real-time log synchronization state.

Log Data Sync is turned on by default for all units in the HA cluster.

When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real-time to all backup units. This ensures that the logs in the primary and backup units are synchronized.

Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with backup units.

If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don’t need real-time log synchronization so you can turn off Log Data Sync.

Configuration synchronization

Configuration synchronization provides redundancy and load balancing among the cluster units. A FortiAnalyzer HA cluster synchronizes the configuration of the following modules to all cluster units: l Device Manager l Incidents & Events l Reports l Most System Settings

FortiAnalyzer HA synchronizes most System Settings in the HA cluster. The following table shows which System Setting configurations are synchronized:

System Setting Configuration synchronized
Dashboard > System Information Only Administrative Domain is synchronized. All other settings in the System Information widget are not synchronized.
All ADOMs Yes
Storage Info Yes
Network No
HA No
Admin Yes
Certificates > Local Certificates No
Certificates > CA Certificates Yes
Certificates > CRL Yes
Log Forwarding Yes
Fetcher Management Yes
Event Log No
Task Monitor Yes
Advanced > SNMP Yes
Advanced > Mail Server Yes
Advanced > Syslog Server Yes
Advanced > Meta Fields Yes
Advanced > Device Log Settings Yes
Advanced > File Management Yes
Advanced > Advanced Settings Yes

Monitoring HA status

In System Settings > HA, the ClusterStatus pane shows the HA status. This pane displays information about the role of each cluster unit, the HA status of the cluster, and the HA configuration of the cluster.

The ClusterStatus pane displays the following information:

Role Role of each cluster member.
Serial Number Serial number of each cluster member.
IP IP address of each cluster members including the host.
Host Name Host name of the HA cluster.
Uptime/Downtime Uptime or downtime of each cluster member.
Initial Logs Sync Status of the initial logs synchronization.
Configuration Sync Status of synchronizing configuration data.
Message Status or error messages, if any.

If the primary unit fails

If the primary or master unit becomes unavailable, another unit in the cluster is selected as the primary unit using the following rules:

  • All cluster units are assigned a priority from 80 – 120. The default priority is 100. If the primary unit becomes unavailable, an available unit with the highest priority is selected as the new primary unit. For example, a unit with a priority of 110 is selected over a unit with a priority of 100.
  • If multiple units have the same priority, the unit whose primary IP address has the greatest value is selected as the new primary unit. For example, 123.45.67.123 is selected over 123.45.67.124.
  • If a new unit with a higher priority or a greater value IP address joins the cluster, the new unit does not replace (or preempt) the current primary unit.

If the FortiAnalyzer being replaced is the primary, after replacing it, use execute fgfm reclaim-dev-tunnel to force FortiGates to connect to the new FortiAnalyzer.

Load balancing

Because FortiAnalyzer HA synchronizes logs among HA units, the HA cluster can balance the load and improve overall responsiveness. Load balancing enhances the following modules:

  • Reports
  • SOC

When generating multiple reports, the loads are distributed to all HA cluster units in a round-robin fashion. When a report is generated, the report is synchronized with other units so that the report is visible on all HA units.

Similarly, for SOC, cluster units share some of the load when these modules generate output for their widgets.

Upgrading the FortiAnalyzer firmware for an operating cluster

You can upgrade the firmware of an operating FortiAnalyzer cluster in the same way as upgrading the firmware of a standalone FortiAnalyzer unit.

Upgrade the backup units first. Upgrade the primary (master) unit last, after all backup units have been upgraded and have synchronized with the primary unit. When you upgrade the primary unit, one of the backup units is automatically selected to be the primary unit following the rules you set up in If the primary unit fails on page 254. This allows the HA cluster to continue operating through the upgrade process with primary and backup units.

During the upgrade, you might see messages about firmware version mismatch. This is to be expected. When the upgrade is completed and all cluster members are at the same firmware version, you should not see this message.

To upgrade FortiAnalyzer HA cluster firmware:

  1. Log into each backup unit and upgrade the firmware.

See the FortiAnalyzerRelease Notes and FortiAnalyzerUpgrade Guide in the Fortinet Document Library for more information.

  1. Wait for the upgrades to complete and check that the backup units have joined the HA cluster as slaves.
  2. Ensure that logs are synchronized with the primary unit.
  3. Upgrade the primary (master) unit.

When the primary unit is upgraded, it automatically becomes a backup unit and one of the backup units is automatically selected to be the primary unit following the rules you set up in If the primary unit fails on page 254.

This allows the HA cluster to continue operating through the upgrade process with primary and backup units.

 

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.