System config
HA configuration
FortiGate-100A Administration Guide
01-28007-0068-20041203
89
You can enable heartbeat communications for physical interfaces, but not for VLAN
subinterfaces.
Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails,
the HA heartbeat can be diverted to another interface.
HA heartbeat traffic can use a considerable amount of network bandwidth. If possible,
enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on
interfaces connected to less busy networks.
Change the heartbeat device priorities as required to control the interface that is used
for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface
with the highest heartbeat priority fails or is disconnected.
Setting the heartbeat priority for more interfaces increases the reliability of the cluster.
To optimize bandwidth use, you can route most heartbeat traffic to interfaces that
handle less network traffic. You can also create a failover path by setting heartbeat
priorities so that you can control the order in which interfaces are used for heartbeat
traffic.
The heartbeat priority must be set for at least one cluster interface. If heartbeat
communication is interrupted the cluster stops processing traffic.
Heartbeat device IP addresses
You do not need to assign IP addresses to the heartbeat device interfaces for them to
be able to process heartbeat packets. In HA mode the cluster assigns virtual IP
addresses to the heartbeat device interfaces. The primary cluster unit heartbeat
device interface is assigned the IP address 10.0.0.1 and the subordinate unit is
assigned the IP address 10.0.0.2. A third cluster unit would be assigned the IP
address 10.0.0.3 and so on.
For best results, isolate each heartbeat device on its own network. Heartbeat packets
contain sensitive information about the cluster configuration. Also, heartbeat packets
may use a considerable amount of network bandwidth and it is preferable to isolate
this traffic from your user networks. The extra bandwidth used by heartbeat packets
could also reduce the capacity of the interface to process network traffic.
For most FortiGate models if you do not change the heartbeat device configuration,
you would isolate the HA interfaces of all of the cluster units by connecting them all to
the same switch. If the cluster consists of two FortiGate units you can connect the
heartbeat device interfaces directly using a crossover cable.
HA heartbeat and data traffic are supported on the same FortiGate interface. In
NAT/Route mode, if you decide to use the heartbeat device interfaces for processing
network traffic or for a management connection, you can assign the interface any IP
address. This IP address does not affect the heartbeat traffic. In Transparent mode,
you can connect the interface to your network.
Table 5: Default heartbeat device configuration
FortiGate model
Default heartbeat device
Default priority
FortiGate-100A
External
50
DMZ 2
100
Содержание FortiGate 100A
Страница 12: ...Contents 12 01 28007 0068 20041203 Fortinet Inc ...
Страница 24: ...24 01 28007 0068 20041203 Fortinet Inc FortiLog documentation Introduction ...
Страница 46: ...46 01 28007 0068 20041203 Fortinet Inc Installing and using a backup firmware image System status ...
Страница 72: ...72 01 28007 0068 20041203 Fortinet Inc Transparent mode VLAN settings System network ...
Страница 80: ...80 01 28007 0068 20041203 Fortinet Inc DHCP IP MAC binding settings System DHCP ...
Страница 114: ...114 01 28007 0068 20041203 Fortinet Inc Access profile options System administration ...
Страница 232: ...232 01 28007 0068 20041203 Fortinet Inc Profile CLI configuration Firewall ...
Страница 244: ...244 01 28007 0068 20041203 Fortinet Inc peergrp Users and authentication ...
Страница 276: ...276 01 28007 0068 20041203 Fortinet Inc ipsec vip VPN ...
Страница 338: ...338 01 28007 0068 20041203 Fortinet Inc Configuring the banned word list Spam filter ...
Страница 356: ...356 01 28007 0068 20041203 Fortinet Inc syslogd setting Log Report ...
Страница 374: ...374 01 28007 0068 20041203 Fortinet Inc Index ...