FortiGate
Vbharath_FTNT
Article Id 195160

Description

This article provides some design considerations for HA Active-Active cluster load-balancing UTM sessions when using Redundant interfaces.

Scope

FortiGate.

Solution

In an Active-Active HA cluster, the Primary unit can load balance proxy-based UTM sessions to the Secondary unit. This offloads resource-intensive UTM inspection to the other members of the HA cluster.

When a redundant interface is used with an Active-Active cluster, the primary member of that redundant interface on the Secondary unit must be connected and UP; otherwise sessions cannot be load balanced to the Secondary unit.

The first interface in the redundant interface configuration is selected as the primary member in the redundant interface.

For example, in the following configuration, port10 will be the primary member of the Redundant interface 'Red_LAN'.

config system interface
    edit "Red_LAN"
        set vdom "root"
        set ip 10.116.3.207 255.255.240.0
        set type redundant
        set member "port10" "port12"
        set snmp-index 41
    next
end

The example network diagram is provided below. Port10 and Port12 are part of the redundant link.

[Network diagram: Active-Active HA cluster, Primary and Secondary FortiGate units, redundant interface 'Red_LAN' with members port10 and port12]

For session load balancing to work in the Active-Active cluster shown in the diagram, port10 must be connected and UP on the Secondary FortiGate unit. If port10 on the Secondary unit is not connected or its status is 'DOWN', the HA Primary cannot load balance sessions to the Secondary.

This requirement does not apply to the Primary unit: sessions are still load balanced to the Secondary unit as long as any single member of the redundant interface on the Primary unit is connected and UP.
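The following Python script is an added example and is not part of the article or Fortinet's own tooling. It parses a 'config system interface' block in the same shape as the Red_LAN example above, identifies the primary member of each redundant interface (the first member listed), and applies the rule described in this article: on the Secondary unit the primary member itself must be UP, while on the Primary unit any member being UP is enough. The per-unit link states passed to can_load_balance() are constructed sample input, and the parser only handles the 'edit', 'set type', 'set member' and 'next' lines it needs.

```python
"""
Check whether an Active-Active FortiGate HA cluster can load balance
proxy-based UTM sessions to the Secondary unit over a redundant interface.
Added example; not from the article. The configuration below is a
constructed sample in the same shape as the article's Red_LAN block.
"""
import re

SAMPLE_CONFIG = """
config system interface
    edit "Red_LAN"
        set vdom "root"
        set ip 10.116.3.207 255.255.240.0
        set type redundant
        set member "port10" "port12"
        set snmp-index 41
    next
    edit "port1"
        set vdom "root"
        set type physical
    next
end
"""


def parse_redundant_members(config_text):
    """Return {redundant_interface_name: [member, ...]} in configured order.

    Minimal parser: it only looks at 'edit', 'set type', 'set member' and
    'next' lines, which is all that is needed to find the member order.
    """
    result = {}
    current = None
    is_redundant = False
    members = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current, is_redundant, members = m.group(1), False, []
            continue
        if line == "set type redundant":
            is_redundant = True
            continue
        if line.startswith("set member "):
            members = re.findall(r'"([^"]+)"', line)
            continue
        if line == "next" and current is not None:
            if is_redundant:
                result[current] = members
            current = None
    return result


def primary_member(members):
    """The first configured member is the primary member of the redundant interface."""
    return members[0] if members else None


def can_load_balance(members, primary_link, secondary_link):
    """Apply the article's rule to constructed per-unit link states.

    members:        ordered member list of the redundant interface.
    primary_link:   {port: "up" | "down"} as seen on the Primary unit.
    secondary_link: {port: "up" | "down"} as seen on the Secondary unit.
    Returns (ok, reason).
    """
    prim = primary_member(members)
    # Primary unit: any member being UP keeps the redundant interface usable.
    if not any(primary_link.get(p) == "up" for p in members):
        return False, "no member of the redundant interface is up on the Primary unit"
    # Secondary unit: specifically the primary member must be UP.
    if secondary_link.get(prim) != "up":
        return False, f"primary member {prim} is not up on the Secondary unit"
    return True, "ok"


if __name__ == "__main__":
    redundant = parse_redundant_members(SAMPLE_CONFIG)
    for name, mems in redundant.items():
        # Constructed link states: port10 is down on the Secondary unit.
        ok, why = can_load_balance(
            mems,
            primary_link={"port10": "up", "port12": "up"},
            secondary_link={"port10": "down", "port12": "up"},
        )
        print(f"{name}: primary member {primary_member(mems)}, load balance ok={ok} ({why})")
```

Running the script as written reports that Red_LAN cannot load balance sessions because port10 is down on the Secondary unit, even though port12 on that unit is up; swapping the two states makes the check pass, which matches the behaviour the article describes.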