FortiGate
asostizzo_FTNT

Description

While reviewing the FortiGate HA cluster event logs (elogs), events like the following may occasionally be found:
date=2016-07-15 time=01:30:20 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="out-of-sync"

...

date=2016-07-15 time=01:31:04 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="in-sync"
The HA system event log messages in the example above indicate that the FortiGuard signatures/engines of the Master and Slave FortiGate units were not the same at time=01:30:20.

This can happen for a period when the Master FortiGate updates its FDS databases and the Slave unit has not yet synchronized the database and/or engine versions via the heartbeat connection between the two units.
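Because a short out-of-sync window after an FDS update is expected, what a defender actually wants from these events is the duration of each window and whether the Slave ever returned to in-sync. The following script is an added example, not part of the original article or a Fortinet tool: it parses the key=value FortiGate log format, pairs each out-of-sync event with the next in-sync event for the same device and sync_type, and flags episodes that exceed a threshold or never close. The first two log lines are the ones quoted above; the remaining lines and the 300-second threshold are constructed for this example.

```python
import re
from datetime import datetime

# FortiGate event logs are space-separated key=value pairs; values that
# contain spaces are enclosed in double quotes.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: the two events quoted in the article, a longer
# out-of-sync episode, and an episode that never returns to in-sync.
SAMPLE_LOG = """\
date=2016-07-15 time=01:30:20 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="out-of-sync"
date=2016-07-15 time=01:31:04 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="in-sync"
date=2016-07-15 time=03:10:00 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="out-of-sync"
date=2016-07-15 time=03:22:30 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="in-sync"
date=2016-07-15 time=05:00:00 devname=BERCA1FW02 devid=FG100D3G13803210 logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="out-of-sync"
"""


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV_RE.finditer(line)
    }


def event_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_sync_episodes(lines):
    """Pair each HA out-of-sync event with the next in-sync event for the same
    (devname, sync_type). 'end' and 'seconds' are None for an episode that is
    still open at the end of the log."""
    open_episodes = {}
    episodes = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "event" or f.get("subtype") != "ha" or "sync_status" not in f:
            continue  # not an HA sync status event
        key = (f.get("devname"), f.get("sync_type"))
        ts = event_time(f)
        if f["sync_status"] == "out-of-sync":
            open_episodes.setdefault(key, ts)  # keep the earliest start
        elif f["sync_status"] == "in-sync" and key in open_episodes:
            start = open_episodes.pop(key)
            episodes.append({"devname": key[0], "sync_type": key[1], "start": start,
                             "end": ts, "seconds": (ts - start).total_seconds()})
    # Anything still open never synchronized back; report it with no end time.
    for (devname, sync_type), start in open_episodes.items():
        episodes.append({"devname": devname, "sync_type": sync_type, "start": start,
                         "end": None, "seconds": None})
    return episodes


def prolonged_episodes(episodes, max_seconds=300):
    """Episodes longer than max_seconds (threshold assumed here) or never closed."""
    return [e for e in episodes if e["seconds"] is None or e["seconds"] > max_seconds]


if __name__ == "__main__":
    for e in prolonged_episodes(find_sync_episodes(SAMPLE_LOG.splitlines())):
        state = "still out-of-sync" if e["end"] is None else f"{e['seconds']:.0f}s out-of-sync"
        print(f"{e['devname']} {e['sync_type']} from {e['start']}: {state}")
```

The 44-second window between the two quoted events is below the threshold and is not reported; the constructed 12.5-minute episode and the episode with no closing in-sync event are. Feeding the script the `ha` subtype events from the Slave's elogs over a longer period gives a simple baseline for how long synchronization normally takes on a given heartbeat link.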

Along with the first event above, a difference in HA checksum between the two units may be noticed when executing the following on the CLI:

FortiOS v5.2:
# diagnose sys ha showcsum

FortiOS v5.4:
# diagnose sys ha checksum show


Solution

This event can be more concerning in Active-Active HA mode, since the Slave unit is used to offload some of the UTM processing and the most up-to-date FortiGuard information is desired on both units.

The amount of time it takes to synchronize the two units may vary depending on factors including, but not limited to, the following:

1. Heartbeat interface connection reliability.

The best practice is to use a direct (isolated) connection between the two cluster units, or a dedicated switch for clusters with more than two units.

2. Whether session-pickup is enabled on highly active HA clusters.

When session-pickup is enabled, more traffic is transferred over the heartbeat interface, which may delay synchronization of the new FortiGuard information depending on item 1 above and on how many sessions are being synchronized. The following options are available to reduce the impact of this feature:

I. Use session-pickup-delay so that sessions are synchronized only if they remain active for more than 30 seconds.

CLI configuration:
# config system ha
# set session-pickup-delay enable
# end

II. Use the session-sync-dev option to dedicate interface(s) to session synchronization:

CLI configuration for enabling port9 and port11 for session synchronization:
# config system ha
# set session-sync-dev port9 port11
# end

For more details on improving and troubleshooting HA synchronization please review the FortiOS Handbook - High Availability documentation.


Reference: FortiOS Handbook - High Availability
