FortiGate
gmanea
Staff
Article Id 194548
Description
Generally seen in HA clusters, this daemon runs quietly and provides services for the secondary unit or vcluster.

This article describes the usage of harelay process. 

Solution
A High Availability (HA) cluster consists of one or more units that provide redundancy in case the primary fails.
No matter the number of units in HA or the operation mode (a-p/a-a), in every case the primary unit handles local-out connections.

Since the secondary unit cannot send packets out directly, harelay is used to relay the secondary unit's daemons' local-out TCP connections to the public network.

It is rarely needed, but to debug this daemon, the following commands can be used (option 0 prints the menu of available tests):

# diag test app harelay 0
1.  Show harelay statistics
2.  Show harelay connections

# diag test app harelay 1
# diag test app harelay 2

These commands may need to be run repeatedly, because the daemon is not always running, so most of the time the output is empty.

To enable all debug for harelay:

# diag debug app harelay -1

It is possible to see the following output:

harelay_accept[546] pid-247 conn=695537 receied a relay req from ha-2/1645
harelay_on_clt_read_id[276] pid-247 conn=695537 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695537 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
harelay_accept[546] pid-247 conn=695579 receied a relay req from ha-2/1654
harelay_on_clt_read_id[276] pid-247 conn=695578 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695578 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
__set_socket_interface[134] pid-247 Binded interface index: 0
harelay_on_clt_read_udp[335] pid-247 conn=694713 read() failed: num=-1, errno=104
harelay_accept[546] pid-247 conn=695580 receied a relay req from ha-2/1655
harelay_on_clt_read_id[276] pid-247 conn=695579 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695579 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
__set_socket_interface[134] pid-247 Binded interface index: 0

In this case, it is possible to notice that the connections are made to relay logs (port 514) to a server (254.253.252.251).
The process ID is also visible (pid-247).

It is also possible to see errors, like the one above:  pid-247 conn=694713 read() failed: num=-1, errno=104.

This may be caused by a known issue (i.e. bug ID 751087) or by something completely new. Based on the error code, this is something to be investigated by TAC support or development.
Depending on the type of traffic sent through harelay, one may further investigate which process creates that traffic (in this case, since port 514 is visible, the process to check is miglogd).
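When the full harelay debug is enabled, the output can grow quickly; the following Python script is an added example (not part of this article and not Fortinet code) that parses lines in the format shown above, counts the distinct relayed connections, groups them by destination server and port, and flags any read()/write() failures with the errno translated to its Linux name (FortiOS log lines shown here use Linux errno values, which is an assumption). The sample input is constructed from the debug lines above, and the port-to-process hint table only contains the port 514 / miglogd mapping that the article gives.

```python
import re
from collections import Counter

# Constructed sample input: the harelay debug lines quoted in this article.
SAMPLE_LOG = """\
harelay_accept[546] pid-247 conn=695537 receied a relay req from ha-2/1645
harelay_on_clt_read_id[276] pid-247 conn=695537 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695537 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
harelay_accept[546] pid-247 conn=695579 receied a relay req from ha-2/1654
harelay_on_clt_read_id[276] pid-247 conn=695578 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695578 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
__set_socket_interface[134] pid-247 Binded interface index: 0
harelay_on_clt_read_udp[335] pid-247 conn=694713 read() failed: num=-1, errno=104
harelay_accept[546] pid-247 conn=695580 receied a relay req from ha-2/1655
harelay_on_clt_read_id[276] pid-247 conn=695579 read relay-id: svr=254.253.252.251/514, ha-id=2, vdom=root
harelay_connect_to_server[147] pid-247 conn=695579 read relay-id: svr=254.253.252.251/514, source_ip=0.0.0.0, vdom=root, intf_sel_mode=0, intf_sel_name=
__set_socket_interface[134] pid-247 Binded interface index: 0
"""

# "<function>[<source line>] pid-<pid> [conn=<id>] <message>"
LINE_RE = re.compile(
    r"^(?P<func>\w+)\[(?P<src>\d+)\] pid-(?P<pid>\d+)(?: conn=(?P<conn>\d+))? (?P<msg>.*)$"
)
SVR_RE = re.compile(r"svr=(?P<ip>[\d.]+)/(?P<port>\d+)")
ERR_RE = re.compile(r"(?P<call>\w+\(\)) failed: num=(?P<num>-?\d+), errno=(?P<errno>\d+)")

# Assumption: FortiOS reports Linux errno values. Only a few common socket errors listed.
LINUX_ERRNO = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

# Hint from the article: port 514 (syslog) traffic originates from miglogd.
PORT_HINTS = {514: "syslog, check miglogd"}


def parse_line(line):
    """Parse one harelay debug line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["conn"] = int(rec["conn"]) if rec["conn"] else None
    s = SVR_RE.search(rec["msg"])
    if s:
        rec["svr_ip"], rec["svr_port"] = s.group("ip"), int(s.group("port"))
    e = ERR_RE.search(rec["msg"])
    if e:
        rec["errno"], rec["call"] = int(e.group("errno")), e.group("call")
    return rec


def summarize(text):
    """Aggregate relayed connections, destination servers and failures from debug output."""
    conns, servers, errors = set(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["conn"] is not None:
            conns.add(rec["conn"])
        # Count only the actual connect attempts, not the preceding relay-id read.
        if rec["func"] == "harelay_connect_to_server" and "svr_ip" in rec:
            servers[(rec["svr_ip"], rec["svr_port"])] += 1
        if "errno" in rec:
            errors.append({
                "conn": rec["conn"], "func": rec["func"], "call": rec["call"],
                "errno": rec["errno"], "name": LINUX_ERRNO.get(rec["errno"], "unknown"),
            })
    return {
        "connections": len(conns),
        "servers": dict(servers),
        "hints": {p: PORT_HINTS[p] for (_, p) in servers if p in PORT_HINTS},
        "errors": errors,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"distinct relayed connections: {result['connections']}")
    for (ip, port), n in result["servers"].items():
        print(f"  {n} connect attempt(s) to {ip}/{port} ({result['hints'].get(port, 'no hint')})")
    for err in result["errors"]:
        print(f"  conn={err['conn']} {err['func']} {err['call']} errno={err['errno']} ({err['name']})")
```

Run it as-is to see the summary of the article's sample, or feed it the saved output of `diag debug app harelay -1` from a real cluster; the server/port grouping tells which local-out traffic is being relayed through the primary, and the errno names make the failures easier to describe to TAC.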

Related Articles

Technical Tip: How to list processes in FortiOS
