FortiSIEM Discussions
beingarif
New Contributor III

FortiSIEM 7.4.2 HA V3: How to Manage Central Access Without VIP?

Hi Community,

I recently upgraded my FortiSIEM deployment from version 7.4.0 to 7.4.2. In 7.4.0, I was using Automated HA (HA V2) with a Virtual IP (VIP) setup, which allowed customers to access the system via a common IP address. This made centralized access and management straightforward.

However, after upgrading to 7.4.2, I noticed that VIP is no longer available as part of the HA configuration. I understand that HA V3, introduced in 7.4.1, improves upon HA V2 and eliminates the need for VIP or DNS configuration.

My questions are:

  1. How can I now provide a centralized access point for customers without VIP?
  2. What is the recommended approach to make this understandable and seamless for customers, especially those used to accessing the system via a single IP?
  3. Is there any best practice or workaround to simulate the previous VIP behavior in HA V3?

Any guidance or shared experience would be greatly appreciated!

@Secusaurus @Anthony_E can you please help here.

Regards,
Arif

arif
1 Solution
Secusaurus
Contributor III

Hi @beingarif,

The previous "issue" was that having a shared virtual IP across all Supervisors meant you are required to have a layer-2 network between all of them. This does not scale across datacenters, as they are usually layer-3 connections (different subnets).

On the other hand, if you enable this functionality, a shared virtual IP is not just "not required", but simply not possible. A router would not expect the same IP in different subnets.

So, what you need for your deployment now is a load balancer in front, which manages a virtual IP (usually a public IP) and DNATs it to the IP of the currently active Supervisor. I am pretty sure that there is a solution for a common load balancer to find out the current master (if required at all?).

I must admit that, in our production setups, we don't use top-of-the-edge releases, so I cannot share real-life experience with you about that.

Best,

Christian

FCX #003451 | Fortinet Advanced Partner

beingarif
New Contributor III

Thank you for clarifying, Christian.

arif