FortiSIEM Discussions
Hugues1
New Contributor II

FortiSIEM HA/DR with 2 FortiSIEM 2000G

Hello.

I would like to do HA between two FortiSIEM 2000G with version 7.1.4. I deployed the first one in All in One in datacenter1 and I installed collectors on remote sites to collect logs. The second FortiSIEM (All in One) will be installed in datacenter2.
I looked at the official Fortinet documentation but I don't understand how to do it. I also have several questions about the collectors:

In the HA (let's assume it's an Active-Passive), how will the collectors behave when the first FortiSIEM is down? Will they automatically switch the logs to the second FortiSIEM? If so, are there any special configurations to be done on the collectors?

Le Pimo
Secusaurus
Contributor III

Hi @Hugues1,

Before 7.3.0, the HA-config is more like a backend-data-sync between two devices, referred to as "Disaster Recovery".

The official recommendation for the setup (as far as I know it) is that you either enter the main Supervisor's FQDN instead of an IP when setting up the collectors, or have a load balancer in front of your Supervisors.

When your main Supervisor fails, you either reconfigure DNS or the load balancer's health check switches over.

In contrast to 7.3.x, there is no virtual IP for both supervisors.

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
Hugues1
New Contributor II

If I understand correctly, I must have a DNS server in my DNS with an entry (FQDN) that points to the two IPs of FortiSIEM 1 and 2. But what about the registration of collectors? Given that collectors can only be registered on a supervisor, do I have to deregister the collector on the first FortiSIEM and register it on the second FortiSIEM?

Le Pimo
Secusaurus

In this setup, you register the collector to the only FQDN of the supervisor. This one points to the primary instance and in case of a failover, you would need to go to the DNS-server and change the resolved IP-address to the secondary.

When using a load balancer or proxy in front, you would register the collectors to that virtual IP which DNATs to the primary supervisor and in case of a failover to the secondary.

Note that the setup can be made much less complicated on 7.3.0 with the real HA, but that involves 3 supervisors then (you would probably then use the hardware as workers and redesign your whole setup).

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
Hugues1
New Contributor II

 

I don't have a load balancer so I chose the solution with a DNS server. I created a FQDN that points to the primary IP. When the primary fails over, I set up a script that will automatically change the primary IP to the secondary IP in the DNS record. Since I only have two FortiSIEM appliances, unless I'm mistaken, I think what I need to do is DR and not HA strictly speaking. I have schematized my architecture for setting up DR. Please give me your opinions and suggestions. Is this how I should set up my architecture?

Le Pimo
Hugues1
New Contributor II

Hi @Secusaurus. I need your opinion regarding this.

I'm waiting for your feedback.

Best Regards

Le Pimo
Secusaurus

Hi @Hugues1,

From my point of view, this looks correct. It's the design I know that should be working.

But note that this is a community forum and we are sharing thoughts and ideas here. For technical implementation support, a Fortinet Partner (like my company) or Fortinet itself take money; so my answer here comes with no legal binding, since I did not set this up for you in a lab or production environment yet ;)
(we did other deployments with custom backup-schemes or, on 7.3.0, used the other HA-options)

So, if anyone here has something else to say, feel free.

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
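
The DNS-based failover discussed in this thread, sketched as an added example (not code from any poster or from Fortinet): it requires several consecutive failed probes before repointing the FQDN, never fails back on its own, and renders the change as an `nsupdate` batch. The hostnames, addresses, the TCP 443 probe, the TTL and the threshold are assumptions, and it covers only the DNS record change, not any step on the FortiSIEM side.

```python
import socket
from dataclasses import dataclass

# Assumed values, not taken from the thread (documentation address range).
FQDN = "siem.example.internal."   # name the collectors are registered against
ZONE = "example.internal."
PRIMARY_IP = "192.0.2.10"         # supervisor in datacenter1
SECONDARY_IP = "192.0.2.20"       # supervisor in datacenter2
TTL = 60                          # short TTL so collectors re-resolve quickly
FAIL_THRESHOLD = 3                # consecutive failed probes before failover


def probe(ip, port=443, timeout=3.0):
    """Return True if a TCP connection to the supervisor succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class FailoverState:
    active_ip: str = PRIMARY_IP
    failures: int = 0

    def observe(self, primary_up):
        """Feed one probe result; return the new IP when failover is due, else None."""
        if self.active_ip != PRIMARY_IP:
            return None  # already failed over; failback stays a manual decision
        self.failures = 0 if primary_up else self.failures + 1
        if self.failures >= FAIL_THRESHOLD:
            self.active_ip = SECONDARY_IP
            return self.active_ip
        return None


def nsupdate_batch(new_ip, dns_server="192.0.2.53"):
    """Render an RFC 2136 dynamic update as input for `nsupdate -k <keyfile>`."""
    lines = [f"server {dns_server}", f"zone {ZONE}",
             f"update delete {FQDN} A",
             f"update add {FQDN} {TTL} A {new_ip}", "send"]
    return "\n".join(lines) + "\n"


def run_once(state, probe_fn=probe):
    """One scheduler tick: probe the primary, return a batch only on failover."""
    new_ip = state.observe(probe_fn(PRIMARY_IP))
    return nsupdate_batch(new_ip) if new_ip else None
```

Signing the update with a TSIG key and restricting that key on the DNS server to this one record keeps the host running the check from being able to rewrite the rest of the zone.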