Umesh
Contributor

Best practices to configure HA

Hi All,

 

I would like to know what the best practices are for configuring HA and the best techniques to troubleshoot it.

 

Such as - ACTIVE-PASSIVE mode, ACTIVE mode

 

Please refer me to any documents or blogs which can boost my tech skills and which will cover interview questions as well.

 

Your response will be highly appreciated.

akristof
Staff

Hello,

We don't have any document for best practice. From my experience, default settings are usually good (except for some corner cases, for example BGP, ether proto type, etc).

If you want, you can check this link. It is for old release, not supported anymore, but it has information about basic functions that are still relevant:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/8e55781b-1a1c-11e9-9685-f8bc12...

 

Regarding HA mode, A-P or A-A. Active-Active is usually used when you have UTM inspection enabled and primary device is getting to the edge, then you can use A-A so secondary device will do some inspection to help primary device.

A-P is standard, simple scenario, secondary device is sitting there unless failover happened (reason can be anything). If you have any specific question, ask and someone will answer it, for sure.

Adrian
pgautam
Staff

Hi @Umesh

 

In addition to @akristof's reply, please check the cookbook link below to understand HA in FortiGate:

 

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/161720/high-availability

 

Regards

Priyanka

 


 

 

pavankr5
Staff

Hello @Umesh 

 

Active-Passive Mode: In this mode, one unit is active and handling traffic, while the other unit remains passive and only takes over when the active unit fails.
Active-Active Mode: Both units actively handle traffic simultaneously, providing load balancing and redundancy. Each unit typically handles a subset of the traffic.


Ensure that the two HA units are identical in terms of hardware specifications and firmware versions. Mismatched hardware or firmware can cause compatibility issues.

Use dedicated heartbeat interfaces between the HA units for communication. This ensures efficient communication and reduces the risk of a single point of failure.
HA units should synchronize their configuration settings, security policies, and routing tables. This ensures that failover doesn't cause service disruption due to mismatched settings.

In Active-Active mode, distribute traffic evenly across both units to balance the load and maximize resource utilization.

Perform failover testing in a controlled environment to ensure that the failover process works as expected.

Monitor system logs for any alerts or error messages related to HA. Logs can provide valuable insights into the cause of issues.

Once you have configured it, if you face any issues you can refer to the documents below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Note-Fortigate-HA-message-quot-HA-master...

Let us know if you have any queries

Thank you
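Added example, not part of the replies above and not Fortinet code: a small offline check that applies the points from the last reply (matching firmware, dedicated heartbeat interfaces, matching HA settings) to the `config system ha` block of each unit. The sample blocks, interface names and firmware labels are constructed, and the two rules marked as assumptions are one interpretation of "dedicated" and "single point of failure".

```python
import shlex

# Constructed sample 'config system ha' blocks (interface names are placeholders).
UNIT_A = '''
config system ha
    set group-name "lab-cluster"
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set monitor "port1" "port2"
end
'''
# Second unit: one heartbeat link, and it shares a monitored traffic port.
UNIT_B = UNIT_A.replace('"port3" 50 "port4" 50', '"port1" 50')

def parse_ha(text):
    """Return {key: [values]} for 'set' lines inside 'config system ha'."""
    settings, inside = {}, False
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] == ["config", "system", "ha"]:
            inside = True
        elif tokens[:1] == ["end"]:
            inside = False
        elif inside and len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tokens[2:]
    return settings

def check_unit(text):
    """Findings for one unit's HA block."""
    ha = parse_ha(text)
    hbdev = ha.get("hbdev", [])[0::2]  # list alternates name, priority
    findings = []
    if len(hbdev) < 2:  # assumption: one link is a single point of failure
        findings.append("single heartbeat link")
    shared = sorted(set(hbdev) & set(ha.get("monitor", [])))
    if shared:  # assumption: "dedicated" means not also a monitored port
        findings.append("heartbeat not dedicated: " + ",".join(shared))
    return findings

def check_pair(a, b, fw_a, fw_b):
    """Findings across both units: firmware and HA settings must match."""
    findings = ["firmware mismatch"] if fw_a != fw_b else []
    pa, pb = parse_ha(a), parse_ha(b)
    findings += ["mismatch: " + k for k in ("group-name", "mode") if pa.get(k) != pb.get(k)]
    return findings
```

Feed it the HA block saved from each unit's configuration backup, plus whatever firmware string each unit reports.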

 

 
