Fortinet 100 FortiWeb 5.0 Patch 6 Administration Guide
3. Physically link the FortiWeb appliances that will be members of the HA cluster.
You must link at least one of their ports (e.g. port4 to port4) for heartbeat and
synchronization traffic between members of the cluster. You can either:
• link two appliances directly via a crossover cable
• link the appliances through a switch
If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be
reachable by Layer 2 multicast.
4. Log in to both appliances as the admin administrator account.
Accounts whose access profile includes Read and Write permissions to the System
Configuration area can configure HA, but may not have access to other features that may
be necessary when using HA, such as logs and network configuration.
5. On both appliances, go to System > Config > HA-Config.
To access this part of the web UI, your administrator account's access profile must have
Read and Write permission to items in the System Configuration category. For details, see
“Permissions” on page 47.
By default, each FortiWeb appliance operates as a single, standalone appliance: only the
Configured HA mode drop-down list appears, with the Standalone option selected.
6. From Configured HA mode, select Active-Passive.
Additional options appear that enable you to configure HA.
Maintain the heartbeat link(s). If the heartbeat is accidentally interrupted for an
active-passive HA group, such as when a network cable is temporarily disconnected, the
secondary appliance will assume that the primary unit has failed, and become the new
primary appliance. If no failure has actually occurred, both FortiWeb appliances will be
operating as primary appliances simultaneously.
To avoid unintentional failovers due to accidental detachment or hardware failure of a single
heartbeat link, set up two heartbeat links.
For example, you might link port3 to port3 on the other appliance, and link port4 to
port4 on the other appliance, then configure both appliances to use those network
interfaces for heartbeat and synchronization.
If you link HA appliances through switches, to improve fault tolerance and reliability, link the
ports through two separate switches. Do not connect these switches to your overall
network. Doing so could introduce a potential attack point, and could also allow network
load to cause latency in the heartbeat, which could cause an unintentional failover.
Fail-open is disabled when the FortiWeb appliance is configured as part of an HA pair. For
information on fail-to-wire, see “Fail-to-wire for power loss/reboots” on page 520.