Fortinet 41 FortiWeb 5.0 Patch 6 Administration Guide
Failover is triggered by any interruption to either the heartbeat or a port monitored network
interface whose length of time exceeds your configured limits (Detection Interval x Heartbeat
Lost Threshold). When the active (“main”) appliance becomes unresponsive, the standby
appliance:
1. Notifies the network via ARP that the network interface IP addresses (including the IP
address of the bridge, if any) are now associated with its virtual MAC addresses
2. Assumes the role of the active appliance and scans network traffic
To keep the standby appliance ready in case of a failover, HA pairs also use the heartbeat link to
automatically synchronize most of their configuration. Synchronization includes:
core CLI-style configuration file (fwb_system.conf)
• X.509 certificates, certificate request files (CSR), and private keys
HTTP error pages
FortiGuard IRIS Service database
FortiGuard Security Service files (attack signatures, predefined data types & suspicious
URLs, known web crawlers & content scrapers, global white list, vulnerability scan
signatures)
Geography-to-IP database
and occurs immediately when an appliance joins the cluster, and thereafter every 30 seconds.
Although they are not automatically synchronized for performance reasons due to large size and
frequent updates, you can manually force HA to synchronize FortiGuard Antivirus signatures.
For instructions, see execute ha synchronize in the FortiWeb CLI Reference. For a list of
settings and data that are not synchronized, see “Data that is not synchronized by HA” and
“Configuration settings that are not synchronized by HA”.
See also
Configuring a high availability (HA) FortiWeb cluster
Replicating the configuration without FortiWeb HA (external HA)
Data that is not synchronized by HA
In addition to HA configuration, some data is also not synchronized.
FortiWeb HTTP sessions — FortiWeb appliances can use cookies to add and track its own
sessions, functionality that is not inherently provided by HTTP. For more information, see
“HTTP sessions & security” on page 34. This state-tracking data corresponds in a 1:1 ratio
If you do not want to configure HA (perhaps you have a separate network appliance
implementing HA externally), you can still replicate the FortiWeb’s configuration on another
FortiWeb appliance. For more information, see “Replicating the configuration without FortiWeb
HA (external HA)” on page 107