Fortinet 99 FortiWeb 5.0 Patch 6 Administration Guide
For example, if:
• Detection Interval is 3 (i.e. 0.3 seconds)
• Heartbeat Lost Threshold is 2
• ARP Packet Numbers is 3
• ARP Packet Interval is 1
• Network switches etc. take 2 seconds to acknowledge and redirect traffic flow
then the total time between the first unacknowledged heartbeat and traffic redirection could be
up to 5.6 seconds.
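The following is an added worked example, not part of the FortiWeb guide, that reproduces the 5.6-second figure above and lets you compare alternative settings. The formula it uses (detection interval × heartbeat lost threshold, plus ARP packet count × ARP packet interval, plus switch convergence delay) is an assumption inferred from the numbers in the example; the guide does not state it, and the names `HaTiming`, `worst_case_seconds` and `rank_settings` are this example's own. The detection interval is treated as a count of 0.1-second units, as the guide's "3 (i.e. 0.3 seconds)" implies.

```python
"""Worst-case HA failover timing calculator (added example, not Fortinet code).

Assumed formula, inferred from the guide's 5.6 s example and not stated there:
    total = Detection Interval * 0.1 s * Heartbeat Lost Threshold
          + ARP Packet Numbers * ARP Packet Interval
          + switch convergence delay
"""
from dataclasses import dataclass

TENTHS_PER_SECOND = 10  # Detection Interval is expressed in units of 0.1 s


@dataclass(frozen=True)
class HaTiming:
    detection_interval: int        # units of 0.1 s; the guide's example uses 3 (0.3 s)
    heartbeat_lost_threshold: int  # missed heartbeats before the standby takes over
    arp_packet_numbers: int        # gratuitous ARP packets sent after takeover
    arp_packet_interval: int       # seconds between those ARP packets
    switch_delay: int = 0          # assumed: seconds for switches to relearn the path

    def __post_init__(self) -> None:
        # Guard against settings that make no sense (zero or negative counts/intervals).
        for name in ("detection_interval", "heartbeat_lost_threshold",
                     "arp_packet_numbers", "arp_packet_interval"):
            if getattr(self, name) < 1:
                raise ValueError(f"{name} must be at least 1")
        if self.switch_delay < 0:
            raise ValueError("switch_delay cannot be negative")

    def detection_seconds(self) -> float:
        """Time until the standby concludes the active appliance is down."""
        return self.detection_interval * self.heartbeat_lost_threshold / TENTHS_PER_SECOND

    def arp_seconds(self) -> float:
        """Time spent announcing the transferred IP address via gratuitous ARP."""
        return float(self.arp_packet_numbers * self.arp_packet_interval)

    def worst_case_seconds(self) -> float:
        """Upper bound from first unacknowledged heartbeat to redirected traffic.

        Computed in tenths of a second with integer arithmetic so that the
        result is exact (e.g. 5.6, not 5.6000000000000005).
        """
        tenths = (self.detection_interval * self.heartbeat_lost_threshold
                  + (self.arp_packet_numbers * self.arp_packet_interval
                     + self.switch_delay) * TENTHS_PER_SECOND)
        return tenths / TENTHS_PER_SECOND

    def breakdown(self) -> dict:
        """Per-phase contribution, useful when deciding which knob to tune."""
        return {
            "detection": self.detection_seconds(),
            "arp": self.arp_seconds(),
            "switch": float(self.switch_delay),
            "total": self.worst_case_seconds(),
        }


# The guide's own example values (switch delay of 2 s is the guide's assumption).
GUIDE_EXAMPLE = HaTiming(detection_interval=3, heartbeat_lost_threshold=2,
                         arp_packet_numbers=3, arp_packet_interval=1, switch_delay=2)


def rank_settings(candidates: list) -> list:
    """Return candidate HaTiming objects ordered from fastest to slowest failover.

    Note the trade-off this does not capture: a very short detection interval
    or low lost-heartbeat threshold also raises the chance of a false failover
    when the heartbeat link is briefly congested, so the fastest setting is not
    automatically the right one.
    """
    return sorted(candidates, key=lambda t: t.worst_case_seconds())


if __name__ == "__main__":
    for name, value in GUIDE_EXAMPLE.breakdown().items():
        print(f"{name:>9}: {value:.1f} s")
    for t in rank_settings([GUIDE_EXAMPLE,
                            HaTiming(3, 3, 3, 1, switch_delay=2),
                            HaTiming(2, 2, 2, 1, switch_delay=2)]):
        print(t, "->", t.worst_case_seconds(), "s")
```

Run it as a script to see the per-phase breakdown for the guide's numbers (0.6 s detection, 3 s ARP, 2 s switch, 5.6 s total) and a ranking of alternative settings; the ranking shows that the ARP and switch phases dominate the guide's example, so shaving the detection interval alone buys little.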
When the former active appliance comes back online, it may or may not assume its former
active role. For an explanation, see “How HA chooses the active appliance” on page 44. (At this
time, when an appliance is rejoining the cluster, FortiWeb will also send gratuitous ARP packets.
This helps to ensure that traffic is not accidentally forwarded to both the current and former
active appliance in cases where the cluster is connected through 2 switches.)
Figure 17 shows an example HA network topology with IP address transfer from the active
appliance to the standby appliance upon failover. In this example, the primary heartbeat link is
formed by a crossover cable between the two port3 physical network ports; the secondary
heartbeat link is formed between the two port4 physical network ports.
To configure FortiWeb appliances that are operating in HA mode, you usually connect only to
the active appliance. The active unit’s configuration is almost entirely synchronized to the
passive appliance, so that changes made to the active appliance are propagated to the standby
appliance, ensuring that it will be prepared for a failover.
Exceptions to this rule include:
• connecting to a standby appliance in order to view log messages recorded about the
standby appliance itself on its own hard disk
• connecting to a standby appliance to configure settings that are not synchronized (see
“Configuration settings that are not synchronized by HA” on page 42)
To configure HA
1. If the HA cluster will use FortiGuard services, license all FortiWeb appliances in the HA
group, and register them with the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Cable both appliances into a redundant network topology.
For an example, see Figure 17 on page 98.
If you license only the primary appliance in an active-passive HA group, after a failover, the
secondary appliance will not be able to use the FortiGuard service. This could cause traffic
to be scanned with out-of-date definitions, potentially allowing newer attacks.