FortiGate
Article Id 193488

Components

FortiGate HA Cluster (FortiOS 3.0)

Description

How FortiOS v3.0 HA incremental synchronization synchronizes HA cluster configuration changes.

Incremental Synchronization

When you log into the cluster's web-based manager or CLI to make configuration changes, you are actually logging into the primary unit. All configuration changes are first made on the primary unit; incremental synchronization then immediately pushes them to all subordinate units. When you log into a subordinate unit's CLI (for example, with execute ha manage), any configuration changes you make there are likewise immediately synchronized to all cluster units, including the primary unit, by the same process.

Whenever a change is made to a cluster unit's configuration, incremental synchronization sends the same configuration change to all other cluster units over the HA heartbeat link. An HA synchronization process running on each cluster unit receives the configuration change and applies it to that unit. The HA synchronization process makes the change by entering a CLI command that appears to have been entered by the administrator who made the configuration change in the first place. Because the change is replayed under that administrator's name, the replicated log entries carry the same user; only the ui field distinguishes a command entered locally from one replayed by the synchronization process.

The synchronization process itself is silent: no log messages describe the synchronization activity. The replayed configuration change, however, is logged on each cluster unit as an ordinary admin event. To see this, enable event logging, set the minimum severity level to Information, and compare the event log messages written by the cluster units when you make a configuration change.

Example: configuration change synchronized from primary unit to subordinate unit

The following event log message is written by the primary unit when the admin administrator adds firewall policy 3 by connecting to the web-based manager from a management PC with IP address 172.20.120.14 using HTTPS or HTTP:

2006-10-20 09:52:20 log_id=0104032126 type=event subtype=admin pri=notice vd=root user="admin" ui=GUI(172.20.120.14) seq=3 msg="User admin added new firewall policy 3 from GUI(172.20.120.14)"

When incremental synchronization makes the same change to a subordinate unit the subordinate unit writes the following log message:

2006-10-20 09:52:20 log_id=0104032126 type=event subtype=admin pri=notice vd=root user="admin" ui=ha_daemon seq=3 msg="User admin added new firewall policy 3 from ha_daemon"

Notice that the two messages are identical except that on the subordinate unit the ui (user interface) is ha_daemon. ha_daemon is the name of the user interface used by the HA synchronization process to make incremental synchronization configuration changes. When auditing who changed what, treat ha_daemon entries as replicated copies: the administrator's real source address appears only in the entry written by the unit on which the change was entered.

Example: configuration change synchronized from subordinate unit to primary unit

The following event log message is written by a subordinate unit after the admin administrator logs into the subordinate unit CLI using the execute ha manage command and adds firewall policy 6.

2006-10-20 11:29:46 log_id=0104032126 type=event subtype=admin pri=notice vd=root user="admin" ui=telnet(10.0.0.1) seq=6 msg="User admin added new firewall policy 6 from telnet(10.0.0.1)"

Notice that the user interface is telnet(10.0.0.1). 10.0.0.1 is the IP address of the primary unit's HA heartbeat interface. The log message shows that the execute ha manage command sets up a telnet session from the primary unit to the subordinate unit over the HA heartbeat link. Because this management session, like the synchronization traffic, is carried over the heartbeat link, the heartbeat interfaces should be connected directly or through an isolated switch rather than shared with user traffic.

When incremental synchronization makes the same change to the primary unit, the primary unit writes the following log message:

2006-10-20 11:29:47 log_id=0104032126 type=event subtype=admin pri=notice vd=root user="admin" ui=ha_daemon seq=6 msg="User admin added new firewall policy 6 from ha_daemon"

Notice again that the messages are identical except for the ui field.
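As an added example (not part of the original article and not FortiOS code), the following Python script applies the distinction described in both examples above to event log lines collected from the cluster units: it parses the key=value format, strips the "from <ui>" suffix so that an original entry and its ha_daemon copy share an action string, reports on which unit each change was entered and on which units it was replayed, flags ha_daemon entries with no originating entry in the collected logs, and picks out changes made over a telnet session from a heartbeat address (that is, through execute ha manage). The sample lines are constructed from the four messages quoted above plus one extra ha_daemon line; the unit names and the set of heartbeat addresses are assumptions, since the log lines themselves carry no host name.

```python
import re

# Constructed sample: the four messages quoted in the article plus one extra
# ha_daemon entry (seq=9) with no originating admin entry. The unit name in
# each tuple is an assumption; FortiOS 3.0 log lines do not carry a host name.
SAMPLE_LOG = [
    ("FGT-primary",
     '2006-10-20 09:52:20 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
     'user="admin" ui=GUI(172.20.120.14) seq=3 '
     'msg="User admin added new firewall policy 3 from GUI(172.20.120.14)"'),
    ("FGT-subordinate",
     '2006-10-20 09:52:20 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
     'user="admin" ui=ha_daemon seq=3 '
     'msg="User admin added new firewall policy 3 from ha_daemon"'),
    ("FGT-subordinate",
     '2006-10-20 11:29:46 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
     'user="admin" ui=telnet(10.0.0.1) seq=6 '
     'msg="User admin added new firewall policy 6 from telnet(10.0.0.1)"'),
    ("FGT-primary",
     '2006-10-20 11:29:47 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
     'user="admin" ui=ha_daemon seq=6 '
     'msg="User admin added new firewall policy 6 from ha_daemon"'),
    ("FGT-subordinate",
     '2006-10-20 12:03:10 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
     'user="admin" ui=ha_daemon seq=9 '
     'msg="User admin added new firewall policy 9 from ha_daemon"'),
]

# Assumed heartbeat addresses of the cluster units (10.0.0.1 is the primary's, per the article).
HEARTBEAT_IPS = {"10.0.0.1", "10.0.0.2"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value optionally quoted
UI_RE = re.compile(r'^(\w+)(?:\((.*)\))?$')            # e.g. GUI(172.20.120.14) or ha_daemon
FROM_RE = re.compile(r' from \S+$')                    # trailing "from <ui>" in msg


def parse_event(unit, line):
    """Parse one FortiOS 3.0 event-log line into a dict, tagging it with the collecting unit."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["timestamp"] = " ".join(line.split()[:2])
    fields["unit"] = unit
    m = UI_RE.match(fields.get("ui", ""))
    fields["ui_type"], fields["ui_addr"] = (m.group(1), m.group(2)) if m else ("", None)
    # Drop the "from <ui>" suffix so an original entry and its replayed copy compare equal.
    fields["action"] = FROM_RE.sub("", fields.get("msg", ""))
    fields["synced"] = fields["ui_type"] == "ha_daemon"
    return fields


def correlate(events):
    """Group each direct admin change with the ha_daemon copies written on the other units."""
    groups = {}
    for e in events:
        key = (e.get("user"), e["action"])
        g = groups.setdefault(key, {"user": key[0], "action": key[1], "origin": None, "synced_to": []})
        if e["synced"]:
            g["synced_to"].append(e["unit"])
        else:
            g["origin"] = {"unit": e["unit"], "ui_type": e["ui_type"],
                           "ui_addr": e["ui_addr"], "seq": e.get("seq")}
    return list(groups.values())


def orphan_syncs(groups):
    """Replayed changes whose originating admin entry is absent from the collected logs."""
    return [g for g in groups if g["origin"] is None and g["synced_to"]]


def heartbeat_sessions(events, heartbeat_ips):
    """Direct changes entered over telnet from a heartbeat address, i.e. via execute ha manage."""
    return [e for e in events
            if not e["synced"] and e["ui_type"] == "telnet" and e["ui_addr"] in heartbeat_ips]


if __name__ == "__main__":
    events = [parse_event(u, l) for u, l in SAMPLE_LOG]
    groups = correlate(events)
    for g in groups:
        o = g["origin"]
        where = f"{o['unit']} via {o['ui_type']}({o['ui_addr']})" if o else "UNKNOWN (no direct entry)"
        print(f"{g['action']!r}: entered on {where}; replayed on {g['synced_to']}")
    for g in orphan_syncs(groups):
        print(f"orphan ha_daemon change, check log coverage: {g['action']!r}")
    for e in heartbeat_sessions(events, HEARTBEAT_IPS):
        print(f"execute ha manage session on {e['unit']} from {e['ui_addr']}: {e['action']!r}")
```

An orphan ha_daemon entry is not by itself a fault: it usually means the originating unit's log was not collected, or the change was made on a unit whose event logging is below Notice. Either way it is the entry an auditor cannot attribute to a source address, so it deserves a second look.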