FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Not applicable
Article Id 191747
Article
DescriptionUsing the same FortiMail network interface for HA synchronization and other network traffic is not recommended. If other network traffic, HA heartbeat traffic, and HA synchronization traffic all use the same network interface, the operation of the HA group could be interrupted.
Components
  • FortiMail 2.x and v3.0
  • High availability (HA)
Steps or Commands

It is recommended to isolate FortiMail high availability (HA) traffic from other network traffic. Heartbeat and synchronization packets contain sensitive configuration information and can consume considerable network bandwidth. For an active-passive or a config only HA group consisting of only two FortiMail units, directly connect the network interfaces that are being used for HA traffic using a crossover cable. For a config only HA group consisting of more than two FortiMail units, connect the network interfaces that are being used for HA traffic to a switch and do not connect this switch to your overall network.

If you use the same network interface for other types of network traffic, HA heartbeat traffic, and HA synchronization traffic, the HA group could lose HA heartbeat packets. Losing HA heartbeat packets interrupts the operation of the FortiMail HA group. For example, an active-passive HA group can experience a split brain scenario where both of the FortiMail units in the HA group become primary units. Two primary units connected to the same network may cause address conflicts on your network because matching network interfaces will have the same IP addresses. Also, because the HA link is interrupted, the FortiMail units in the HA group cannot synchronize configuration changes or mail data changes.

As a result, in general, you should use the default HA interface for HA heartbeat and HA synchronization traffic, and use network interfaces such as port1 and port2 for other network traffic.