FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197001
Description

HA remote IP monitoring (also called HA ping server) is similar to HA port monitoring. Port monitoring causes a cluster to fail over if a monitored primary unit interface fails or is disconnected. Remote IP monitoring uses ping servers configured on FortiGate interfaces on the primary unit to test connectivity with one or more IP addresses of network devices. Usually these would be IP addresses of network devices not directly connected to the cluster. Remote IP monitoring can cause a failover if one or more of these remote IP addresses does not respond to a ping server.

Components: FortiOS v3.0 MR6
Steps or Commands

By being able to detect failures in network equipment not connected directly to the cluster, remote IP monitoring can be useful in a number of ways depending on your network configuration. In the simplified example topology shown in Figure 1, the switch connected directly to the primary unit is operating normally but the link on the other side of the switch has failed. As a result of the failure, traffic can no longer pass between the primary unit and the Internet.

To detect this failure you can create a remote IP monitoring configuration consisting of a ping server on port2 of the cluster. The primary unit tests connectivity to 192.168.20.20. If the ping server cannot reach 192.168.20.20, the cluster fails over and the subordinate unit becomes the new primary unit. The remote HA monitoring ping server on the new primary unit can reach 192.168.20.20. As well, the new primary unit can connect to the Internet, so the failover maintains connectivity between the internal network and the Internet through the cluster.

Figure 1: Example HA remote IP monitoring topology

To configure remote IP monitoring

  1. Enter the following commands to configure HA remote IP monitoring for the example topology.

    config system ha
      set pingserver-monitor-interface port2
      set pingserver-failover-threshold 10
      set pingserver-flip-timeout 120
    end

    • Enter the pingserver-monitor-interface keyword to enable HA remote IP monitoring on port2.
    • Enter the pingserver-failover-threshold keyword to set the HA remote IP monitoring failover threshold to 10. If one or more ping servers fail, cluster failover occurs when the sum of the priorities of all failed ping servers reaches or exceeds this threshold. You set the priority for each ping server using the ha-priority keyword as described in step 2 below.
    • Enter the pingserver-flip-timeout keyword to set the flip timeout to 120 minutes. After a failover, if HA remote IP monitoring on the new primary unit would also cause a failover, the flip timeout prevents that failover from occurring until the timer runs out. Setting pingserver-flip-timeout to 120 means that remote IP monitoring can cause a failover at most once every 120 minutes. The flip timeout is required to prevent repeated failovers when none of the cluster units can reach the monitored IP addresses, since otherwise each unit in turn would fail over as soon as it became primary.
  2. Enter the following commands to add the ping server to the port2 interface and to set the HA remote IP monitoring priority for this ping server.

    config system interface
      edit port2
        set detectserver 192.168.20.20
        set ha-priority 10
      next
    end

    • Enter the detectserver keyword to add the ping server and set the ping server IP address to 192.168.20.20.
    • Enter the ha-priority keyword to set the HA remote IP monitoring priority of the ping server to 10 so that if this ping server does not connect to 192.168.20.20 the HA remote IP monitoring priority will be high enough to reach the failover threshold and cause a failover.
  3. You can also use the config system global command to change the time interval in seconds between ping server pings using the interval keyword, and to change the number of consecutive pings that must fail before a ping server is considered failed using the failtime keyword. Together these determine how long an outage must last before remote IP monitoring reacts to it.
  4. You can also do the following to configure HA remote IP monitoring to test more IP addresses:
    • Enable HA remote IP monitoring on more interfaces by adding more interface names to the pingserver-monitor-interface keyword.
    • If your FortiGate configuration includes VLAN interfaces, aggregate interfaces and other interface types, you can add the names of these interfaces to the pingserver-monitor-interface keyword to configure HA remote IP monitoring for these interfaces.
    • Add HA ping servers to other interfaces using the detectserver keyword to add the ping server and the ha-priority keyword to make the ping server an HA ping server and configure the priority of the ping server.
    • Add a second IP address to the detectserver keyword to monitor two IP addresses on each interface.
    • Note: If you add two IP addresses to the detectserver keyword the ping will be sent to both at the same time, and only when neither server responds will the ping server fail.

    • Add secondary IPs to any interface and enter detectserver and ha-priority for each of the secondary IPs. You can do this to monitor multiple IP addresses on any interface and set a different HA priority for each one.

Ping server priority and the failover threshold

When one HA ping server fails, its priority is compared with the failover threshold. If the priority is greater than or equal to the failover threshold, HA remote IP monitoring triggers an HA failover. If the priority is less than the failover threshold, a failover does not occur. If an HA remote IP monitoring configuration includes only one HA ping server, its priority should be the same as or higher than the failover threshold.

When more than one ping server fails, the total of the priorities of the failed ping servers is compared with the failover threshold. An HA failover is triggered only if the total of the priorities is greater than or equal to the failover threshold. If you have configured two HA ping servers both with priorities of 10 and if the failover threshold is 20, an HA failover occurs only when both ping servers fail. If you have configured three ping servers all with priorities of 10 and if the failover threshold is 20, a failover occurs if any two ping servers fail. And so on.

By adding multiple ping servers to the remote HA monitoring configuration and setting the HA priorities for each, you can fine tune remote IP monitoring. For example, if it is more important to maintain connections to some remote IP addresses you can set the HA priorities higher for these important IP addresses. And if it is less important to maintain connections to other remote IP addresses you can set the HA priorities lower for these. You can also adjust the failover threshold so that if the cluster cannot connect to one or two high priority IP addresses a failover occurs. But a failover will not occur if the cluster cannot connect to one or two low priority IP addresses.
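The following is a complete configuration that carries the procedure in steps 1 to 4 through for three monitored interfaces and shows the priority arithmetic described in this section. It is an added example and is not taken from the original article. The interface names port3 and port4, the addresses 192.168.20.21, 10.10.30.5 and 10.10.40.5, the priority values and the interval and failtime values are assumptions chosen for illustration; the placement of interval and failtime under config system global follows step 3 above. Lines beginning with # are comments.

```fortios
# Added example (not from the original article): HA remote IP monitoring on
# three interfaces with weighted ping server priorities. The names port3 and
# port4, the addresses 192.168.20.21, 10.10.30.5 and 10.10.40.5, and all
# timer and priority values are assumed for illustration.

# Step 3: ping every 5 seconds and treat a ping server as failed only after
# 5 consecutive misses, so a ping server is declared down after roughly 25
# seconds of lost connectivity rather than on a single dropped packet.
config system global
  set interval 5
  set failtime 5
end

# Steps 1 and 4: enable HA remote IP monitoring on port2, port3 and port4.
# A failover happens only when the priorities of the failed ping servers add
# up to 20 or more, and at most once every 120 minutes (flip timeout).
config system ha
  set pingserver-monitor-interface port2 port3 port4
  set pingserver-failover-threshold 20
  set pingserver-flip-timeout 120
end

# Steps 2 and 4: one ping server per interface.
#   port2 (10) alone:          10 < 20  -> no failover
#   port4 (5) alone:            5 < 20  -> no failover
#   port2 + port4 (10 + 5):    15 < 20  -> no failover
#   port2 + port3 (10 + 10):   20 >= 20 -> failover
# So losing the two important paths fails the cluster over; losing the
# low-priority path on port4 never does on its own.
config system interface
  edit port2
    # Two upstream addresses: this ping server fails only if neither replies.
    set detectserver 192.168.20.20 192.168.20.21
    set ha-priority 10
  next
  edit port3
    set detectserver 10.10.30.5
    set ha-priority 10
  next
  edit port4
    set detectserver 10.10.40.5
    set ha-priority 5
  next
end
```

To check the behaviour before relying on it, block ICMP from the primary unit to both 192.168.20.20 and 192.168.20.21 upstream of the switch: after about failtime times interval seconds the unit should log the critical message Ping Server is down for port2, but no failover should occur until the port3 ping server also fails, and a second failover cannot follow the first for 120 minutes.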

Flip timeout

The HA remote IP monitoring configuration also involves setting a flip timeout. The flip timeout is required to reduce the frequency of failovers if, after a failover, HA remote IP monitoring on the new primary unit also causes a failover. This can happen if the new primary unit cannot connect to one or more of the monitored remote IP addresses. The result could be that until you fix the network problem that blocks connections to the remote IP addresses, the cluster will experience repeated failovers. You can control how often the failovers occur by setting the flip timeout. The flip timeout stops HA remote IP monitoring from causing a failover until the primary unit has been operating for the duration of the flip timeout.

If you set the flip timeout to a relatively high number of minutes you can find and repair the network problem that prevented the cluster from connecting to the remote IP address without the cluster experiencing very many failovers. Even if it takes a while to detect the problem, repeated failovers at relatively long time intervals do not usually disrupt network traffic.

Detecting HA remote IP monitoring failovers

Just as with any HA failover, you can detect HA remote IP monitoring failovers by using SNMP to monitor for HA traps. You can also use alert email to receive notifications of HA status changes and monitor log messages for HA failover log messages. In addition, FortiGate units send the critical log message Ping Server is down when a ping server fails. The log message includes the name of the interface that the ping server has been added to.