FortiMail
Article Id 197477

Description

A common FortiMail HA configuration involves selecting add virtual IP/netmask to add a virtual IP address to a primary unit interface. You can then configure your network to send email traffic to the virtual IP address and this email traffic will be received by the primary unit. If a failover occurs, the backup unit inherits the same virtual IP address. The backup unit will then receive the email traffic sent to the virtual IP address.

See the "Configuring and operating FortiMail HA" chapter of the FortiMail Administration Guide for more details about the FortiMail HA virtual IP address configuration.

Components
  • FortiMail 2.8
  • Active-passive HA configuration

Note: In FortiMail 3.0 MR3 and newer releases, all outgoing sessions that originate from an interface configured with a virtual IP address use the virtual IP address of the interface as the source address and not the actual IP address.

Steps or Commands

Configuring virtual IP addresses for FortiMail active-passive HA configuration may produce unexpected results. Adding a virtual IP address to a FortiMail interface gives the interface two IP addresses: the virtual IP address and the actual IP address. The interface can receive traffic sent to both of these IP addresses.

Normally you would configure your network (MX records, firewall policies, routing and so on) so that incoming connections from clients and mail services use the virtual IP address. All replies to sessions with the virtual IP address include the virtual IP address as the source address. In this case, no special network configuration is required.

The reason for using the virtual IP configuration is that after a failover occurs, the backup unit inherits the virtual IP address. After a failover, all traffic to the virtual IP is received and processed by the backup unit, so email traffic continues to be processed after a failover.

However, for FortiMail 2.8, all outgoing sessions that originate from this interface use the actual IP address of the interface and not the virtual IP address. This means that for this release all outbound mail or relayed mail packets sent from a primary FortiMail unit interface configured with a virtual IP address will have the actual IP address of the primary unit interface as the source IP address. If you are using this interface to send outgoing email, you should configure your network devices (such as NAT firewalls) to process traffic from the actual primary unit interface IP address, as well as the virtual IP address.

Backup unit interfaces may have different actual IP addresses than primary unit interfaces. After an HA failover, all outbound mail or relayed mail packets sent from a secondary (backup) FortiMail unit interface, configured with a virtual IP address, will use the actual IP address of the backup unit interface as the source IP address. Therefore, in addition to the primary unit actual and virtual IP addresses, you must configure all network devices to also process traffic from the actual backup unit interface IP address.

For FortiMail 3.0 MR3 and newer releases, all outgoing sessions that originate from an interface configured with a virtual IP address use the virtual IP address of the interface as the source address and not the actual IP address. If you are using this interface to send outgoing email, you would configure your network devices (such as NAT firewalls) to process traffic from the virtual IP address. After a failover all outgoing sessions still use the virtual IP address even though traffic is now originating from the backup unit.

Note: If you use the set interface IP/netmask option the interface will only have one IP address. The set interface IP/netmask option replaces the actual IP address with the set IP address.

Additional Notes

Spammers cannot use a backup unit for sending spam because the SMTP service is shut down on the FortiMail unit that is operating as a backup unit.

Traffic can only connect to the virtual IP address of the FortiMail unit operating as a primary unit. A single MX record pointing at the virtual IP address is sufficient for all incoming client and SMTP email traffic to connect to this virtual IP address.

For outgoing traffic for FortiMail 2.8, if the FortiMail HA group is configured with public IP addresses and if you are using the virtual IP configuration, you require three public IP addresses. One for the virtual IP address, one for the actual address of the primary unit interface, and one for the actual address of the backup unit.

All these IP addresses must be resolvable. It is especially important that the primary and backup unit actual IP addresses are resolvable, because these IP addresses are the source IP addresses for traffic sent to external Mail Transfer Agents (MTAs).

However, if the FortiMail HA group is installed behind a NAT firewall, the virtual IP address and the two actual IP addresses can all be private IP addresses. You can then configure the NAT firewall so that outgoing traffic from all three of these internal IP addresses is mapped to one external IP address. Only this single external IP address needs to be resolvable, and only packets from this external IP address are sent to external MTAs.

For outgoing traffic for FortiMail 3.0 MR3 and newer releases, if the FortiMail HA group is configured with public IP addresses and if you are using the virtual IP configuration, you only require one public IP address: the virtual IP address. If the FortiMail 3.0 MR3 and newer releases FortiMail HA group is installed behind a NAT firewall you only have to map one IP address (the virtual IP address) to an external IP address.
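As an added example (not from this article or from Fortinet), the following Python script models the source-address rules described above for both release branches and works out what a practitioner would verify before going live: which source addresses firewall and NAT rules must admit before and after a failover, how many public addresses or NAT mappings that implies, and whether each source address has forward-confirmed reverse DNS, since the article stresses that every source address must be resolvable. The IP addresses, hostnames and DNS records are constructed for the example; the version helper assumes version strings written like "2.8" or "3.0 MR3".

```python
"""Model of the outbound source IP a FortiMail active-passive HA group uses,
before and after failover, and of what the surrounding network must handle.

Added example. Behaviour modelled, as described in the article:
  - FortiMail 2.8: outbound sessions use the interface's actual IP, which
    differs between the primary and the backup unit.
  - FortiMail 3.0 MR3 and newer: outbound sessions use the virtual IP on
    both units, so only one address is ever seen externally.
All addresses, hostnames and DNS records below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HaInterface:
    """One HA interface: the shared virtual IP plus each unit's actual IP."""
    virtual_ip: str
    primary_actual_ip: str
    backup_actual_ip: str

    def __post_init__(self):
        # Reject typos early; ip_address() raises ValueError on bad input.
        for ip in (self.virtual_ip, self.primary_actual_ip, self.backup_actual_ip):
            ipaddress.ip_address(ip)


def parse_version(version: str) -> tuple:
    """Turn '2.8', '3.0 MR3' or '3.0MR5' into a comparable (major, minor, mr) tuple.
    Assumed format; a release with no MR suffix counts as MR0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*(?:MR\s*(\d+))?\s*", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised FortiMail version string: {version!r}")
    major, minor, mr = m.groups()
    return (int(major), int(minor), int(mr or 0))


VIP_AS_SOURCE_SINCE = (3, 0, 3)  # 3.0 MR3 and newer use the VIP as source


def outbound_source_ip(version: str, iface: HaInterface, failed_over: bool) -> str:
    """Source IP of mail relayed out of this interface, with or without a failover."""
    if parse_version(version) >= VIP_AS_SOURCE_SINCE:
        return iface.virtual_ip
    return iface.backup_actual_ip if failed_over else iface.primary_actual_ip


def required_source_ips(version: str, iface: HaInterface) -> set:
    """Every address that outbound firewall/NAT rules must accept over the HA lifetime."""
    return {
        outbound_source_ip(version, iface, failed_over=False),
        outbound_source_ip(version, iface, failed_over=True),
    }


def all_ha_ips(version: str, iface: HaInterface) -> set:
    """Inbound always needs the VIP; outbound adds whatever other source IPs appear."""
    return {iface.virtual_ip} | required_source_ips(version, iface)


def public_ips_needed(version: str, iface: HaInterface) -> int:
    """Count of public addresses needed when the HA group is not behind NAT."""
    return len(all_ha_ips(version, iface))


def snat_mappings(version: str, iface: HaInterface, external_ip: str) -> dict:
    """Internal address -> single external address the NAT firewall must map."""
    return {ip: external_ip for ip in sorted(all_ha_ips(version, iface))}


# Constructed DNS data standing in for what a resolver would return.
FORWARD = {"mail.example.com": "203.0.113.10",     # VIP
           "mail-a.example.com": "203.0.113.11"}   # primary unit actual IP
REVERSE = {"203.0.113.10": "mail.example.com",
           "203.0.113.11": "mail-a.example.com"}
# 203.0.113.12 (backup unit actual IP) deliberately has no PTR record.


def unresolvable_sources(version, iface, forward=FORWARD, reverse=REVERSE) -> set:
    """Source IPs lacking forward-confirmed reverse DNS (PTR -> name -> A -> same IP)."""
    bad = set()
    for ip in required_source_ips(version, iface):
        name = reverse.get(ip)
        if name is None or forward.get(name) != ip:
            bad.add(ip)
    return bad


if __name__ == "__main__":
    iface = HaInterface("203.0.113.10", "203.0.113.11", "203.0.113.12")
    for ver in ("2.8", "3.0 MR3"):
        print(f"FortiMail {ver}: source {outbound_source_ip(ver, iface, False)}, "
              f"after failover {outbound_source_ip(ver, iface, True)}, "
              f"public IPs needed {public_ips_needed(ver, iface)}, "
              f"sources without FCrDNS {unresolvable_sources(ver, iface) or 'none'}")
```

Running the script with the sample data reports that the 2.8 deployment needs three public addresses and that the backup unit's actual address is the one that would fail a reverse-DNS check, exactly the case that only shows up after a failover; the 3.0 MR3 deployment needs one address and passes.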
