How does high-availability work on FortiAnalyzer?
Unpacking the basics of HA on FAZ
💡 This is part of an ongoing series on cybersecurity foundations. Check the Cyber 101 article tag index from time to time for more content.
Logging is only helpful if logs are available, right?
Depending on the model, an individual (hardware) FortiAnalyzer device can have local RAID, which protects you from a failed disk. But what if, say, the silicon melts down and the entire device becomes unavailable? RAID does nothing for you then. How can FortiAnalyzer be architected for high availability?
Here are the key points about FortiAnalyzer HA:
- FortiAnalyzer devices can form a cluster with a maximum size of four devices (one primary and up to three secondaries).
- All members of the cluster need to be the same series/model, run the same firmware version, and be able to reach each other on the network (obviously 😄).
- Within an HA cluster, all logs and data are synchronized across the members.
- Even though the data itself is synchronized, the HA members can serve different purposes. For example, secondary devices can be used for running reports.
- There are two HA operation modes:
  - Active-Active: members communicate with one another over their heartbeat interfaces and do not need to share a layer-2 segment, so the units can sit in geographically different locations.
  - Active-Passive: this requires a layer-2 connection between the FAZ devices, so the cluster members need to be close to one another (typically within the same site or region).
- HA requires one FAZ unit to be designated as primary. If there is no primary yet, the clustering protocol elects one using the following rules, checked in this order:
  - Which device has the highest priority value? Every cluster member has a priority integer with a default of 100 and a configurable range of 80 to 120; the higher the number, the more preferred the device. If all cluster candidates share the same priority, the protocol falls back to the next consideration, which is...
  - Which device has the highest IP address? For example, a device with 1.2.3.5 is preferred over a device with 1.2.3.4.
- Once a cluster is established and has a primary, that device stays primary; the election is not re-run just because a member with a higher priority or IP address joins later. The role only moves when the primary becomes unavailable.
- Once HA is established, the following module configurations are synchronized between members:
  - All ADOMs
  - Admin
  - Certificates > CA Certificates
  - Certificates > CRL
  - Log Forwarding
  - Task Monitor
  - Advanced > Mail Server
  - Advanced > Syslog Server
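To make the points above concrete, here is what a two-member Active-Passive cluster looks like in the FortiAnalyzer CLI. This is an added example, not configuration from the original post or from Fortinet's documentation. The hostnames, IP addresses, serial numbers and shared secret are constructed placeholders, and the `config system ha` option names are the keywords as I recall them from the FAZ CLI; check them against the CLI reference for the firmware you run before pasting. The primary is deliberately given a higher priority than the default so the initial election is decided by priority rather than by the IP-address tie-breaker.

```text
# faz-a (10.10.10.11): intended primary. Constructed example values.
config system ha
    # a-p needs layer-2 adjacency for the VIP; a-a lifts that requirement
    set mode a-p
    # group-id, group-name and password must match on every member
    set group-id 10
    set group-name faz-cluster
    set password ExampleHaSecret1
    # dedicated heartbeat link; hb-interval is seconds between heartbeats,
    # failover-threshold is how many missed heartbeats trigger a failover
    set hb-interface port2
    set hb-interval 5
    set failover-threshold 3
    # 80-120, default 100; the highest value wins the initial election
    set priority 110
    # the address log sources point at; it follows the primary role
    set vip 10.10.10.10
    set vip-interface port1
    set log-sync enable
    config peer
        edit 1
            set ip 10.10.10.12
            set serial-number FAZ-VM0000000002
            set status enable
        next
    end
end

# faz-b (10.10.10.12): intended secondary. Same cluster settings,
# default priority, peer entry pointing back at faz-a.
config system ha
    set mode a-p
    set group-id 10
    set group-name faz-cluster
    set password ExampleHaSecret1
    set hb-interface port2
    set hb-interval 5
    set failover-threshold 3
    set priority 100
    set vip 10.10.10.10
    set vip-interface port1
    set log-sync enable
    config peer
        edit 1
            set ip 10.10.10.11
            set serial-number FAZ-VM0000000001
            set status enable
        next
    end
end
```

Two things worth remembering when you apply this. First, because the primary role is never preempted, if faz-a fails and faz-b takes over, bringing faz-a back does not hand the role back to it despite its higher priority; if you want faz-a primary again you have to cause a failover yourself. Second, the priority field is the only knob that lets you choose the primary deliberately; if you leave both members at the default of 100, the member with the higher IP address wins, which is rarely the one you had in mind. After committing the configuration on both members, confirm the roles and synchronization state as described in the "Monitoring HA status" guide linked below.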
For additional information, check out these resources:
- High Availability | Administration Guide
- Configuring HA options | Administration Guide
- Monitoring HA status | Administration Guide