Fortinet FortiGate FortiGate-5001 Administration Manual page 91

Fortigate 5000 series

System Config
FortiGate-5000 series Administration Guide
A second HA feature, called load balancing, can be used to increase firewall
performance. A cluster of FortiGate units can increase overall network performance
by sharing the load of processing network traffic and providing security services. The
cluster appears to your network to be a single device, adding increased performance
without changing your network configuration.
The FortiGate Clustering Protocol (FGCP)
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.
The FortiGate units in the cluster use ethernet interfaces to communicate cluster
session information, synchronize the cluster configuration, synchronize the cluster
routing table, and report individual cluster member status. In the cluster, these
ethernet interfaces are called heartbeat devices and the communication between
cluster units is called the HA heartbeat. Using the HA heartbeat, cluster units are
constantly communicating HA status information to make sure that the cluster is
operating properly.
FortiGate HA and the FGCP support link failover, device failover, and HA heartbeat
failover.
Link failover
If one of the links to a FortiGate unit in an HA cluster fails, all functions, all
established firewall connections, and all IPSec VPN sessions[a] are maintained
by the other FortiGate units in the HA cluster. For information about link
failover, see "Monitor priorities" on page 98.
Device failover
If one of the FortiGate units in an HA cluster fails, all functions, all established
firewall connections, and all IPSec VPN sessions are maintained by the other
FortiGate units in the HA cluster.
HA heartbeat failover
You can configure multiple interfaces to be HA heartbeat devices. If an
interface functioning as an HA heartbeat device fails, the HA heartbeat is
transferred to another interface also configured as an HA heartbeat device.
a. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
HA modes
FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as failover HA, consists of a
primary unit that processes traffic, and one or more subordinate units. The
subordinate units are connected to the network and to the primary unit but do not
process traffic.
Active-active (A-A) HA load balances network traffic to all of the cluster units. An
active-active HA cluster consists of a primary unit that processes traffic and one or
more subordinate units that also process traffic. The primary unit uses a load
balancing algorithm to distribute processing to all of the cluster units in the HA cluster.
01-28008-0013-20050204
