Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AtiT
Valued Contributor

FortiAnalyzer Cluster in 6.0

Hello,

Did anyone tried to configure the cluster feature on the FortiAnalyzer in 6.0 version?

 

I cannot get it work. Only it seems that the two FAZ 1000E are in the cluster for a few minutes and after that the HA cluster DOWN, cause=keepalive failure log appears. They are not in cluster anymore.

Also the hearbeat interval has to be set to 1, other number is not working.

 

Could anyone give me some hint how to get it work?

 

AtiT

AtiT
6 REPLIES 6
mantaransingh_FTNT

Hi AtiT

 

If the keepalive failure messages are getting generated, can you please check if there is any packet loss between peer network.

 

Can you also try disabling the INITIAL Sync on the Master device and then form HA.

 

Regards

Mantaran Singh

Fortinet TAC

 

mantaransingh
AtiT

Hello,

Thank you for your help.

 

I tried to replace the cables and I also connected the 2 FAZs directly but not helped.

I disabled the Initial sync on the both units and I can see in the logs that the both units are in Master mode and they are not synced, HA connection down.

 

Maybe the HA feature has to be licensed...?

AtiT

AtiT
AtiT
Valued Contributor

Hello,

I turned off the two untis yestarday and today when I turned them on I could see tha cluster working with the config sync OK.

So I tried to enable log sync but I was not able to do it from the GUI -> Uknown error.

I did it from the CLI but the situation is the same, logs are not synced.

 

AtiT

AtiT
virtualj
New Contributor

Hello,

what version of FAZ do you use? Did you try the new 6.0.2? Can you tell me what protocol is used to sync the logs between the FAZs? Are they compressed?

The VRRP IP must be in the same L2 I think... It is not possible to do an L3/geographic cluster?

I'm really interested to this feature... If it works! ;)

 

Thank you.

 

Regards.

NSE 7

NSE 7
AtiT
Valued Contributor

Hello,

I had the two FAZ 1000E only for a little time and I have no possibility to test it now as they are in production with 5.6.4 OS.

Probably the best way would be to ask for two eval licenses the Fortinet and test the feature in virtual environment.

AtiT

AtiT
virtualj
New Contributor

Good idea.

I've done two FAZ VM and configured HA.

It seems that the cluster needs an L2 shared because it uses VRRP for cluster IP (to configure in the fortigates).

But the cluster synchronization is done also on geographic L3 link (it requires only the IP of the other FAZ and SN). The configuration sync is done on the port TCP 5199, while log sync is done in TCP 514. It is encrypted, but I don't think it is compressed.

All seems functional and very beautifull! Hope it works well in production too :) Cluster is up from 25 minutes, I've only one devices connected and few logs

NSE 7

NSE 7
Labels
Top Kudoed Authors