Measures reported by FgFnHaStatusTest
FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. FortiGate HA consists of two or more FortiGate units operating as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering.
Inside the cluster, the individual FortiGate units are called cluster units. These cluster units share state and configuration information. If one cluster unit fails, the other units in the cluster automatically replace that unit, taking over the work that the failed unit was doing. The cluster continues to process network traffic and provide normal FortiGate services with virtually no interruption. The ability of an HA cluster to continue providing firewall services after a failure is called failover.
A second HA feature, called load balancing, can be used to increase firewall performance. A cluster of FortiGate units can increase overall network performance by sharing the load of processing network traffic and providing security services. Periodically, you may want to check the network traffic processed by each cluster unit, so as to assess the efficiency with which the HA cluster balances load, isolate overloaded units, and thereby spot load balancing irregularities (if any) early. This test enables you to achieve this end.
This test monitors each FortiGate unit in an HA cluster, reports the resource usage of each unit, and also tracks the network traffic processed by every unit, so that resource-hungry and overloaded units can be quickly identified.
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Cpu_usage | This metric represents the current CPU usage of this unit of the firewall cluster. | Percent | A value close to 100% indicates a CPU bottleneck on a cluster unit. Compare the value of this measure across cluster units to identify the CPU-hungry unit. |
| Memory_usage | This metric represents the current memory usage of this firewall cluster unit. | MB | A consistent increase in the value of this measure could indicate that a cluster unit is experiencing a memory drain. Compare the value of this measure across cluster units to identify the memory-hungry unit. |
| Net_usage | This metric indicates the current network utilization of this firewall cluster unit. | KB/Sec | By comparing the value of this measure across cluster units, you can accurately isolate overloaded units and, in the process, proactively detect load-balancing irregularities in the cluster. |
| Packet_count | This metric is the rate of packets processed by the firewall cluster unit during the last measurement period. | Packets/sec | |
| Bytes_count | This metric is the data traffic handled by the firewall cluster unit during the last measurement period, expressed in KB. | KB | |
| Session_count | This metric is the number of currently active sessions on the firewall cluster unit. | Number | A high value of this measure could indicate a session overload on a cluster unit. |
| Av_count | This value is the number of viruses the antivirus system detected in the last measurement period. | Number | |
| Ids_count | This value is the number of attacks that the IDS/IPS detected during the last measurement period. | Number | An IPS is an Intrusion Prevention System for networks. While early systems focused on intrusion detection, the continuing rapid growth of the Internet and the potential for the theft of sensitive data have resulted in the need for not only detection, but prevention. The FortiGate IPS detects intrusions by using attack signatures for known intrusion methods, and detects anomalies in network traffic to identify new or unknown intrusions. Not only can the IPS detect and log attacks, but users can also choose actions to take on the session when an attack is detected. Using sniffer policies, you can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. |
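The interpretation guidance in the table above, applied to per-unit readings, as an added example that is not part of the original page or of the test itself. The unit names, the readings and both thresholds (`CPU_LIMIT`, `SKEW`) are constructed assumptions; only the measure names come from the table.

```python
from statistics import mean

CPU_LIMIT = 90.0   # assumed cut-off for "close to 100%"
SKEW = 1.5         # assumed: flag a unit above 1.5x the mean of its peers
BALANCED = ("Net_usage", "Session_count")  # measures compared across units

# Constructed readings per cluster unit, oldest first.
SAMPLES = {
    "unit-1": {"Cpu_usage": [38, 41, 40, 42], "Memory_usage": [1510, 1512, 1509, 1511],
               "Net_usage": [5200, 5100, 5300, 5250], "Session_count": [8100, 8300, 8200, 8250]},
    "unit-2": {"Cpu_usage": [88, 93, 95, 97], "Memory_usage": [1490, 1495, 1493, 1492],
               "Net_usage": [11800, 12100, 12400, 12900], "Session_count": [19000, 19400, 19900, 20500]},
    "unit-3": {"Cpu_usage": [35, 36, 37, 36], "Memory_usage": [1400, 1460, 1530, 1610],
               "Net_usage": [4900, 5000, 4800, 4950], "Session_count": [7900, 8000, 7800, 7950]},
}

def steadily_rising(values, min_points=3):
    """True when every reading is higher than the one before it."""
    return len(values) >= min_points and all(b > a for a, b in zip(values, values[1:]))

def analyze(samples):
    """Return {unit: [findings]} using the interpretation rules in the table."""
    findings = {unit: [] for unit in samples}
    for unit, m in samples.items():
        if m["Cpu_usage"][-1] >= CPU_LIMIT:
            findings[unit].append("cpu_bottleneck")
        if steadily_rising(m["Memory_usage"]):
            findings[unit].append("memory_drain")
        peers = [s for u, s in samples.items() if u != unit]
        for measure in BALANCED:
            if not peers:
                continue  # a lone unit has nothing to be compared against
            peer_mean = mean(p[measure][-1] for p in peers)
            if peer_mean > 0 and m[measure][-1] > SKEW * peer_mean:
                findings[unit].append(f"overloaded:{measure}")
    return findings

if __name__ == "__main__":
    for unit, found in analyze(SAMPLES).items():
        print(unit, found or "ok")
```

Comparing each unit against the mean of its peers, rather than the cluster-wide mean, keeps the check meaningful in a two-unit cluster, where a single overloaded unit would otherwise pull the average toward itself.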