Staff

Technical Tip: Use of HA active-passive FortiGate Cluster instead of two stand-alone FortiGates to avoid asymmetric routing

Forum|Forum|1 year ago
May 16, 2025
0 replies
782 views

Description

This article describes that sometimes, redundancy is required in a network. While two stand-alone firewalls can provide redundancy, asymmetric routing is required in this stand-alone design to ensure no packets are dropped due to session issues.

While asymmetric routing is a good workaround, it is not the best security practice, as some packets are not subjected to UTM checks.

Scope

FortiGate.

Solution

In HA active-passive HA setups, the standby firewall is not actively processing traffic, so asymmetric routing is unlikely.

To configure an HA active-passive HA setup, refer to the relevant documentation.

Change the FortiOS version as required. For example, HA active-passive cluster setup:

Note:

When asymmetric routing is enabled on a FortiGate device, security features such as antivirus and intrusion prevention systems become ineffective because the firewall treats each packet independently without maintaining connection states, leading to a stateless operation.
This configuration prevents the FortiGate from detecting connections, disables offloading capabilities, and disables Reverse Path Forwarding (RPF) checks, which can compromise the security and efficiency of the network by making it more vulnerable to spoofing and other attacks.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded