Atypical HA config with two ISPs
Howdy,
Perhaps you can shed some light on the following. We have two Fortigate 300Ds (v6.2.3) in an Active-Passive HA cluster. Up to now, only the Primary unit has had the "outside" interface (let's call it WAN1) plugged in; we don't have a switch between the Fortigate and the ISP (ISP1) in order to have WAN1 plugged in on both Primary and Slave.
Now, we have a second internet pipe (ISP2). I know the typical deployment would have a switch between each Fortigate in the HA cluster and the ISP:
The above would be ideal, but I need to make things work without the upstream switches.
Here are the requirements:
If ISP1 is having issues, which is plugged into Primary WAN1, HA fails over to Secondary which has ISP2 plugged into WAN2.
If I keep ISP1 plugged into Primary WAN1 (Secondary WAN1 has nothing plugged in), and plug ISP2 into Secondary WAN2, is it as easy as setting up link monitoring, adding the default route, and adding the WAN2 interface of the HA cluster to the existing WAN1 policies? Any issues with keeping HA as Active-Passive?
Here's the kicker, we're advertising a /24 to ISP1 via BGP. I won't be able to set the secondary IP address of WAN2 to anything in the /24 advertised by WAN1. This might be a whole different topic, but in order to achieve all of the above *AND* advertise a /24 via BGP, would creating an SD-WAN interface be the way to go (add both WAN1 and WAN2 to the SD-WAN interface)?
Thank you, in advance, for your guidance.
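For readers following this thread, here is what the three pieces the question lists (a link monitor on WAN1, a second default route via WAN2, and a policy that allows egress on either WAN) look like in FortiOS 6.2 CLI. This is an added illustration, not configuration from the original poster or from Fortinet; the interface name "internal", the gateway addresses (taken from documentation ranges), the probe target and the policy ID are placeholders to be replaced with real values. It does not address HA failover behaviour in the asymmetric cabling described above, nor the BGP-advertised /24, which are separate questions.

```fortios
# Probe ISP1 through wan1; when the probe fails, withdraw the wan1 static
# route so the wan2 default route becomes active. Values are placeholders.
config system link-monitor
    edit "isp1-monitor"
        set srcintf "wan1"
        set server "192.0.2.1"          # placeholder: a reliable host reachable only via ISP1
        set protocol ping
        set update-static-route enable  # remove wan1 routes while the probe is failing
    next
end

# Two default routes; the lower distance (wan1) is preferred while it is up.
config router static
    edit 1
        set gateway 203.0.113.1         # placeholder: ISP1 gateway
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1        # placeholder: ISP2 gateway
        set device "wan2"
        set distance 20
    next
end

# One outbound policy listing both WAN interfaces, so traffic is allowed
# whichever default route is currently installed.
config firewall policy
    edit 10                              # placeholder policy ID
        set name "lan-to-internet"
        set srcintf "internal"           # placeholder: inside interface name
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because an HA cluster synchronizes its configuration, the link monitor, both routes and the policy exist on both units regardless of which unit physically has the ISP cable; what differs per unit is only the link state of wan1 and wan2. Verifying the behaviour with `get router info routing-table all` on the active unit while the ISP1 probe target is unreachable shows whether the wan1 route is actually withdrawn and the wan2 route installed.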
