Tatdes
New Member
April 20, 2024
Question

Connect FortiGate to 2 Sophos at the same time for no downtime in case one firewall is down

  • April 20, 2024
  • 3 replies
  • 2251 views

We have our LAN connected to a switch, then to 2 FortiGates for inter-VLAN routing and DHCP, and then 2 Sophos for internet.


The switch is connected to both FortiGate devices.

There is an HA link between both FortiGates; in case one is down, the connection goes through the other.

There is also an HA link between the Sophos devices.

What we want is to connect FortiGate A to Sophos A and B, so that in case one of them is down it goes to the active one.

And FortiGate B to Sophos A and B for the same purpose.

How to do that?

3 replies

funkylicious
SuperUser
April 20, 2024

Well, if I understand the setup correctly, the traffic flow is as follows:

clients > switch > FGT in HA > Sophos in HA > Internet

- FGT is the DHCP server for clients and does the inter-VLAN routing
- FGT has a next-hop for all traffic except the connected LANs towards the Sophos
- Sophos have an internet connection


Assuming that there is an L3 link between the FGT and Sophos, and both have routes with the next hop being the cluster IP of each one, then the easiest way to ensure that the correct path/Sophos device is used when a FGT fails is to connect the Sophos on the same switch at L2.

"jack of all trades, master of none"
AEK
SuperUser
April 20, 2024

Or just put an L2 switch between your FortiGate cluster and your Sophos cluster.

AEK
Tatdes
Author
New Member
April 20, 2024

We don't want a single point of failure. Is it OK to add 2 switches in the middle between the Sophos cluster and the FortiGate cluster?

Also, I was thinking to add a redundant interface in FG1, one link to Sophos 1 and the other to Sophos 2, and the static route on the FG pointing to the Sophos 1 IP.
So in case Sophos 1 is down, the redundant interface will point to the 2nd Sophos, and the 2nd Sophos IP will be the IP of the 1st Sophos when it's down, so the network will be up all the time. What do you think?

AEK
SuperUser
April 20, 2024

You can also configure "monitored interfaces" in the HA configuration; in case one L2 switch is down or one link is down, the cluster fails over to the second node.

AEK
Tatdes
Author
New Member
April 20, 2024

I have this plan in mind to implement, what do you think?

AEK
SuperUser
April 20, 2024

So you opt for an L3 link with route fail-over, dynamic or static (with link monitor); sure, that is also fine. In this case, don't add port3 and port4 to "monitored interfaces" in the HA configuration.

AEK
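As an added example (not posted by anyone in this thread), this is what the option AEK describes looks like in FortiOS CLI: HA monitors only the LAN-facing ports, while the two Sophos uplinks (port3 and port4, the names used above) get a link monitor and a primary/backup static route. The LAN port names port1/port2, the cluster name, and the 192.0.2.x next-hop addresses are assumed placeholders, and it assumes each Sophos uplink has its own next-hop IP.

```fortios
# Added example: FortiOS CLI for static route fail-over towards two Sophos uplinks.
# Assumptions (not from the thread): port1/port2 face the LAN switches,
# port3 -> Sophos A at 192.0.2.1, port4 -> Sophos B at 192.0.2.5 (RFC 5737 placeholders).

# HA: monitor only the LAN-facing ports. port3/port4 are covered by the link
# monitor below, so a single Sophos outage does not trigger a cluster fail-over.
config system ha
    set group-name "fgt-cluster"
    set mode a-p
    set monitor "port1" "port2"
end

# Link monitor: ping each Sophos; after 3 missed replies withdraw the static
# routes on that interface so the backup route takes over; restore after 5 replies.
config system link-monitor
    edit "mon-sophos-a"
        set srcintf "port3"
        set server "192.0.2.1"
        set protocol ping
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-sophos-b"
        set srcintf "port4"
        set server "192.0.2.5"
        set protocol ping
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
end

# Default routes: the lower distance wins while its link monitor is healthy.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "port3"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.5
        set device "port4"
        set distance 20
    next
end
```

After applying it, `get router info routing-table all` should show only the port3 default route while both monitors are up, and the port4 route once the Sophos A monitor reports it down.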