Skip to main content
SecurityPlus
SecurityPlus
Explorer III
September 10, 2020
Solved

Firewall Failure - Spare Firewall

  • September 10, 2020
  • 1 reply
  • 5196 views

We work with a number of offices that use some version of the 50 to 100 series FortiGate firewall. One worry I have is a hardware failure. Though I have only seen 1 failure ever of an in-production firewall, the risk is still a factor. Waiting 1 or 2 days to receive a replacement unit could be costly to the users. I realize that we could run with High Availability (HA) but this would amount to a 2x the firewall purchase and support bundle cost. Is there a way to keep a spare firewall in house and to replace a failed firewall with the spare in the event of a failure? If this is done I presume that the configuration could be imported from the last backup of the failed firewall. Could the support bundle be transferred to the replacement firewall? If not I presume that the replacement firewall could run temporarily without these services. Are there any other considerations that I am overlooking?

    Best answer by sw2090

    Licenses can be transferred in support portal. If you RMA a Fortigate you can have Fortinet transferring them to the new unit automatically even.

     

    If the spare is the same model you can also transfer the config 1:1. Just create a backup fro the current FGT and restore it there.

     

    On Models that are very close (like 100D and 100E) it may work by replacing the first lines in the backup (they contain model and serial etc) with those from a backup from the spare one and then restore this on the spare one.

    Did that several times when I migrated from 100D to 100E.

     

    In other cases you will have to edit your config to make it fit because there may be different port names/layout. Some Port may not exist (a 300E e.g. has no physical WAN1/2 Interface). Also some config option may not exist on different MOdels.

    1 reply

    sw2090
    SuperUser
    sw2090Answer
    SuperUser
    September 11, 2020

    Licenses can be transferred in support portal. If you RMA a Fortigate you can have Fortinet transferring them to the new unit automatically even.

     

    If the spare is the same model you can also transfer the config 1:1. Just create a backup fro the current FGT and restore it there.

     

    On Models that are very close (like 100D and 100E) it may work by replacing the first lines in the backup (they contain model and serial etc) with those from a backup from the spare one and then restore this on the spare one.

    Did that several times when I migrated from 100D to 100E.

     

    In other cases you will have to edit your config to make it fit because there may be different port names/layout. Some Port may not exist (a 300E e.g. has no physical WAN1/2 Interface). Also some config option may not exist on different MOdels.

    SecurityPlus
    SecurityPlusAuthor
    Explorer III
    September 11, 2020
    Thank you. This is very helpful.
    lobstercreed
    lobstercreed
    New Member
    September 12, 2020

    I would also point out that the cost of HA (where even a brief failure is unacceptable) is not necessarily 2x everything. 

     

     

    If your sales team knows you're buying them for HA, they should give you more of a price break on hardware + support of the 2nd unit--at least if you buy them at the same time.  I've seen it be closer to 50% more for the 2nd unit than what it would have been with just 1. 

     

    Something to keep in mind where uptime is critical and there's some wiggle room for cost.

    Terms & ConditionsAccessibility statement