Skip to main content
Ydejong
Ydejong
New Member
February 22, 2017
Question

FortiGate 100D HA Cluster with VRRP Routers in front

  • February 22, 2017
  • 1 reply
  • 4033 views

Because of a possible migration from the current datacentre to a new datacentre more nearby, I am investigation the possibilities that the new datacentre offers and the FortiGate 100D units supports.

 

Datacentre offers two 1 GB uplinks on copper (UTP) with VRRP for redundancy. So I took a look at the HA guide of FortiOS and see that FortiGates supports VRRP. So my though was as follow see the diagram below.

 

So is it possible to configure the FortiGate 100D in a FSCP cluster with in a VRRP cluster with the routers for redundancy?

What are the advantages or disadvantages?

Are there better solutions to connect the FortiGates in a redundant way?

 

Netwerk diagram in high level                                         Internet

                       /                                             \                    Router A                               Router B               Routers of datacentre                       |                                               |                 FortiGate A =========== FortiGate B              Firewalls                       |                                           |                 Swicth A ============== Switch B              Stack of twoswitches

 

The second thing is that we want to make use of VDOMs, does this have impact on the choices for redundant connections?

I think it should be possible to configure a root / management / internet vdom that have connection to the internet and make interlinks to other VDOMs to facilitate them with internet from the root / management / internet vdom. Do I understood it right?

 

Are there any people who running this kind of setup and can facilitate more information then in the HA guide, like config examples, or complete step by step plan how you have implement this?

 

Kind Regards,

 

Yanick

1 reply

loic
loic
New Member
February 22, 2017

For the VRRP question, you do not need to do VRRP with your FGT, the VRRP is only between router for your gateway.

The best way is to connect each FGT to each router (if it's possible) using hardware or software switch :

 

Router A   Router B

   |       /    \      |

FGT A ==== FGT B

 

For the VDOM sharing the same internet link, here's two options :

- an internet vdom, a vdom for each context and vdom link between them but you have to use NAT a lot

- a transparent internet vdom, a vdom for each context, and a link between them. with this option, each context can setup the public ip configuration

I choose the transparent option because i needed ipsec vpn on each of my vdom and to want to manage VIP

Terms & ConditionsAccessibility statement