Fortigate 200 HA conections switch ?

Question

Hello

I have two firewall fortigate 200 and I would like to connect them to the ports HA for the backup and the fact that they are not side by side my question is it possible to connect two firewall between a switch ?

thank you for your support

ede_pfau · Answer

Yes, in principle.HA traffic uses a non-standard Ethernet type ID to distinguish them from IP traffic. Nearly all switches handle that without any problems except for Cisco Nexus - they use this ID internally by coincidence. The good news is that you can reconfigure the ID if you absolutely have to. Cf. the FortiOS Handbook, for instance in v5.2, pg. 1292 and pg. 1365. Now to "best practice": by introducing an active component in the HA link you severely jeopardize your firewall stability. If, for any reason, the switch fails or reboots, both Fortigates will determine that they are 'master' and will act with the same IP and MAC addresses in your network. This is called a 'split-brain' scenario and it regarded as the worst case in a HA setup.Even a simple firmware update on the switch would bring your network down. So, "best practice" recommends1- don't do this2- if you have to, provide for 2 redundant HA links across 2 independent switches (or switch stacks)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded