FortiGate 200F HA internet loss

Forum|Forum|1 year ago
September 25, 2024
5 replies
3630 views

I have 2 - FG 200F's. I have HA configured. I have 1 FG WAN connected to a modem going to fiber internet. My 2nd FG WAN is connected to a modem going to COAX internet. So, 2 different internet pipes. "FG1" is primary, "FG2" is secondary. While in this configuration, I can access and ping the internet from each firewall. When I force an HA failover, "FG2" becomes primary as expected, however, once it does, I lose internet access and can no longer ping anything on the internet (from "FG2" via CLI). I am not sure what I am missing.

FW: v7.4.4 build2662 (Feature)

Active-Passive

FortiGate

Best answer by AEK

You can do this and other nice things with SD-WAN.

You may start here:

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/19246

Hope it helps.

AEK

SuperUser

Is it active passive HA?

Do you have dedicated management on this HA?

If the passive node still ping internet when it is passive then it is most probably pinging from its mgmt interface.

Why using different WAN links on your nodes. Why don't you use both WAN links in both nodes?

AEK

jmillsappsAuthor

New Member

Yes, I have a dedicated management port on each firewall.

I have one WAN link per firewall.

jmillsappsAuthor

New Member

I just did some testing, and saw that even though I was connected to the "passive" node and pinging the internet, a traceroute showed that I was pinging via the internet that the primary was connected to.

AEK

SuperUser

You should connect modem1 to the same port of each FortiGate (lets say to wan1 port).

And connect modem1 to the same port of each FortiGate (lets say to wan2 port).

In case your modems don't have multiple ports (integrated switch), then you need to use a L2 switch to connect them to your FortiGates.

AEK