fjulianom
Explorer II
June 6, 2025
Question

FortiGate HA active-active doubt


Hi community,

 

I have a doubt regarding FortiGate HA active-active mode. There are some articles explaining this mode's operation; I have taken this one:

https://www.fortinetguru.com/2016/10/natroute-mode-active-active-cluster-packet-flow/

 

Briefly and without going into too much 3-way handshake detail, when the primary unit decides that the subordinate unit should handle a packet, and forwards it to the subordinate unit internal interface, the primary unit forwards further packets in the same session to the subordinate unit. Is that correct? If so, every packet of the same session will pass first through the primary unit and then through the secondary unit? If so, then will link 1 be much more loaded than link 2?

 

fjulianom_0-1749225784677.png

 

 

Regards,

Julián

3 replies

Anthony_E
Staff
June 9, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
June 12, 2025

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks

Best Regards
Jean-Philippe_P
Staff & Editor
June 13, 2025

Hello fjulianom,

 

I found this solution. Can you tell me if it helps, please?

 

Yes, your understanding is correct. In an active-active HA setup, the primary unit is responsible for receiving all incoming packets. When the primary unit decides that a subordinate unit should handle a packet, it forwards the packet to the subordinate unit. Here’s a brief explanation:

 

  1. Initial Packet Handling: The primary unit receives the initial packet of a session and decides, based on the load balancing schedule, whether to process it or forward it to a subordinate unit.

  2. Session Consistency: Once a session is assigned to a subordinate unit, all subsequent packets of that session are forwarded to the same subordinate unit by the primary unit.

  3. Traffic Flow: Yes, every packet of the same session will first pass through the primary unit and then be forwarded to the subordinate unit. This means that the link between the primary unit and the subordinate unit (Link 1) will indeed be more loaded compared to the link between the subordinate unit and the external network (Link 2).

 

This setup ensures that session information is consistent and synchronized across the cluster, but it does mean that the primary unit handles more traffic as it processes or forwards all incoming packets.

Jean-Philippe - Fortinet Community Team
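
The packet flow described in the answer above, modelled as an added example that is not part of the original thread and is not Fortinet code: every packet arrives at the primary, the first packet of a session picks an owner, and later packets of that session are forwarded to the same owner. The round-robin schedule, the unit names and the sample packet sequence are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import cycle


def simulate(packets, units=("primary", "subordinate")):
    """Model primary-unit dispatch for a stream of packets.

    packets: iterable of session ids, one entry per incoming packet.
    Returns (session_table, load) where load counts packets per role.
    """
    schedule = cycle(units)   # assumption: plain round-robin over the units
    session_table = {}        # session id -> unit that owns the session
    load = Counter()
    for sid in packets:
        # Every incoming packet reaches the primary unit first.
        load["received_by_primary"] += 1
        # Only the first packet of a session consults the schedule.
        if sid not in session_table:
            session_table[sid] = next(schedule)
        owner = session_table[sid]
        load[f"processed_by_{owner}"] += 1
        # Packets owned by another unit cross the primary a second time,
        # as forwarded traffic toward that unit.
        if owner != "primary":
            load[f"forwarded_to_{owner}"] += 1
    return session_table, load


# Constructed sample: four sessions (A-D) with interleaved packets.
SAMPLE = ["A", "B", "A", "C", "B", "D", "B", "D",
          "A", "D", "B", "C", "D", "B", "D", "D"]

if __name__ == "__main__":
    table, load = simulate(SAMPLE)
    print("session owners:", table)
    for role, count in sorted(load.items()):
        print(f"{role:28s} {count:3d} of {len(SAMPLE)} packets")
```

Because the schedule balances sessions rather than packets, unequal session sizes leave the units unevenly loaded even though each owns two sessions, while the primary still receives every packet.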