amorales
New Member
May 14, 2021
Question

FortiGate HA question.

  • May 14, 2021
  • 1 reply
  • 2806 views

Hi, let's suppose that I have two FortiGates in HA (Active/Passive). The FortiGates have the following interfaces:

- Inside: Both FortiGates connected to Core Switch, Vlan10.

- Outside: Both FortiGates connected to Core Switch, Vlan20.

- Heartbeat: Both FortiGates directly connected.

Then let's suppose that I add a new interface (DMZ interface), but I connect each FortiGate to a different Vlan, and these Vlans have no visibility of each other. Let's suppose that FortiGate1 is connected to a Core Switch port in Vlan11 and FortiGate2 is connected to a Core Switch port in Vlan12.

Assuming that I know what I am doing and the reason why I want this topology, would the FortiGates try to check if they can detect each other in Vlans 11 and 12? I think not, and all the synchronization and checks are performed using the Heartbeat interfaces, so it is not a problem if there is no visibility between the FortiGates on these Vlans, but I would like to confirm this 100% for sure.

Keeping in mind that I cannot see any MAC/IP on the Core Switch's interfaces connected to the Slave FortiGate, I am pretty sure that the FortiGates do not perform any checks on service Vlans to try to detect other cluster members, but maybe I am missing something here.

    1 reply

    jorge_americo
    New Member
    May 14, 2021

    Initially they would not detect it, even because of being active/passive.

    Toshi_Esumi
    SuperUser
    May 14, 2021

    It wouldn't cause any problem, but the DMZ port on both units still needs to have the same config unless it is a "dedicated" management interface. So you must have a very specific use/setup with those ports that would be active only when it's the "active" unit.
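An added illustration of the two points above (the heartbeat link is what the cluster uses to find its peer, and failover is driven only by the interfaces you list under port monitoring), not taken from the thread or from Fortinet documentation: a FortiOS `config system ha` fragment where port names (port1/port2 for Inside/Outside, port4 for the DMZ, port5 for the directly connected heartbeat, port6 for a reserved management port) are assumed, as is the FortiOS 6.x-style `ha-mgmt-interfaces` syntax for the "dedicated" management case.

```fortios
# Added example; interface names and the ha-mgmt syntax are assumptions.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    # Peer discovery, config sync and session sync run over hbdev only.
    # port5 is the directly connected heartbeat link from the question.
    set hbdev "port5" 50
    set session-pickup enable
    # Port monitoring triggers failover when a listed interface loses link.
    # Only the symmetric service ports belong here; the DMZ port (port4) is
    # deliberately left out, since its VLAN differs per unit (Vlan11/Vlan12).
    set monitor "port1" "port2"
    # Avoid the primary flapping back on reboot or priority changes.
    set override disable
    # "Dedicated" management port: excluded from config sync, so each unit
    # may carry its own address on it (the one per-unit exception noted above).
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port6"
        next
    end
end
```

A defender-side check after applying this: `get system ha status` should show both members in sync with the checksums matching, and the DMZ port must not appear in the monitored-interface list, otherwise the asymmetric VLAN design would be read as a link failure.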