Keeper_of_the_Keys
New Member
April 7, 2021
Question

[HA] active-active or active-passive

  • April 7, 2021
  • 2 replies
  • 44846 views

Hi everyone,


I'm setting up a new cluster for a new location of ours; the location will be L2-connected to an existing location but will also have its own Internet connection and FortiGate cluster.


At our existing location we have an Active-Passive HA cluster running, and now I am considering making the new cluster Active-Active so as not to leave performance on the table.

I reached out to support to ask what the recommended mode was, since the documentation does not mention a best practice/recommendation as far as Active-Active vs Active-Passive goes, but was told "we don't make recommendations".


So instead I'm asking the community about their experience with this :)


We are a single company, so I'm not sure how relevant using VDOMs is to us.


Thanks!


    2 replies

    Keeper_of_the_Keys
    New Member
    April 12, 2021

    Wrong forum to ask?

    Yurisk
    SuperUser
    April 12, 2021

    Out of the hundreds of FGT firewalls I have seen so far, I am yet to see an Active-Active cluster in production. This pretty much answers your question, I guess: no, if you don't have a very specific reason for using A-A, you don't use it.

    When there are enough networks/traffic behind the FortiGate HA to warrant load splitting between machines, I advise vcluster: splitting the existing topology into multiple (2) VDOMs, where each FGT machine holds a different VDOM as active. This way both boxes work and are not idling, but also provide HA for each other. But this involves the next set of decisions as well: how to set up Internet access to both VDOMs or just one of them/SD-WAN? What about routed/advertised subnets? etc.

    emnoc
    New Member
    April 12, 2021

    To add: out of the thousand-plus FortiGate environments I have worked on, I have only seen A-A a handful of times, from orgs that deployed active-active.

    1st, you need to determine what you really want:

     Do you need fail-over protection (A-P)?

     Do you need load-balance (A-A)?

     If yes on the 2nd part, why do you think you need load-balance?

    On load-balance: it's a joke, since it really does NOT load-balance traffic, only sessions, and only certain sessions. And when it comes to troubleshooting it makes it 10x harder to look at traffic if you have some traffic on fgt1 and other traffic on fgt2.

    Back to vcluster: this is ONLY available if you have 2 or more VDOMs, and again you have restrictions (vdom-links), and it does absolutely nothing for load-balancing sessions|traffic within that VDOM. And as above, when you do diagnostics you must know which FGT node is carrying your traffic for that VDOM.

    Think of vcluster like a Cisco deployment of fail-over groups, FWIW.

    vcluster

     Fgt1
         vdom-root   ACT
         vdom-custA  passive
         vdom-custB  ACT

     Fgt2
         vdom-root   passive
         vdom-custA  ACT
         vdom-custB  passive

    Ken Felix
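The layout above, modelled so you can predict which node carries a given VDOM before you start diagnostics. This is an added illustration, not code from emnoc's post or from Fortinet. The election order it encodes (override disabled: monitored ports, then age, then priority, then serial; override enabled: monitored ports, then priority, then age, then serial) and the 300 s uptime margin are my reading of the FortiOS HA documentation and are assumptions; the node names, serial numbers, uptimes and priorities are constructed.

```python
"""Which FortiGate node carries a VDOM's traffic under an HA vcluster split?

Added illustration, not code from the thread or from Fortinet. It models the
FortiOS HA primary election per virtual cluster. The election order below is
my reading of the FortiOS HA documentation and is an assumption:

  override disabled: monitored ports up -> age (uptime) -> priority -> serial
  override enabled : monitored ports up -> priority -> age (uptime) -> serial

"Age" only decides when the uptime gap exceeds a margin (assumed FortiOS
default 300 s, the ha-uptime-diff-margin setting); below that the units count
as equal age. The higher value wins in every criterion; serials compare as strings.
"""
from dataclasses import dataclass, field

UPTIME_DIFF_MARGIN = 300  # seconds, assumed FortiOS default


@dataclass
class Member:
    name: str
    serial: str
    uptime: int                   # seconds this unit has been up in the cluster
    monitored_ports_up: int       # how many HA-monitored interfaces have link
    priority: dict = field(default_factory=dict)  # {vcluster_id: device priority}


def elect_primary(members, vcluster, override):
    """Return the member that becomes primary for the given virtual cluster."""
    oldest = max(m.uptime for m in members)

    def age(m):
        # 1 if this unit counts as "oldest" within the margin, else 0
        return 1 if oldest - m.uptime <= UPTIME_DIFF_MARGIN else 0

    def key(m):
        prio = m.priority.get(vcluster, 128)  # assumed FortiOS default priority
        if override:
            return (m.monitored_ports_up, prio, age(m), m.serial)
        return (m.monitored_ports_up, age(m), prio, m.serial)

    return max(members, key=key)


def vdom_placement(members, vdom_to_vcluster, override):
    """Map each VDOM to the node that currently carries its traffic."""
    return {vdom: elect_primary(members, vc, override).name
            for vdom, vc in vdom_to_vcluster.items()}


# Constructed example: the split from the post above. vcluster 1 holds root
# and custB, vcluster 2 holds custA. Each box is preferred for one vcluster.
FGT1 = Member("fgt1", "FGT60FTK20000001", uptime=20000, monitored_ports_up=2,
              priority={1: 200, 2: 100})
FGT2 = Member("fgt2", "FGT60FTK20000002", uptime=10000, monitored_ports_up=2,
              priority={1: 100, 2: 200})
VDOMS = {"root": 1, "custB": 1, "custA": 2}


def intended_split():
    """Override enabled: priority decides, so the split comes out as designed."""
    return vdom_placement([FGT1, FGT2], VDOMS, override=True)


def split_without_override():
    """Override disabled: age is checked before priority, so the longer-running
    box wins both vclusters and the split silently collapses onto one node."""
    return vdom_placement([FGT1, FGT2], VDOMS, override=False)


def split_after_port_failure():
    """fgt1 loses a monitored port: both vclusters fail over to fgt2, so every
    VDOM is carried by fgt2 regardless of priority."""
    degraded = Member("fgt1", FGT1.serial, FGT1.uptime, monitored_ports_up=1,
                      priority=dict(FGT1.priority))
    return vdom_placement([degraded, FGT2], VDOMS, override=True)


if __name__ == "__main__":
    for label, fn in [("override on", intended_split),
                      ("override off", split_without_override),
                      ("fgt1 port down", split_after_port_failure)]:
        print(f"{label:15s} {fn()}")
```

Under these modelled rules the override-disabled case is the one to watch: a box that has simply been up longer takes both vclusters, so the "one active VDOM per box" picture only holds while both units have the same age or override is enabled per vcluster. The port-failure case shows the troubleshooting point made above: after a failover, every VDOM's traffic is on the other node, and that is where your diagnostics have to run.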


    Tesh
    New Member
    October 15, 2022

    I have been trying to configure HA A-A but it's not working. The odd part: when connecting the HA interface, the unit with the lower device priority became slave and disconnected... Some configuration tips please? I have 2 boxes.