elpg101
New Member
July 4, 2021
Question

HA - active-passive with VDOM

  • 1 reply
  • 6035 views

I would like to deploy two FortiGate firewalls (firewall 1 and firewall 2) with each firewall having 3 VDOMs:

  • root
  • VDOM_1
  • VDOM_2

I don't want virtual clustering (as I only want firewall 2 to kick in action when firewall 1 fails). I'm struggling to understand how this will be possible as the port numbers the subnets for both VDOMs are connected to are different in firewall 1 and firewall 2. For example, I have 5 ports connected to 5 subnets on each firewall as follows,

Firewall 1
  root
    port 1 - management
    port 3 - HA port
  VDOM_1
    port 2 - subnet 1
    port 4 - subnet 2
  VDOM_2
    port 6 - subnet 3
    port 5 - subnet 4

Firewall 2
  root
    port 1 - management
    port 2 - HA port
  VDOM_1
    port 3 - subnet 1
    port 5 - subnet 2
  VDOM_2
    port 6 - subnet 3
    port 4 - subnet 4

If the configuration is synced, how does the firewall know which port should be connected to which VDOM? Is this not synced?


      lobstercreed
      New Member
      July 5, 2021

      You won't be able to configure things like that. That's simply not how HA works. Once you join a 2nd firewall to the HA cluster, the config syncs, so whatever you have as port 2 and port 4 on firewall 1 must be connected to the same networks as port 2 and 4 on firewall 2.

      As for multiple VDOMs, that config is synced as well, and if you don't enable virtual clustering then you'll have the active/passive failover you're looking for.

      elpg101 (Author)
      New Member
      July 5, 2021

      Ok - thank you.

      I will re-arrange the ports. Does HA also sync the IP addresses for the interfaces? i.e., do the IP addresses need to be the same for both firewalls?

      lobstercreed
      New Member
      July 5, 2021

      Yes, shared IP addressing is surely the primary purpose of HA in the first place. You really don't need to configure the secondary FortiGate almost at all. It is actually recommended that it be in a factory reset state when you join it to the primary to avoid any accidental config overwrites.

      I would recommend doing some Googling around specific HA concepts as the documentation abounds, but I'll link this as it may help you get started: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/161720/high-availability
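As an added example that is not part of either reply or of the linked Fortinet documentation, the two points made above (the config, including VDOMs, interface-to-VDOM assignment and interface IPs, is copied from the primary; the secondary should start from factory defaults and only needs the HA block) look like this in FortiOS CLI. The cluster name "cluster1", the password placeholder, the priority values and the choice of port3 as the heartbeat interface on both units are assumptions for illustration; the commands themselves are standard FortiOS CLI. Because HA is a global setting, on a unit already in multi-VDOM mode it is entered under `config global`, not inside a VDOM.

```fortios
# Added example, not from the thread or Fortinet docs. Assumed: cluster name
# "cluster1", heartbeat on port3 on both units, priority values.
# Replace <HA-PASSWORD> with the real shared secret (same on both units).

# --- Firewall 1 (intended primary, already running 3 VDOMs) ---
config global
    config system ha
        set group-name "cluster1"
        set mode a-p                 # active-passive: only one unit forwards traffic
        set password <HA-PASSWORD>
        set hbdev "port3" 50         # heartbeat interface and its heartbeat priority
        set priority 200             # higher than the secondary
        set override disable         # no automatic failback when firewall 1 returns
        set session-pickup enable    # hand established sessions over on failover
    end
end

# --- Firewall 2 (secondary) ---
# Per the second reply: reset it first so nothing on it can collide with the
# synced config. The unit reboots; enter the HA block once it is back up.
# After a reset the unit is not in multi-VDOM mode, so no "config global".
execute factoryreset

config system ha
    set group-name "cluster1"
    set mode a-p
    set password <HA-PASSWORD>
    set hbdev "port3" 50
    set priority 100
    set override disable
    set session-pickup enable
end

# Everything else (VDOM definitions, which port belongs to which VDOM, interface
# IPs, policies) is pushed from firewall 1 once the two units see each other's
# heartbeat. The synced config refers to interfaces by name, which is why port2
# and port4 (VDOM_1) and port5 and port6 (VDOM_2) must be cabled to the same
# subnets on both chassis, and port3 must be the heartbeat link on both.

# --- Verification, run on the primary ---
get system ha status                # both members listed with role and sync state
diagnose sys ha checksum cluster    # per-VDOM config checksums, must match on both members
```

The `diagnose sys ha checksum cluster` output lists a checksum for the global section and for each VDOM on each member; a VDOM whose checksum differs between the members is the one that has not synced, which is the quickest way to confirm that VDOM_1 and VDOM_2 were actually carried over rather than assuming it from a green HA status.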