Konnan
Explorer II
February 6, 2026
Solved

How to configure two directly connected FG81F HA clusters in full mesh

  • February 6, 2026
  • 3 replies
  • 310 views

Hello community!

I know variations of this question have been asked in the past, but it's been a little while so I was wondering if there was anything new on this topic. You can see below the network devices and that's what I need to work with. The network architects designed it this way, even if I read here that the best configuration would be with switches in between both clusters. Now it's too late, project funds are exhausted so we can't order extra hardware.

A bit more context: the first cluster will be used for SDWAN and IPSEC VPN and to take care of BYOD and other unsecured devices. The first cluster will also have two VDOMs, one for the guest network and the other for reaching the second cluster. The second cluster will be used to protect a process network.

In some specific cases, the process network might reach one VDOM or the other. In some specific cases, the guest VDOM might reach the other VDOM to get to the process network.

How can we configure two directly connected FG81F clusters in full mesh?

  • SDWAN? (I know it's not the real use, but "could work" I guess)
  • Link-monitor?
  • 802.3ad LACP?
  • Redundant links?
  • Virtual hardware switch?
  • Active-passive or active-active considering the VDOMs? I think active-passive might make this more simple... but could be wrong.

Is there anyone with a sample configuration or previous experience on this that made it work reasonably well?

I'd like to hear my old friend Toshi_Esumi on this hehe!

[image: HA_FG81F_Dual_Cluster.png]

Thanks!

Konnan

3 replies

Toshi_Esumi
SuperUser
February 6, 2026

If you have read through those conversations in the past, you must have understood that a-p and a-a won't change that the primary unit has to process all new sessions first; then the a-p primary continues to process everything after that, while a-a secondaries share the workload for proxy-based session processing with the primary. So, the config between them is exactly the same with a few exceptions, and you won't have to configure any secondary because it's copied/synced over from the primary.
You just need to configure one unit per cluster regardless of how they're physically connected to each other.

I wouldn't split LACP connections between those FGTs but just use it as a single link in the mesh connection. There was a conversation, which you might have read, about splitting them slowing down HA transition. Unless the other end of the LACP is a stacked switch. In that case you of course want to split it between physical switches.

Just consider those HAed units/cluster as one FW. Then configuration should come naturally.

Toshi

Konnan
Author
Explorer II
February 6, 2026

@Toshi_Esumi wrote:

Just consider those HAed units/cluster as one FW. Then configuration should come naturally.
Toshi


Yeah right! You are a natural. I'm more beginner/intermediate hehe!

About a-a vs. a-p: I was thinking it could be easier to troubleshoot a-p since everything happens on one unit, a loss in performance but not that much I'd think in this specific case with VDOMs and such.

So if I summarize, you would use a virtual hardware switch on each FG81F in each pair to communicate between clusters in full mesh?

Then you would use 802.3ad LACP to communicate between the bottom cluster and Process-SW, which is two stacked switches?

And then, I guess for the top cluster, we could use SDWAN on each FG81F to switch between one WAN or the other, either by running two VLAN subinterfaces on the same physical link, or dual physical links, going from WAN-SW to each FG81F?

And finally, for communication between the top pair and Guest-SW, just use one physical port per FG81F, nothing fancy?

Hoping everything is OK; if there's anything else, do not hesitate to ask me!

Thanks!

Konnan

Konnan
Author
Explorer II
February 10, 2026

Hello again!

Does anyone else have something to say about this topic, on how to wire two firewall clusters together in full mesh? Due to the cost of stacked switches for redundancy, I think it's a setup that could be interesting for several use cases.

Thanks!

Konnan

Konnan
Author (best answer)
Explorer II
February 13, 2026

Hello everyone!

Just to let you know that some trials with 802.3ad LACP were successful initially for intercluster communication, but once you reboot one firewall in the cluster (let's say for a firmware update) it seems like both 802.3ad LACP links between the two clusters aren't coming back up by themselves like you would expect them to.

We then did some trials with a virtual VLAN hardware switch and it works fine for now. Just need to be sure to enable STP on both sides on all ports used for the four links going from cluster to cluster.

Thanks!

Konnan
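Added example, not posted in the thread and not Fortinet's reference configuration: a FortiOS CLI sketch of the design the accepted answer settled on, one hardware (virtual) switch per unit that bundles the two ports running to the two units of the other cluster, with STP enabled on that switch so the four-link mesh does not loop. Everything named here is an assumption: the cross-cluster ports "port3" and "port4", the switch name "xcluster", the physical-switch label "sw0", the VDOM "transit" and the 10.255.0.0/30 transit subnet. Check that your FortiOS release accepts `set stp enable` on the hardware-switch interface before applying it.

```fortios
# Added example (not from the thread). Entered once on the primary of
# cluster A; HA config sync copies it to the secondary, as Toshi notes.
# Assumed names: port3/port4 = the two links to cluster B, "sw0" = the
# FG81F internal physical switch, "transit" = the VDOM facing cluster B.

# 1. Bundle the two cross-cluster ports into one hardware switch.
config system virtual-switch
    edit "xcluster"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port4"
            next
        end
    next
end

# 2. Give the switch an address in the transit VDOM and turn on STP so the
#    redundant path through the peer cluster's secondary unit is blocked
#    instead of looping. Cluster B mirrors this with 10.255.0.2.
config system interface
    edit "xcluster"
        set vdom "transit"
        set ip 10.255.0.1 255.255.255.252
        set allowaccess ping
        set stp enable
        set role lan
    next
end
```

Apply the mirror image on the primary of cluster B (same switch and port layout, address 10.255.0.2). After both sides are up, confirm from the transit VDOM that 10.255.0.2 answers ping, then reboot one unit at a time on each side and repeat the check: the point of the accepted answer is that, unlike the LACP trial, the links come back on their own after a reboot, and that behaviour is only proven by exercising it.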