Explorer

Question

Question regarding Firewall Active-Active Layer 2 HA design

Forum|Forum|1 year ago
December 9, 2024
3 replies
2021 views

Hello all,

I have a question regarding a design like this.

Suppose CheckPoint A is the Master unit for its cluster, while Forgate A and B are in Active-Active HA.

Fortigate A or B comes with one virtual wire and the VW1 is connected between the Checkpoint and Core switch.

No switch is between Fortigate and Checkpoint.

I wonder if Fortigate B receives traffic from a user, can the user stillbe able to use CheckPoint A to access to the internet?

FortiGate

sjoshi

Staff

Hi,

Is there any connection between FGTB and checkpoint A or FGTB is only connected to checkpoint B?

Also in checkpoint is it working as Active-Passive mode?

Thanks, Salon

Potato168Author

Explorer

No connection between FGTB and checkpoint A . Only A to A and B to .

Checkpoint is it working as Active-Active - Clueter mode.

AEK

SuperUser

Hi Potato

I don't think it will work like that, because the FG Master may not see the CheckPoint Master.

Even in AA-HA, FG master is the one who receives the incoming traffic, so you need a switch between the two firewall clusters.

AEK

jakbork

Visitor III

I will also try your advice. Thank you.

sjoshi

Staff

This article describes an example of a simple TCP 3-way-handshake in HA Active-Active cluster where packet distribution between Master and Slave FortiGate occurs.
Refer:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-A-A-cluster-3-way-TCP-handshake/ta-p/197467

Thanks, Salon

Potato168Author

Explorer

So, what if got drop on Step 3 ?

3) SYN is forwarded from internal interface to External Interface to the external switch connected to the Server

Will the Master FG1 try to resend SYN forward to the Server?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded