vasugk
Explorer
August 1, 2022
Solved

VRRP configuration on two Fortinet firewall High availability configured


Hi All,

We have two Fortinet firewalls currently configured in HA. We are planning to configure VRRP in order to have L3 redundancy. My question: can we have HA and VRRP together?

 

Thank you,

Sr

Best answer by akristof

Hi,

Just to add more details. If you try to configure VRRP on a FortiGate that is already in an HA cluster, it will not work, because first, that config will be copied to the secondary device, and second, when the secondary device is passive, it will not have the VRRP process running. Anyway, HA will provide you L3 redundancy. If the primary device goes down, the secondary device will become active and will handle requests as your gateway. Similarly, it uses virtual MACs to provide you this.

2 replies

sagha
Staff
August 1, 2022

Hi @vasugk

 

A few questions here would be helpful: 

 

1. Are you planning to configure FGT devices in VRRP that are already in HA? 

2. Is it a third-party device you are going to use for VRRP with the FGT cluster?

 

Please note that FGTs when in HA act as one device active at a time. With this, there should not be a problem if you are configuring VRRP with some third party device. 

However, if you are planning to implement VRRP between two FGTs that are in a cluster, there is a possibility that it might not work.

 

Please look into this post: https://community.fortinet.com/t5/Fortinet-Forum/VRRP-vs-HA/m-p/80772?m=160969

You can get some answers from here. 

 

Also, please look at the community article regarding VRRP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VRRP-configuration-and-debug/ta-p/197015

 

Let us know if you have any further questions. 

 

Thanks, 

Shahan

vasugk
Author
Explorer
August 1, 2022

Hi Shahan,

Thank you for the reply.

1. Are you planning to configure FGT devices in VRRP that are already in HA? Yes

2. Is it a third-party device you are going to use for VRRP with the FGT cluster? No, we don't have a plan to use a third-party device.

Yes, I know that in HA one device acts as active. We have the wrong design at present; we want to achieve routing redundancy.

 

Regards,

Sr

sagha
Staff
August 1, 2022

Hi @vasugk

 

For that, you should look into either active-active HA or breaking the HA cluster and using the FGTs as standalone devices.

 

Unfortunately, we do not have any examples that highlight such an implementation.

 

Thanks. 

Shahan 

vasugk
Author
Explorer
August 3, 2022

Hi Shahan / Adrian,

Thank you for your replies. We will try to remove HA and configure VRRP; once it's done, I will upload the result.

I want to check one more thing with you guys: can we use a port bond for VRRP? I read somewhere that VRRP will not work on a port bond.

Thank you

Srini

akristof
Staff
August 3, 2022

Hello,

You mean on an aggregate port? If yes, then it will work if the aggregate port has an IP address (or a VLAN bound to that agg port).