JesperAP
New Member
May 27, 2024
Question

WAN BGP connection from datacenter (HA)

Hello,

We've got a BGP configuration in the datacenter (see screenshot below) and we have 2 FortiGates (100F).

We want to make the FortiGates highly available. But for both ports we have a /30 subnet, so our external IP address is different for both ports.

Is this even possible (to have different IP addresses on both ports and use HA), or should we switch to a different configuration?

[screenshot: dual-bgp-assigned-ip15b.png]

3 replies

fricci_FTNT
Staff
May 27, 2024

Hi @JesperAP,

I am not a design expert. When you configure FGCP you have to configure the WAN interface IP on the primary unit and it will be automatically synced to the secondary unit, so the primary and secondary units' interfaces have the same IPs. On your WAN interface you may enable/assign a secondary IP (using the IP belonging to the secondary BGP subnet /30). Bear in mind that the BGP configuration/peering will only be active on the current primary unit, and I am not sure about the performance of that implementation and the consequent BGP peering failover.
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol

It might be worth contacting your SE and asking for a Professional Services consultancy.

Best regards,

JesperAP (Author)
New Member
May 27, 2024

Isn't it an option to make a VDOM exception for the WAN interface?

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/105611/vdom-exceptions

How do I specify to only have an exception for the WAN interface?

Toshi_Esumi
SuperUser
May 27, 2024

You cannot do HA with those two FGTs because this BGP design assumes two independent routers (FGTs) on the customer end.

Toshi