Cybersecurity Forum


David_Bower
New Contributor

I would really like the Fortigate to come with a Virtual Copy for HA only.

I would really like the Fortigate to come with a Virtual Copy that would only be available on-line if the hardware version failed. Its only purpose would be to keep the company on-line for a limited time, say 10 days. Meanwhile the IT people would have time to fix or replace the hardware. With the time limitation and a specific pairing to the hardware, there would be little chance of software misuse.

This would really put Fortinet at the front of the competition.

mnantel_FTNT
Staff

Greetings David,

I'd like to understand your requirements correctly, but I am wondering about the way you would intend this to work. Would the virtual copy feature simply keep a cloud copy of your configuration for easy restoration on a new unit (e.g. through FortiCloud)? Or would you intend to have your firewall fail and have traffic redirected to our cloud for processing? For the latter, I do not grasp how we could ensure your organisation's traffic would be redirected to Fortinet if you no longer have an on-premise device.

The former idea is actually a good one, which would possibly make restoration of the configuration simpler. That said, it is currently fairly easy to back up and restore a config from a failed unit to a new unit of the same model using FortiExplorer through the unit's USB port.

Thank you for your feedback!

--

Mathieu Nantel - NSE4, CCIE 24349

Principal System Engineer / Consultant Technique Senior


David_Bower

I see the virtual copy running on a single server (physical or VM) behind the Fortigate in a pass-through mode unless it detects a failure of the Fortigate. It can be configured so it has exactly the same configuration and collecting the same logs and is updated automatically when the Fortigate configuration changes.

If the VM senses a failure of the Fortigate, it begins to manage traffic, alerts the IT dept. and starts a countdown clock. I realize there may need to be some physical configuration of switches and/or ethernet ports to manage a complex, multi-interface configuration, but at least the network would not go off-line or, at worst, the IT department could have the system back up in minutes while they fix or exchange the firewall. Fortinet may even be able to re-program one of their small switches to handle the pass-through and full management in the case of a failure.

There are thousands of mid-sized operations that cannot afford a full HA device and this plan would fill that gap.

PS: I don’t charge much for these ideas. ;)

PaulSpag

I like this idea. It would really only be a change to the existing HA features that a Fortigate offers now.

Right now, two Fortigate units can be in an HA cluster, but they have to be the exact same model. Also, the current HA cluster types allow for active-active or active-passive.

I would interpret the suggestion above to mean that Fortinet should expand how HA works to allow for a new cluster type called Active-VM. This new type would allow dissimilar devices to join a cluster (FGT joined with FGT-VM). The FGT would be the primary (with great performance via ASIC) and the VM would only be used in a failure situation (like active-passive).

*Keep in mind the VM would perform much slower because it would not have an ASIC chip.

I think it would be good to see this change, but I also understand why it isn't there now. Anyone who has a business need for this type of uptime normally has the budget for buying two fortigate units and creating a normal HA cluster.

Certified: Network+, Security+
I enjoy all things related to information security.

David_Bower



In Reply to Paul Spagnola, Sec+:

I think it would be good to see this change, but I also understand why it isn't there now. Anyone who has a business need for this type of uptime normally has the budget for buying two fortigate units and creating a normal HA cluster.

I disagree to a point. Many small to medium sized businesses do need the uptime but cannot afford two FGT along with full subscriptions for both units needed for HA.

With a cost of close to 12K for each, you are looking at 24K for 3 years of service. That's a huge number for many small businesses and makes those/me want to look into other, more cost-effective solutions.

PaulSpag

David,
I understand what you are saying, but I must define "small" or "medium" business differently than you do. Your price of $12K per device seems high. I have a two-unit HA cluster with hundreds of computers behind it and I paid less than the price you mention for a single unit.

-Paul

David_Bower

Paul,

We are currently using the 300C with 400+ devices behind it and moving to the 300D. Those are the current retail prices for the device and a three-year UTM/daytime support agreement. I do know they sell a second device for HA at a discount, but the UTM/support agreement is not discounted for the second device.

 Dave

mnantel_FTNT

Here's a little trick that might help with your scenario, David: you can use an off-the-shelf router of any kind that supports VRRP. So long as it has the same number of interfaces as your FortiGate device and can process a decent amount of bandwidth, insert it in parallel with your FortiGate and establish a VRRP cluster with your FortiGate as the preemptive master to ensure it is always preferred for your traffic. Falling short of having an HA pair, this might meet your requirements for redundancy!

--

Mathieu Nantel - NSE4, CCIE 24349

Principal System Engineer / Consultant Technique Senior, Office of the CTO

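As an added illustration of the VRRP arrangement described in the post above (this is example configuration written for this page, not something Mathieu or Fortinet supplied), here is the FortiGate side of such a setup. The interface names (port1 on the WAN side, port2 on the LAN side), the virtual IPs 203.0.113.1 and 192.168.1.1, and the VRIDs 1 and 2 are assumptions chosen for the example; the off-the-shelf backup router joins the same two VRRP groups with a lower priority (for instance 100) and the same VRIDs and virtual IPs.

```fortios
config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 203.0.113.1
                set priority 200
                set preempt enable
                set adv-interval 1
                set start-time 3
            next
        end
    next
    edit "port2"
        set ip 192.168.1.2 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 2
                set vrip 192.168.1.1
                set priority 200
                set preempt enable
                set adv-interval 1
                set start-time 3
            next
        end
    next
end
```

Hosts use 192.168.1.1 as their default gateway and the upstream device routes to 203.0.113.1, so whichever box currently holds the VIPs carries the traffic; with `preempt enable` and the higher priority the FortiGate reclaims both VIPs as soon as it is back up. Two caveats a practitioner should weigh before relying on this: VRRP only moves the addresses, so while the backup router holds them there is no firewall policy, UTM inspection or session synchronisation, existing sessions are reset, and the backup router needs at least a minimal ACL of its own so that an outage does not silently become an open path; and the two VRRP groups fail over independently, so a failure that takes down only one FortiGate interface can leave the VIPs split across the two devices unless the backup router is also configured to track both groups together.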

PaulSpag
New Contributor

Dave,
I see your point. I can see how the cost would get higher and higher for the larger units. I just do not consider those small or medium business size. I think if I were in your shoes I would want to have a FGT-VM that would take over in the case of a complete Fortigate failure. It would be limited, but would be better than nothing. Fortinet just needs to offer a special "fail over only" SKU for purchasing a FGT-VM with certain hardware models. I would have it include FortiGuard at a very reduced price. Then they would need to allow for a special HA mode so that the VM can join the HA cluster for fail over purposes only.

-Paul

On Fri, Sep 18, 2015 at 3:04 PM, David Bower <ngfw.pub@fuse-lists.fortinet.com> wrote the message quoted above.
Not applicable

I really like the idea of automated configuration backups to the cloud.

In this situation, since the D models are much more capable than the C models, I would suggest looking at backing down to a pair of 200D in an active-active HA pair.

Norris Carden, CISSP, CISA | Sr. Security Engineer | Arnett Group