FortiGate Next Generation Firewall uses purpose-built security processors and threat intelligence security services from FortiGuard Labs to deliver top-rated protection and high-performance inspection, including of encrypted traffic.
This article describes a design consideration for load balancing UTM sessions in an HA Active-Active cluster when Redundant interfaces are used.
In Active-Active HA, the Master unit can load balance proxy-based UTM sessions to the slave unit. This offloads resource-intensive UTM operations to the other members of the HA cluster.
When Redundant interfaces are used in an Active-Active cluster, the primary member of the Redundant interface on the slave unit must be connected; otherwise the Master cannot load balance sessions to that slave unit.
The first interface listed in the member list of a Redundant interface is selected as its primary member.
For example, in the following configuration, port10 is the primary member of the Redundant interface "Red_LAN" because it is listed first under "set member".
config system interface
    edit "Red_LAN"
        set vdom "root"
        set ip 10.116.3.207 255.255.240.0
        set type redundant
        set member "port10" "port12"
        set snmp-index 41
    next
end
The example network diagram is provided below; port10 and port12 are the members of the redundant link.
For session load balancing to work in the Active-Active cluster shown in the diagram, port10 must be connected and UP on the slave FortiGate unit. If port10 on the slave unit is not connected or its status is DOWN, the HA Master cannot load balance sessions to the slave, even if port12 is connected and UP.
This requirement does not apply to connectivity on the Master unit: sessions are still load balanced to the slave as long as any single member of the Master's Redundant interface is connected and UP.
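The following CLI walkthrough is an added example and is not part of the original article or of Fortinet's own documentation. It shows how to verify, from the Master, that the primary member of the Redundant interface is UP on the slave before expecting sessions to be load balanced. The HA group name "FGT-AA", heartbeat interface port9, the admin username "admin" and the HA member index 1 for the slave are assumptions for the example; check `execute ha manage ?` for the real index, and note that the username argument to `execute ha manage` is required only on recent FortiOS releases. The output lines marked "illustrative" are constructed to show the expected shape, not captured from a real unit.

```fortios
# 1. Active-Active HA settings on both units (example values, assumptions for this walkthrough).
#    In a-a mode the Master distributes proxy-based UTM sessions to the slave.
config system ha
    set group-name "FGT-AA"
    set mode a-a
    set hbdev "port9" 50
    set schedule round-robin
end

# 2. Identify the primary member: the first name in "set member" of the Redundant interface.
show system interface Red_LAN
#   set member "port10" "port12"      <- port10 is the primary member

# 3. Confirm cluster role and membership as seen from the Master.
get system ha status

# 4. Open a session to the slave (member index 1 is an assumption; list indexes with "execute ha manage ?")
#    and check the primary member's physical link state there.
execute ha manage 1 admin
get hardware nic port10
#   Link: up        <- illustrative: the Master can load balance sessions to this unit
#   Link: down      <- illustrative: no sessions will be load balanced to this unit, even if port12 is up
exit
```

If port10 on the slave shows the link down, fix the cabling or switch port for the primary member rather than relying on port12; the Redundant interface itself will still pass traffic over port12, which makes this condition easy to miss because the slave appears healthy in `get system ha status`.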