The sketch above illustrates a sample topology where FG101F-1 (primary) and FG101F-2 (secondary) form an Active-Passive HA cluster. Both devices have a hardware switch configured, and a link has been made between the two switches via port15 on each firewall.
A PC is plugged into port1 on 101F-1, and another FortiGate (FGT1A) is plugged into port1 on 101F-2.
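The configuration that produces the topology above, as an added example written for this page rather than taken from the original article or from Fortinet documentation. It shows the FG101F-1 side; FG101F-2 carries the same configuration except for a lower HA priority, and everything other than the HA priority is synchronized by the cluster anyway. The hardware switch name lan, its members port1 and port15, the heartbeat interface ha1 and DHCP server ID 1 are taken from the outputs on this page; the lan address 192.168.100.1/24, the DHCP range, the HA group name and password placeholder, the priority values and the lan-to-wan1 policy are assumed values chosen for illustration. Lines starting with # are explanatory comments.

```fortios
# Hardware switch "lan" on the FG-100F series is a virtual-switch bound to
# physical switch sw0. port1 faces the host, port15 is the inter-switch link.
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port15"
            next
        end
    next
end

# Assumed address for the lan switch interface (not given on the page).
config system interface
    edit "lan"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# DHCP server 1 on lan; the leases on the page (.110, .111) show SERVER-ID 1.
# The range boundaries are assumed.
config system dhcp server
    edit 1
        set interface "lan"
        set default-gateway 192.168.100.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.100.110
                set end-ip 192.168.100.200
            next
        end
    next
end

# Active-Passive cluster, heartbeat on ha1. ses_pickup and override are
# disabled, matching "get sys ha status" on the page. priority 200 here and
# priority 100 on FG101F-2 make FG101F-1 the primary (assumed values).
config system ha
    set group-name "FG101F-HA"
    set mode a-p
    set password <ha-password>
    set hbdev "ha1" 50
    set session-pickup disable
    set override disable
    set priority 200
    set monitor "wan1"
end

# Policy that lets hosts behind either hardware switch reach the internet
# through wan1 on the primary (assumed; the page only says policies are needed).
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Note that `set monitor "wan1"` covers only the WAN link; the hardware switch ports are deliberately not listed, because interface monitoring does not cover them, which is the limitation discussed at the end of this page.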
FG101F-1 # get sys ha stat
.........
Cluster state change time: 2024-06-13 17:06:18
<2024/06/13 17:06:18> vcluster-1: FG101FTK1900AAAA is selected as the primary because its override priority is larger than peer member FG101FTK1900BBBB.
<2024/06/13 17:05:44> vcluster-1: FG101FTK1900AAAA is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
Configuration Status:
    FG101FTK1900AAAA(updated 0 seconds ago): in-sync
        FG101FTK1900AAAA chksum dump: 7d 61 69 4c cb da 58 78 16 9a 41 b4 5e a4 9c 45
    FG101FTK1900BBBB(updated 0 seconds ago): in-sync
        FG101FTK1900BBBB chksum dump: 7d 61 69 4c cb da 58 78 16 9a 41 b4 5e a4 9c 45
.........
Primary     : FG101F-1 , FG101FTK1900AAAA, HA cluster index = 1
Secondary   : FG101F-2 , FG101FTK1900BBBB, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG101FTK1900AAAA, HA operating index = 0
Secondary: FG101FTK1900BBBB, HA operating index = 1
The behavior of the hardware switches is:
- They respond to ARP requests and therefore let devices connect at Layer 2. This is normal for an active or standalone device, but the passive device does the same.
- If there is a link between the hardware switches on 101F-1 and 101F-2, the switch on 101F-2 forwards the frames from its connected devices across that link to 101F-1, and those devices appear in the ARP table of both FortiGates.
- Devices connected to 101F-2 can obtain IP addresses via DHCP from 101F-1 and send traffic to resources behind 101F-1, or to the internet, provided the necessary firewall policies are configured.
Sample output from the ARP tables of both units and from the DHCP lease list on the primary:
FG101F-1 # get sys arp
Address           Age(min)   Hardware Addr      Interface
10.9.31.254       0          00:09:0f:09:fe:1b  mgmt
192.168.100.110   0          00:41:74:6c:2b:03  lan
192.168.100.111   0          00:43:68:61:06:01  lan
10.9.15.254       0          00:09:0f:09:fe:1b  wan1
169.254.0.1       -          e8:1c:ba:ef:16:f4  ha1

FG101F-2 # get sys arp
Address           Age(min)   Hardware Addr      Interface
10.9.15.254       0          00:09:0f:09:fe:1b  wan1
192.168.100.110   0          00:41:74:6c:2b:03  lan
192.168.100.111   0          00:43:68:61:06:01  lan
169.254.0.2       -          e8:1c:ba:e5:ef:08  ha1

FG101F-1 # exec dhcp lease-list lan
IP               MAC-Address        Hostname         VCI                 SSID  AP  SERVER-ID  Expiry
192.168.100.110  00:41:74:6c:2b:03  FGT1A            FortiGate-VM64-KVM            1          Thu Jun 27 17:47:13 2024
192.168.100.111  00:43:68:61:06:01  DESKTOP-OLGFQ84  MSFT 5.0                      1          Mon Jul 1 05:46:50 2024
The advantage of this behavior is that the passive device can be used in place of a physical switch if none is available. This is not recommended, however, because:
- If the FortiGate hosting the devices fails or is powered off, every device connected to its hardware switch loses connectivity. Hosts attached to the secondary stay reachable only as long as the secondary and the inter-switch link are both up, which defeats the purpose of the HA pair.
- HA interface monitoring does not cover the hardware switch, so a link failure on one of its ports will not trigger a failover; the cluster keeps the same primary while the affected hosts are cut off.