FortiGate
rmetzger
Staff
Article Id 194655

Description


This article describes technical considerations that apply when FortiGate devices in an HA cluster running in Active-Passive mode are connected to L2 switch(es) using LACP (802.3ad) link aggregation.

 

Scope

 

FortiGate.

 

Solution

The following network diagram is used to illustrate this article:

[Network diagram: rmetzger_FD31396 LACP A-A.jpg]


The LACP groups (LAGs) defined on the L2 switch must be different for each FortiGate, so that each unit forms its own independent bundle with the switch. If the links to both units were members of a single LAG, the switch would distribute incoming frames across all member links, and the share sent to the Subordinate (which does not forward traffic in Active-Passive mode) would be lost.

Note:

For this reason, Nortel devices in SMLT (Split Multi-Link Trunking) are not supported.

If different LAGs cannot be configured on the L2 switch, use the following command to prevent the subordinate units from participating in LACP negotiation on an aggregate interface. Note that in this mode the failover time can be longer, because it includes the LACP negotiation between the newly elected Primary Unit and the L2 switch.

 

config system interface
    edit <aggregate_name>
        set lacp-ha-slave disable
    next
end

It is recommended to set the LACP mode to Static on both sides (FortiGate and switch) if the ports are connected with a back-to-back cable. On the FortiGate this is 'set lacp-mode static' on the aggregate interface (the default is 'active').


Note:

Starting from FortiOS 7.2.1, the lacp-ha-slave setting has been renamed to lacp-ha-secondary, so the command above becomes 'set lacp-ha-secondary disable'. Its default value (enable) lets the secondary unit take part in LACP negotiation, which is the correct setting when the switch provides a separate LAG per FortiGate.
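The following FortiOS CLI fragment is an added worked example, not configuration from the original article or from Fortinet, that puts the points above together for the case where the L2 switch can only offer a single LAG to both cluster members: an aggregate interface with the secondary unit excluded from LACP negotiation, and an Active-Passive HA configuration that monitors that aggregate. The interface name agg1, the member ports port3/port4, the heartbeat port ha1, the IP address and the HA group name are assumptions; the keyword lacp-ha-secondary requires FortiOS 7.2.1 or later (use lacp-ha-slave on earlier releases). Comment lines are annotations for the reader.

```fortios
# Added example (not from the article). Assumed names: agg1 (aggregate),
# port3/port4 (member ports), ha1 (heartbeat port). FortiOS 7.2.1+.

# Aggregate towards the L2 switch. With a single shared LAG on the switch,
# the secondary must stay out of LACP negotiation so that only the Primary
# Unit's links become active members of the switch-side bundle.
# Where the switch can provide one LAG per FortiGate (the preferred design),
# leave lacp-ha-secondary at its default of enable instead.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
        set lacp-ha-secondary disable
        set ip 10.10.10.1 255.255.255.0
    next
end

# Active-Passive HA. Monitoring agg1 triggers a failover if the bundle on
# the current Primary Unit loses its member links; expect the failover to
# take longer than usual here, since the newly elected Primary Unit has to
# complete LACP negotiation with the switch before traffic resumes.
config system ha
    set group-name "fgt-cluster"
    set mode a-p
    set password <ha_password>
    set hbdev "ha1" 50
    set monitor "agg1"
    set override disable
end
```

After the configuration is applied on both units, 'diagnose netlink aggregate name agg1' shows the bundle's member ports and LACP state on each unit, and 'get system ha status' confirms which unit is the Primary; on the switch, only the links towards the Primary Unit should appear as active LACP members.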