FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Muhammad_Haiqal
Description
This article describes the HA scenario in an active-passive deployment,
connected to two switches, without LACP and with LACP (802.3ad).

Any HA deployment depends heavily on the network side.
The network must be designed properly for all HA units to work as expected.


Most of the time, HA is not working because of the network design itself.
Here is the common practice for the HA design.

Solution
Scenario 1: Without LACP.

SW-A and SW-B are in a cluster.
This makes the two switches one 'brain', logically considered as one unit.
Normally this is called stacking:

One cable from SW-A connects to FGT-A.
One cable from SW-B connects to FGT-B.

Let's assume SW-A and SW-B are the 'Core Switch' for now.
The Core Switch connects to FGT-A and FGT-B.

Basically, HA is about 'copy'.
Whatever is configured on the master will be configured the same on the slave.

Let's see it from the Core Switch perspective: the Core Switch has IP address 10.10.10.2 and needs to communicate with the FortiGate at 10.10.10.1.

SW-A to FGT-A is set as VLAN100.
SW-B to FGT-B is set as VLAN100.

In this scenario, the Core Switch links to FGT-A and FGT-B are on the same VLAN100.
The Core Switch VLAN100 IP address is 10.10.10.2.
The Core Switch will send to all VLAN100 members when sending traffic to the FortiGate at 10.10.10.1.
The Core Switch may send to FGT-A and FGT-B at the same time.
However, only FGT-A will respond to the traffic, as it is active (master).
The passive unit will not respond to or process any traffic.

Failover testing:
Unplug the cable on FGT-A port1.
This unit will be considered down.
FGT-B detects that there is a failure on FGT-A (configure monitored ports for this to work).
FGT-B will become active and respond to the traffic sent from the Core Switch.
Now all traffic is handled by FGT-B.

Scenario 2: With LACP.

This scenario is almost the same as the first, but this one is configured with LACP for higher redundancy and better performance.
On the Core Switch side:

LACP Group A = port23 and port24 of SW-A.
LACP Group B = port23 and port24 of SW-B.
It is really important that these LACP groups are configured properly on the switch side.
An LACP group bundles multiple cables and makes them one cable logically.
LACP group A is one logical cable connecting to FGT-A.
LACP group B is one logical cable connecting to FGT-B.

Most of the time, port23 and port24 on both SW-A and SW-B are configured as one group. Now 4 cables become 1 logical cable, and 1 logical cable is only designed to connect to one unit.
A common reason why HA is not working is this LACP grouping.
This one logical cable connects to FGT-A and FGT-B at the same time, making it look like this:
LACP group A (two cables on SW-A) connects to FGT-A.
LACP group A (two cables on SW-B) connects to FGT-B.

From the Core Switch perspective, LACP group A is one cable.
It is not supposed to connect to two different units.
Unusual behavior will happen on the Core Switch, such as the LACP link flapping up and down.
Customers may refer to the switch vendor to understand this behavior.
So, to make this work properly, the Core Switch needs two LACP groups configured:
one for FGT-A, one for FGT-B.
These two LACP groups will be on the same VLAN100.
If help with the design is needed, contact Fortinet support for assistance.
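As an added example (not from the original article), here is the FortiOS CLI for the FortiGate side of Scenario 2 on FGT-A: an 802.3ad aggregate built from two FortiGate ports that both cable to LACP Group A on SW-A, carrying the VLAN100 address 10.10.10.1, and monitored by HA so that losing the uplink triggers the failover described in Scenario 1. The interface names port1/port2, the aggregate name agg1, the heartbeat port ha1, and the HA group name and password are assumptions.

```fortios
# Added example. Assumed names: agg1, port1, port2, ha1, group "FGT-HA".
# Aggregate interface: both members must cable to the SAME switch-side
# LACP group (Group A on SW-A). Splitting them across Group A and Group B,
# or letting one switch group reach both FortiGates, gives the flapping
# behavior described above.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

# If the switch-side LACP group is a tagged trunk instead of an access
# port on VLAN100, move the IP to a VLAN sub-interface on top of agg1:
#   edit "vlan100"
#       set interface "agg1"
#       set vlanid 100
#       set ip 10.10.10.1 255.255.255.0
#   next

# HA: active-passive. Monitoring agg1 is what lets FGT-B detect that
# FGT-A lost its uplink; without "set monitor", a dead link on the
# master does not cause a failover.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "REPLACE-ME"
    set hbdev "ha1" 50
    set monitor "agg1"
    set override disable
end
```

FGT-B needs the same two member ports cabled to LACP Group B on SW-B; once the cluster forms, this configuration is synchronized to it, which is the 'copy' the article describes.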

Conclusion:
HA deployment requires proper design, both physical and logical, at the network level.
The difference between switch HA (stacking) and the HA of other units is that switches combine the units and act as one switch.
For example, twenty-four-port switches stacked together become forty-eight ports.
When FortiGates do HA, they are still considered individual units: two separate units, active and passive, depending on the deployment.

Example:
An eight-port FortiGate, when doing HA, does not become 16 ports like a switch does.
One brain is master and one brain is passive.
Only the master will handle the traffic.
