FortiGate
Oscar_Wee, Staff
Article Id 391932

Description

This article describes why redundancy is sometimes required in a network and what it costs to provide it with stand-alone firewalls. Two stand-alone firewalls can provide redundancy, but in that design asymmetric routing must be enabled so that packets taking a different return path are not dropped as session errors.

While asymmetric routing is a workable workaround, it is not a good security practice: some packets are not subjected to UTM checks.

Scope

FortiGate.

Solution

In an HA active-passive setup, the standby firewall does not actively process traffic, so asymmetric routing does not arise and the asymmetric-routing workaround is not needed.

To configure an HA active-passive setup, refer to the relevant documentation, selecting the FortiOS version in use. For example, an HA active-passive cluster setup:

[Figure: asymha.jpg, HA active-passive cluster setup]


Note:

  • When asymmetric routing is enabled on a FortiGate, security features such as antivirus and intrusion prevention become ineffective, because the firewall handles each packet independently without maintaining connection state (stateless operation).
  • This setting prevents the FortiGate from tracking connections, disables session offloading, and disables Reverse Path Forwarding (RPF) checks, which weakens both the security and the efficiency of the network by making it more vulnerable to spoofing and other attacks.
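As an added example that is not part of this article, the FortiOS CLI below shows the setting the stand-alone design depends on beside the corrected setting and the HA active-passive configuration that replaces it. It assumes a single-VDOM unit (in multi-VDOM mode, `config system settings` is entered from within the VDOM); the interface names, group name and password are placeholders.

```text
# Added example (not from the article). FortiOS CLI, single-VDOM unit.
# Interface names, HA group name and password below are placeholders.

# 1. Audit: "show" prints only non-default values, so a line containing
#    "set asymroute enable" means the stateless workaround is active;
#    no output means asymroute is at its default (disable).
show system settings | grep asymroute

# 2. Weak setting: what the two-stand-alone-firewall design relies on.
#    Connections are not tracked, AV/IPS inspection is bypassed for
#    packets without a session, and RPF checks are disabled.
config system settings
    set asymroute enable
end

# 3. Corrected setting: return the unit to stateful operation.
config system settings
    set asymroute disable
end

# 4. Provide the redundancy with an HA active-passive cluster instead.
#    Run on both units; the unit with the higher priority becomes primary.
#    "port3" is the heartbeat interface (placeholder), 50 its priority.
#    "port1" and "port2" are monitored interfaces (placeholder): a link
#    failure on either triggers failover to the secondary.
config system ha
    set group-name "HA-GROUP-PLACEHOLDER"
    set mode a-p
    set password "CHANGE-ME"
    set hbdev "port3" 50
    set priority 200
    set override enable
    set monitor "port1" "port2"
end

# 5. Verify cluster formation and which unit is primary. Only the primary
#    forwards traffic, so no asymmetric path through the standby exists.
get system ha status
```

Because the standby unit forwards nothing, both directions of every flow traverse the same unit and its session table, so `asymroute` can stay at its default and UTM, offloading and RPF keep working.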