FortiSIEM: Multi-Site HA Connectivity & Supervisor Access without Exposing Internal IPs
Version: 7.3.0
Hypervisor: KVM
1. Multi-Site HA Configuration (Automatic HA):
We are planning HA with Multi-Site:
Site 1: 2 Supervisors
Site 2: 1 Supervisor
The requirement is to achieve less than 100ms latency for communication between these sites.
Will this communication occur at Layer 2 or Layer 3? Any recommendations on how to establish this connectivity?
2. MSSP Configuration for Supervisor Access:
In an MSSP setup, the customer wants to provide their clients with access to the Supervisors at the Organization level but without exposing their internal IP addresses.
What would be the best approach to achieve this?
Labels: FortiSIEM
Hi Arif,
Let me find a FortiSIEM expert for you :)!
Regards,
Hello Arif,
Please accept my apologies for the delay. I am still looking for someone to help you.
Regards,
Hi @beingarif,
1. Multi-Site-HA:
In general, layer 2 or layer 3 does not really matter for your requirement. The latency is not based on whether there is a router in the middle, but on the physical distance, the devices in between, or encryption (e.g. because of VPN tunnels) between the sites. In case you have VPN, routing (layer 3) usually is easier to set up. For an HA setup with a single virtual IP (instead of using a load balancer in front), layer 2 might be faster in the setup. It very much depends on more aspects than you wrote here, and that's the reason why companies like mine or even Fortinet (Professional Services) take money for deeper consulting.
Anyways, the traffic between workers (you did not mention them?) can be very bandwidth-consuming, so you want to avoid any bottlenecks there.
2. Supervisor access:
I don't quite understand your requirements here. Are you deploying the supervisor(s) on the customer's site or at a central location? Meaning: do all the tenants need to go through the internet to access the supervisor(s), or is it placed on their local network?
In any case, you can do DNAT as you can do with any server.
On the other hand, if you just want to hide IP-addresses on the GUI for tenants, you can look through user roles, there is an option for that.
Best,
Christian
