SecurityPlus
Contributor II

Firewall Failure - Spare Firewall

We work with a number of offices that use some version of the 50 to 100 series FortiGate firewall. One worry I have is a hardware failure. Though I have only seen 1 failure ever of an in-production firewall, the risk is still a factor. Waiting 1 or 2 days to receive a replacement unit could be costly to the users. I realize that we could run with High Availability (HA), but this would amount to 2x the firewall purchase and support bundle cost. Is there a way to keep a spare firewall in house and to replace a failed firewall with the spare in the event of a failure? If this is done, I presume that the configuration could be imported from the last backup of the failed firewall. Could the support bundle be transferred to the replacement firewall? If not, I presume that the replacement firewall could run temporarily without these services. Are there any other considerations that I am overlooking?

1 Solution
sw2090
Honored Contributor

Licenses can be transferred in the support portal. If you RMA a FortiGate, you can even have Fortinet transfer them to the new unit automatically.

If the spare is the same model, you can also transfer the config 1:1. Just create a backup from the current FGT and restore it there.

On models that are very close (like 100D and 100E), it may work to replace the first lines in the backup (they contain model and serial etc.) with those from a backup of the spare one and then restore this on the spare one.

Did that several times when I migrated from 100D to 100E.

In other cases you will have to edit your config to make it fit, because there may be different port names/layout. Some ports may not exist (a 300E, e.g., has no physical WAN1/2 interface). Also, some config options may not exist on different models.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
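
The header swap and port check described in the answer above, as an added example (not code from the post or from Fortinet). It assumes the backup's header is its leading run of `#` lines and that physical ports carry `set type physical`; the function names and both sample backups are constructed for illustration.

```python
import re

def split_header(cfg):
    """Split a backup into (header, body); the header is the leading run of '#' lines."""
    lines = cfg.splitlines()
    n = next((i for i, l in enumerate(lines) if not l.startswith("#")), len(lines))
    return lines[:n], lines[n:]

def physical_ports(cfg):
    """Top-level entries of 'config system interface' that carry 'set type physical'."""
    ports, depth, name = set(), 0, None
    for line in map(str.strip, cfg.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):
            depth += 1          # nested block inside an interface entry
        elif line == "end":
            depth -= 1
        elif depth == 1:
            m = re.match(r'edit "([^"]+)"$', line)
            if m:
                name = m.group(1)
            elif line == "set type physical" and name:
                ports.add(name)
    return ports

def prepare_for_spare(failed_cfg, spare_cfg):
    """Return (config with the spare's header, physical ports the spare lacks)."""
    spare_hdr, _ = split_header(spare_cfg)
    _, body = split_header(failed_cfg)
    missing = sorted(physical_ports(failed_cfg) - physical_ports(spare_cfg))
    return "\n".join(spare_hdr + body) + "\n", missing
# Constructed sample backups (model strings and versions are placeholders).
FAILED = """#config-version=FG100D-0.0.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set type physical
    next
    edit "vlan10"
    next
end
"""
SPARE = """#config-version=FG300E-0.0.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
        set type physical
    next
end
"""
```

Any port returned in the second value has to be renamed or remapped in the body before the restore; keep an untouched copy of the original backup alongside the edited one.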

3 REPLIES 3
SecurityPlus

Thank you. This is very helpful.
lobstercreed

I would also point out that the cost of HA (where even a brief failure is unacceptable) is not necessarily 2x everything.

If your sales team knows you're buying them for HA, they should give you more of a price break on hardware + support of the 2nd unit--at least if you buy them at the same time. I've seen it be closer to 50% more for the 2nd unit than what it would have been with just 1.

Something to keep in mind where uptime is critical and there's some wiggle room for cost.
