Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Necron99
New Contributor

HA and licensing

This question has been answered before in that FortiGate requires one to maintain identical licensing in an HA pair. So my question is more specific. What happens if you don't? I am fine if the secondary [non-licensed] device gets promoted to primary and all the FortiGuard services stop working, I will promote the licensed one to primary or get a replacement if it dies. I can live with the non-licensed device being primary for a little while. Anything else that I might need to think about? I don't need support from FortiCare with the non-licensed device, since any issues will be handled on the licensed one always acting as primary.

 

Thoughts? And by thoughts, I don't need advice like just license both of them you cheapskate or similar. Thanks.

1 Solution
Kenundrum

We decided to go with different support/replacement terms to save some money on our renewals for HA. The primary unit has 24x7 with best available time for replacement, the secondary units have 8x5 with slower hardware replacement terms; standalone devices have 24x7. They both have the same software/FortiGuard/etc. entitlement, so there's no concern with having out-of-date signatures or FortiGuard web filtering breaking during a failover.

For what it's worth (as well), I've worked in budget-constrained environments in the past and there were some loopholes you could jump through to minimize what you needed to buy. Also, typically in those environments you don't end up with HA because it literally doubles the cost of everything. I won't go into details, but here are some of the things that might happen in your situation.

If you have a failover, your secondary unit will likely have out-of-date IPS/AV signatures, but IPS/AV will continue to work, just with old sigs. If you are running in Active/Active, this may actually already be happening, which could be a problem: if scanned traffic gets sent to the secondary unit, an attack may not be detected if the signatures are out of date on it. If you have FortiGuard web filtering turned on, any policies using it will begin to block traffic as it can't determine a category. You can't switch FortiGuard entitlements willy-nilly, so you can't just switch the license from primary to secondary during a failover; typically it's only for RMA replacements. I had to physically move and restore configs on two (thankfully identical) devices that had their support terms swapped by mistake; they wouldn't do it after they were assigned to hardware. If you have a problem on your secondary unit, you will need to buy support for that one. Contracts are retroactive until the date of last coverage or 6 months, whichever is less. So if your secondary device dies and you buy a 1-year contract for it after having been inactive for 2 years, you end up with only 6 months of coverage remaining right away. They instituted that policy years ago to prevent people from only buying contracts when they have RMA needs and abusing it.

CISSP, NSE4

emnoc
Esteemed Contributor III

Well, you should have the same subscriptions across the HA cluster. You ask "what will happen?" Simple: any UTM feature not present will fail or fail to work, or you will have other configuration issues from cfg-sync.

e.g.

A lack of IPS subscription on unit#2 will probably cause a lot of cfg-sync issues if you had "unit#1 active" and had to fail to unit# with no subscriptions.

 

Why would you ask this question in the 1st place? Purchasing a subscription bundle on one unit and then clustering the 2 together with a non-subscription model is not good mojo or smart. Follow the FTNT guidelines and don't worry about anything, and know you have a proper HA (HA == High Availability, and that means all services imho).

I would look at what bundle and type you have, and what you're using.

And yes, you're a cheapskate.

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

We're talking about an essential service for a professional network here. Apparently the firewall's function is so important to you (or your business) that you decide to buy a second FGT and protect your network 24/7, no matter what happens. And then, after all this effort, you shy away from a couple of hundred bucks for the second subscription?

I'd say this is more a matter of business priorities than a technical issue.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

For what it's worth, I believe if you are going to run in HA mode, 40Net offers a slightly discounted rate for the second device. Don't hold me to that. It's been a while since I had to deal with that.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Bob,

I've never seen an official HA discount, but I know some partners will reduce their take on the 2nd license, but I've only seen that offered at the initial purchase and only with the 3-year bundles.

I believe the HA protocol might initialize between two differently licensed models, but I don't believe an execute ha-ignore-revision is going to work here ;)

Both units need to be identical in all aspects (version, hardware, subscriptions, etc.).

Just my 2cts

 

Ken

PCNSE 

NSE 

StrongSwan  

Kenundrum

emnoc wrote:

I've never seen an official HA discount, but I know some partners will reduce their take on the 2nd license, but I've only seen that offered at the initial purchase and only with the 3-year bundles.

 

I concur with this- it's what happened to me. I got a slight break on the HA devices during the initial buy. No breaks on renewal. I remember hearing about it from various sources, but never have I actually gotten it (for Fortinet equipment). Typically you'll end up with considerations regarding the overall deal rather than specifically for HA.

CISSP, NSE4

 


Necron99

Kenundrum wrote:

We decided to go with different support/replacement terms to save some money on our renewals for HA. The primary unit has 24x7 with best available time for replacement, the secondary units have 8x5 with slower hardware replacement terms; standalone devices have 24x7. They both have the same software/FortiGuard/etc. entitlement, so there's no concern with having out-of-date signatures or FortiGuard web filtering breaking during a failover.

For what it's worth (as well), I've worked in budget-constrained environments in the past and there were some loopholes you could jump through to minimize what you needed to buy. Also, typically in those environments you don't end up with HA because it literally doubles the cost of everything. I won't go into details, but here are some of the things that might happen in your situation.

If you have a failover, your secondary unit will likely have out-of-date IPS/AV signatures, but IPS/AV will continue to work, just with old sigs. If you are running in Active/Active, this may actually already be happening, which could be a problem: if scanned traffic gets sent to the secondary unit, an attack may not be detected if the signatures are out of date on it. If you have FortiGuard web filtering turned on, any policies using it will begin to block traffic as it can't determine a category. You can't switch FortiGuard entitlements willy-nilly, so you can't just switch the license from primary to secondary during a failover; typically it's only for RMA replacements. I had to physically move and restore configs on two (thankfully identical) devices that had their support terms swapped by mistake; they wouldn't do it after they were assigned to hardware. If you have a problem on your secondary unit, you will need to buy support for that one. Contracts are retroactive until the date of last coverage or 6 months, whichever is less. So if your secondary device dies and you buy a 1-year contract for it after having been inactive for 2 years, you end up with only 6 months of coverage remaining right away. They instituted that policy years ago to prevent people from only buying contracts when they have RMA needs and abusing it.

Good point, I forgot about retroactive contracts, they are all the rage with everyone nowadays.

ede_pfau
Esteemed Contributor III

So helpful. Thanks for the sermon which I specifically asked respondents to not post.
If you don't want to hear what others think then don't ask.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

I have to concur with the other Ken ;)

 

We did the same and saved tons of money in a 200+ device network. All standby units had an 8x5 support contract, but this has nothing to do per se with the subscriptions, just with support and RMA cost. Also, if you are truly HA, do you need a 24x7 support contract?

If you shop around, you can find numerous helpful ways to save $$$$.$$$ or Euros.

Another trend is to use virtual appliances for internal security segments. How many orgs really need physical hardware? The price saving per PHY-VIRT can add up to real savings if you're looking at TCO numbers.

 

PCNSE 

NSE 

StrongSwan