vasugk
New Contributor III

VRRP configuration on two Fortinet firewalls configured for high availability

Hi All,

We have two Fortinet firewalls currently configured in HA. We are planning to configure VRRP in order to have L3 redundancy. My question: can we have HA and VRRP together?

Thank you,

Sr

7 REPLIES
sagha
Staff

Hi vasugk

A few questions here would be helpful:

1. Are you planning to configure FGT devices in VRRP that are already in HA?

2. Is it a third-party device you are going to use for VRRP with the FGT cluster?

Please note that FGTs, when in HA, act as one device active at a time. With this, there should not be a problem if you are configuring VRRP with some third-party device.

However, if you are planning to implement VRRP between two FGTs that are in a cluster, there is a possibility that it might not work.

Please look into this post: https://community.fortinet.com/t5/Fortinet-Forum/VRRP-vs-HA/m-p/80772?m=160969

You can get some answers from here.

Also please look at the community article regarding VRRP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VRRP-configuration-and-debug/ta-...

Let us know if you have any further questions.

Thanks,

Shahan

vasugk
New Contributor III

Hi Shahan,

Thank you for the reply.

1. Are you planning to configure FGT devices in VRRP that are already in HA? Yes

2. Is it a third-party device you are going to use for VRRP with the FGT cluster? No, we don't have a plan to use a third-party device.

Yes, I know that in HA one device acts as active. We have the wrong design at present; we want to achieve routing redundancy.

Regards,

Sr

sagha

Hi vasugk

For that you should either look into active-active HA or break the HA cluster and use the FGTs as standalone devices.

Unfortunately, we do not have any examples that highlight such an implementation.

Thanks.

Shahan

akristof

Hi,

Just to add more details. If you try to configure VRRP on a FortiGate that is already in an HA cluster, it will not work: first, that config will be copied to the secondary device, and second, when the secondary device is passive, it will not have the VRRP process running. Anyway, HA will provide you with L3 redundancy. If the primary device goes down, the secondary device will become active and will handle requests as your gateway. Similarly, it uses virtual MACs to provide this.

Adrian
Toshi_Esumi
Esteemed Contributor III

The concept of HA a-p is a system-wide version of VRRP. While VRRP's scope focuses only on interface groups, HA does the fail-over system-wide. With VRRP, its members communicate over the interfaces, while HA members communicate with each other over heartbeat connections.

Toshi 

vasugk
New Contributor III

Hi Shahan / Adrian,

Thank you for your replies. We will try removing HA and configuring VRRP; once it's done I will upload the result.

One more thing I want to check with you guys: can we use a port bond for VRRP? I read somewhere that VRRP will not work on a port bond.

Thank you

Srini

akristof

Hello,

You mean on an aggregate port? If yes, then it will work if the aggregate port has an IP address (or a VLAN bound to that agg port).

Adrian