Fortinet Forum
yas13899
New Contributor II

Using two different FortiGate products together

Hello

I have two FortiGate devices, 500E and 600E ... I know in this case that I can't benefit from HA.

So right now I'm just using 600E in my production network.

Is there any way that I can get the most out of these devices together?

Thanks

1 Solution
Toshi_Esumi
Esteemed Contributor

FGCP & FGSP require the same model. Not much integration you can do between two different FGTs. They're simply two different routers. You can of course use one of them for your network segmentation while the other works as a border FW to the internet.

If you have multiple internet circuits, you can split them to two FGTs, then set routing between them splitting the internet into two halves like 0.0.0.0/1 and 128.0.0.0/1. But you have to maintain the same set of policies manually on two FGTs. Also you need to decide if you want to split the LAN side as well, or not.

It would add more work and complication than benefit, so I wouldn't try it.

Toshi
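
An added example, not part of the original thread and not Fortinet tooling: because the reply above notes that the same policy set has to be maintained by hand on both FGTs, this script compares the `config firewall policy` section of two configuration backups and reports drift. The function names are hypothetical, the two exports are constructed samples, and it assumes a policy carries the same name on both units.

```python
import shlex
IGNORED = {"uuid"}  # assumption: per-unit values that never match across devices

def parse_policies(config_text):
    """Return {policy name: {setting: sorted values}} from 'config firewall policy'."""
    policies, current, pid, in_block = {}, {}, "", False
    for raw in config_text.splitlines():
        tok = shlex.split(raw) or [""]  # assumes one-line settings, no nested tables
        if not in_block:
            in_block = tok == ["config", "firewall", "policy"]
        elif tok[0] == "end":
            break
        elif tok[0] == "edit":
            pid, current = tok[1], {}
        elif tok[0] == "set" and tok[1] not in IGNORED:
            current[tok[1]] = sorted(tok[2:])  # order of multi-value lists is ignored
        elif tok[0] == "next":
            policies[current.get("name", ["id:" + pid])[0]] = current
    return policies

def policy_drift(cfg_a, cfg_b):
    """Report policies present on one unit only, and settings that differ."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    changed = {}
    for name in sorted(a.keys() & b.keys()):
        for key in sorted(a[name].keys() | b[name].keys()):
            if a[name].get(key) != b[name].get(key):
                changed.setdefault(name, {})[key] = (a[name].get(key), b[name].get(key))
    return {"only_a": sorted(a.keys() - b.keys()),
            "only_b": sorted(b.keys() - a.keys()), "changed": changed}

# Constructed sample exports (not from the thread); real backups carry more settings.
FGT_A = """config firewall policy
    edit 1
        set name "lan-to-internet"
        set uuid aaaaaaaa-0000-0000-0000-000000000001
        set service "HTTPS" "DNS"
        set av-profile "default"
    next
    edit 2
        set name "guest-deny-lan"
    next
end"""
FGT_B = """config firewall policy
    edit 7
        set name "lan-to-internet"
        set uuid bbbbbbbb-0000-0000-0000-000000000002
        set service "DNS" "HTTPS" "HTTP"
    next
end"""
```

Calling `policy_drift(FGT_A, FGT_B)` on the samples flags the missing deny policy and the missing AV profile on the second unit, which are the kinds of gaps that open up when two rule sets are edited by hand.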


3 REPLIES
AlexC-FTNT
Staff

You can still have Session Support between these devices, even if not in true HA:

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/796662/fgsp-fortigate-session...

This provides some redundancy.

Another way to get the best of them is to divide the tasks done by each one of them.
For example, one can do the proxy-based inspection needed in security profiles, or perform the explicit-proxy function (if needed), while the other can work in flow-based mode.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
yas13899
New Contributor II

Thank you for your reply

The provided link solution states that:


FortiGates in both entities must be the same model and must be running the same firmware.

which is also not applicable in my case
