You could use the internal ports on each 60C in ' switch mode' , and connect each FGT to both switches. The switches should be linked to each other as well. But this setup, as well as your proposal, requires Spanning Tree protocol to be active on the switches. If available, Rapid STP is preferable as it converges more quickly. Basically, a HA cluster is ONE device, with one IP address and only one MAC address. Any additional connection after the first between the cluster and the switches must be put into the ' blocked' state by the Spanning Tree protocol, or you will experience a broadcast storm. So I don' t see why you shouldn' t configure a full mesh (4 connections) of which only 1 will be active/forwarding at any time. This is called resiliency, second best to ' full mesh active' . The latter would require that your switches form a cluster like the FGTs, called ' virtual cluster' (Juniper) or IRF (HP). IMHO a bit oversized for a pair of 60Cs.

You could use the internal ports on each 60C in ' switch mode' , and connect each FGT to both switches. The switches should be linked to each other as well. But this setup, as well as your proposal, requires Spanning Tree protocol to be active on the switches. If available, Rapid STP is preferable as it converges more quickly.

This is exactly what i have done, use the " built-in-switch" of the 60C.

I know you know, and I' m glad you figured it out previously and tested it in practice. I just wanted to point out that you' d have to configure STP on the switch(es), or create network loops otherwise.

Hi guys, Yep I' m with you... with my setup it' s a bit trickier than that because I have 3 VLANs to worry about (LAN WAN DMZ), so I can' t get away with using only the internal switch. I' d have to enable interface mode and create software switches to accommodate all 3 VLANS. However, I read this: http://kb.fortinet.com/kb/viewContent.do?externalId=FD31769&sliceId=1 Which indicates " soft switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces." So end of the day I won' t be able to go that route if I can' t use HA monitoring on the software switches. So still thinking my only option is just to go with one FGT hooked up to each switch and use FGT fail-over in case of switch failure

em, the 60C has got 4 independent interfaces even in switch mode - switch, WAN1, WAN2, DMZ. One of them would be your HA link, the switch for the VLANs. Should suffice.

Thing is - I have 2 FGTS and 3 VLANs: WAN, LAN, DMZ on 2 trunked switches. I want each VLAN to have a redundant connection to each switch. So that' s 6 cables to each firewall, 12 cables total. That' d mean something like (for each of fw01 and fw02): WAN VLAN on switch01 connected to WAN1 WAN VLAN on switch 02 connected to WAN2 LAN VLAN on switch 01 connected to internal 1 LAN VLAN on switch 02 connected to internal 2 DMZ VLAN on switch 01 connected to DMZ DMZ VLAN on switch 02 connected to internal 3 internal 5 for heartbeat between fw01/fw02 But the part I' ve been talking about above is how I can link those interfaces internally in the FGT. E.g. I want WAN1 and WAN2 in this example to be like a single interface with a single IP address. Same for internal1/2 and DMZ/internal3. As per the subject of the thread, the best way is link aggregation or interface redundancy.. but those aren' t available... and a software switch is an option, but it' s not HA monitorable, doesn' t fail over as quickly, and has some downsides in performance I think.

I think this is overly complicated, i.e. a bit theoretical. If you just connect each FGT to one switch you will have redundancy at 100% - if one switch dies, the disconnected FGT will fail over to it' s sibling, and traffic continues to flow. Only in A-A mode you' d notice less throughput. Just make sure you monitor at least one connection to the switch so that a switch failure gets noticed.

Yep, that' s also what I was saying above the last couple posts.. I' ve also decided to do it that way instead since otherwise I' d need a 200B with link aggregation to " do it the right way" with link aggregation and a full mesh setup. Thanks for all the help guys, think I' ve got this settled