Hi Team,
I want to configure a new FGT200E as A-A HA with an existing working FGT200E in my infrastructure. Can anyone let me know what the prerequisites and precautions are that I need to follow for this activity? Below are the licenses which I have on my existing firewall.
1) IPS
2) Antivirus
3) Web filtering
4) log retention
5) fortisandbox cloud.
As my new FGT200E would be factory reset, I want my existing FGT200E to be primary so that the configuration would not be affected.
Regards,
Vishal
Hi, is there any specific reason why you decided to select this type of HA? Are you aware of the workload in A-A? Interfaces of the primary unit are bottlenecks. Traffic which is offloaded to the 2nd peer first arrives on the primary unit and is then forwarded on the same interface to the secondary unit. All traffic which will be offloaded has to go through the interface twice. Also remember that not all traffic can be offloaded, for example sessions with proxy-based inspection. Regarding the primary unit: with the default setting 'override disabled', the preferred unit is the one with 1) the higher number of monitored interfaces, 2) HA uptime, 3) priority, 4) serial number, so you should be fine.
Hi hubertzw,
Thanks for your reply.
As the number of users is very high, I want to achieve load sharing of that traffic.
When you design HA, always assume that one day one of these nodes fails and all traffic will be processed by one node. It means you shouldn't see more than 40% memory/CPU consumption on your nodes; otherwise, when it happens, the FG will drop sessions or just enter conserve mode and start dropping all new sessions. This is something you should avoid.
Remember: you also have to license the UTM features on the second box.
________________________________________________________
--- NSE 4 ---
________________________________________________________
Hi,
For HA you need the below
Before you begin, make sure that the FortiGates' interfaces are not configured to get their addresses from DHCP or PPPoE. Also, you can't use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces.
Hope this helps.
Hi Everyone,
Currently I have only one dedicated HA port in my FortiGate, so I am planning to use another gigabit ethernet port, other than management, as the 2nd HA port. Can anyone help me with the below points?
1) Configuration needed on a normal gig port for HA
2) How to configure an interface as monitored so that a trigger will happen if any link fails
3) How override enable or disable mode behaves in A-A HA mode
Regards,
Vishal
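Putting the three points in the question above, together with the primary-unit selection order hubertzw gave and the heartbeat-interface prerequisites from the earlier reply, into one FortiOS CLI script (an added example, not from anyone in the thread or from Fortinet's own documentation; the interface names "ha", "port16", "port1", "port2", the group name, group-id and password are assumed placeholders to replace with your own):

```text
# Run on EACH FGT200E. HA settings are synchronised once the cluster forms,
# except unit-specific ones such as override and priority.
#
# 1) Second heartbeat on a regular GE port: the port must be a standalone
#    interface (remove it from any hardware/virtual switch first), static,
#    without an IP address, and not carrying user traffic.
config system interface
    edit "port16"
        set mode static
        set ip 0.0.0.0 0.0.0.0
    next
end

config system ha
    set group-name "FGT200E-CLUSTER"
    set group-id 10
    set mode a-a
    set password "<cluster-password>"
    # heartbeat interfaces as <name> <priority>: the dedicated "ha" port
    # (higher value) is preferred, "port16" is the backup heartbeat
    set hbdev "ha" 100 "port16" 50
    set hb-interval 2
    set hb-lost-threshold 6
    set session-pickup enable
    # 2) monitored interfaces: a link failure on any of them makes this unit
    #    lose the "most monitored interfaces up" comparison, so the peer
    #    becomes primary
    set monitor "port1" "port2"
    # 3) override disabled (default): monitored links, then HA uptime, then
    #    priority, then serial number. The existing unit has the longer
    #    uptime, so it stays primary and the factory-reset unit joins as
    #    secondary. With override enabled, priority is compared before
    #    uptime and the higher-priority unit preempts whenever it is up,
    #    which adds a second switchover after every recovery.
    set override disable
    set priority 128
end

# verify after the new unit joins: role, uptime and matching checksums
get system ha status
diagnose sys ha checksum cluster
```

Leave the new unit powered off until the script is applied to it, then connect the heartbeat links; the checksum output must match on both units before you trust the synchronisation.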
Copyright 2024 Fortinet, Inc. All Rights Reserved.