Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vishal
New Contributor

Active-Actvie FGT 200E

Hi Team,

 

I want to configure new FGT200E as A-A HA with existing working FGT200E in my infrastucture. Can anyone let me know what are the prerequisite and precaution need to follow for this activity. Below are licenses which i had on my existing firewall.

 

1) IPS

2) Antivirus

3) Web filtering

4) log retention

5) fortisandbox cloud.

 

As my New FGT200E would be factory reset, so i want my existing FGT200E should be primary so that configuration would not be effected.

 

Regards,

Vishal

6 REPLIES 6
hubertzw
Contributor III

Hi, is there any specific reason why you decided to select this type of HA? Are you aware of the workload in A-A? Interfaces of the primary unit are bottlenecks. Traffic which is offloaded to the 2nd peer first arrive on the primary unit and then is forwarded on the same interface on the secondary unit. All traffic which will be offloaded has to go through the interface twice. Also remember not all traffic can be offloaded. For example sessions with proxy based inspection. Regarding primary unit - the default settings 'override disabled' prefer unit with: 1) higher number of monitored interfaces 2) HA uptime 3) priority 4) serial number so you should be fine.

vishal

Hi hubertzw,

 

Thanks for your reply.

 

As number of users are very high, i want to achieve load share of that traffic.

 

hubertzw

When you design HA always assume that one day one of these nodes fails and all traffic will be processed by one node. It means you shouldn't see more than 40% of memory/CPU consumption on your nodes, otherwise when it happens, FG will drop sessions or just enter into the conserve mode and start dropping all new sessions. This is something what you should avoid.

Markus
Valued Contributor

Remember: you have also to licencing the UTM features on the second box.


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
Ashik_Sheik

Hi,

 

For HA you need the below 

 

[ol]
  • Same Model
  • Same Firmware 
  • Same Licence 
  • If another Fortigate Cluster in the network then keep diffrerent group ID .[/ol]

    Before you begin, make sure that the FortiGates interfaces are not configured to get their addresses from DHCP or PPPoE. Also, you can't use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces.

     

    Hope this helps ..

  • Sheik Mahammad Ashik
    Sheik Mahammad Ashik
    vishal

    Hi Everyone,

    Currently im having only one dedicated HA port in my fortigate, so im planning to use any other gigabit ethernet port other than management for 2nd HA port. Can anyone help me on below points 

    1) Configuration need to do on normal gig port for HA 

    2) how to configure interface in monitored so if any link fails trigger will happen

    3) How override enable or disable mode behave in A-A HA mode.

     

    Regards,

    Vishal

     

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors