We are installing a new HA pair of 501E's (v5.6) to replace some older FG's, and we're adding a FAZ 400E (v6.0) to the mix. No FAZ installed previously. I have one FAZ port on our mgmt VLAN and I can access it fine. I plan to use a separate FAZ port to receive the logging from the FG(s). Is there any way to cable the FAZ directly to the HA pair to receive logging? E.g., port10 on first 501E to FAZ port3 and port10 on second 501E to FAZ port4.
I don't see any internal switching capability in the FAZ to put two ports together with a single IP address. I don't see any layer 2 protocol options between FAZ & FG either. I don't have any other bright ideas. Has anyone attempted this with success?
If we use only one FAZ port then whatever switch module that port connects to is a single point of failure. All other devices of this significance in our network have redundant connections to different switch modules. We don't see the need for a 2nd FAZ as we will also be logging to the 501E internal disks and a separate syslog server too. I just want this cabling redundancy if the device design allows for it. Perhaps I should have thought of this before choosing the appliance over the VM license, but let's not dwell on that!
Thanks,
Fred
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'm still curious too, but last year I did dig around and found no hint of a way to do any sort of link redundancy. We use LACP for virtually every other piece of infrastructure, so that would be ideal but even the simple redundant links feature found on the FortiGates would do the job. I don't like our chances.
...Fred
I believe the hard appliance doesn't do LACP. Since the analyzer is NOT crucial for traffic flow I highly doubt FTNT will add this feature in. Open a Feature Request with sales and see what they say.
Ken Felix
PCNSE
NSE
StrongSwan
My 2 cents on that:
Go for a single connection, and an intermediate switch.
The passive cluster member gets the same FAZ IP address as the active member, always.
I'd guess that a small sturdy, metal case 5- or 8-port switch won't die in the next years. Or partition an existing switch stack. The FAZ isn't redundant anyway. And doesn't need be, not as much as the FGTs.
Back to the point though: is there a way to have redundant cables on one FAZ? I'm presuming no one else knows of a way to do it either. It just doesn't seem to be in the design of the FAZ boxes - like say, configuring redundant interfaces on an FG.
...Fred
Bump. I'd also like to confirm if the FAZ supports link aggregation or separating management NICs from "data" NICs.
I'm still curious too, but last year I did dig around and found no hint of a way to do any sort of link redundancy. We use LACP for virtually every other piece of infrastructure, so that would be ideal but even the simple redundant links feature found on the FortiGates would do the job. I don't like our chances.
...Fred
I believe the hard appliance doesn't do LACP. Since the analyzer is NOT crucial for traffic flow I highly doubt FTNT will add this feature in. Open a Feature Request with sales and see what they say.
Ken Felix
PCNSE
NSE
StrongSwan
Also, it appears that you cannot separate the management & data planes on to separate NICs which is unfortunate.
It is true that LACP is not currently available for FortiAnalyzer hardware appliances. It is being considered for a future maintenance release. By all means, talk to your Fortinet sales team to help prioritize that feature on the roadmap.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1707 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.