Hi Guys,
My company bought a Fortigate 80F a few months back. At that time we had around 85 users, and a Fortigate technical person suggested that it would handle up to 100 users in our environment. Now around 70 more people have joined our company, so the total will be around 160 employees. I have a few questions:
1) If we buy one more 80F firewall and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, if one firewall can handle 100 users and we have two firewalls, will 200 users be able to work?
2) Will the number of VPN users able to connect to the firewall also increase after adding the second firewall?
3) In the future, if we get more employees (e.g. 500), what is the best practice to handle the load?
Satyam wrote: 1) If we buy one more 80F firewall and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, if one firewall can handle 100 users and we have two firewalls, will 200 users be able to work?
2) Will the number of VPN users able to connect to the firewall also increase after adding the second firewall?
You can't do that with an HA A-A cluster; that's not possible, and here is why:
The only additional advantage of Active-Active over Active-Passive is that active-active HA load balancing distributes proxy-based security profile processing to all cluster units. Proxy-based security profile processing is CPU- and memory-intensive, so FGCP load balancing may result in higher throughput because resource-intensive processing is distributed among all cluster units.
If the sessions are allowed by a policy without security profiles enabled, then they are not going to be load balanced.
Other than that, in all other ways active-active HA operates the same as active-passive HA.
SSL VPN is limited to 200 users; alternatively you can use dialup IPsec with FortiClient, then you can connect up to 2500 users.
Satyam wrote: 3) In the future, if we get more employees (e.g. 500), what is the best practice to handle the load?
This link to the 80F datasheet, for your reference, shows the limitations: https://www.fortinet.com/...rtiwifi-80f-series.pdf
I am L2 TAC - NSE7
It certainly isn't 2 times, and for a lot of things it remains the same. FortiGate active/active allows for some extra traffic handling at the CPU level. Your traffic still goes into one unit, so the limits there still exist. It also complicates troubleshooting, so I usually don't advise it.
Also, the whole "firewall X does Y users" doesn't feel very correct to me. It really depends on what those users do, so it is probably a very rough estimate.
I would keep an eye on the CPU / memory / sessions and see if those remain within limits.
The better solution, if you are seeing bottlenecks, is to buy a bigger model. You can usually move the config easily enough if you account for the different interfaces.
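The advice above to watch CPU, memory and session counts can be turned into a repeatable check. The following script is an added example, not code from this thread or from Fortinet: it parses the text of the FortiGate CLI command `get system performance status` (the sample output is constructed, and the exact field layout is assumed; it can differ between firmware versions), flags metrics that cross warning thresholds, and projects the session count to a larger headcount (the 500 users asked about) from the current sessions-per-user ratio. The `MAX_SESSIONS` figure is a placeholder to be replaced with the concurrent-session value from the model's datasheet; the warning thresholds are likewise assumptions.

```python
"""Capacity check for a FortiGate from CLI performance output.

Added example, not code from the forum thread or from Fortinet. It reads
the text of `get system performance status`, flags CPU/memory/session
values that cross warning thresholds, and projects sessions to a larger
user count so that a hardware decision can be made before the box is
saturated (sustained high memory use is the figure to watch, because a
FortiGate enters memory conserve mode once its memory thresholds are hit).
"""
import re

# PLACEHOLDER: replace with the concurrent-session figure from the model's datasheet.
MAX_SESSIONS = 100_000
# Assumed warning thresholds; tune to the environment.
WARN_CPU_PCT = 70.0
WARN_MEM_PCT = 75.0
WARN_SESSION_FRACTION = 0.8

# Constructed sample of `get system performance status` output (assumed format).
SAMPLE_PERF = """\
CPU states: 62% user 9% system 0% nice 27% idle 2% iowait 0% irq 0% softirq
CPU0 states: 60% user 10% system 0% nice 28% idle 2% iowait 0% irq 0% softirq
Memory: 3871284k total, 2955620k used (76.3%), 915664k free (23.7%)
Average network usage: 38412 / 37201 kbps in 1 minute, 36100 / 35020 kbps in 10 minutes
Average sessions: 14230 sessions in 1 minute, 13950 sessions in 10 minutes, 12100 sessions in 30 minutes
Average session setup rate: 85 sessions per second in last 1 minute, 80 sessions per second in last 10 minutes
Uptime: 41 days, 3 hours, 12 minutes
"""


def parse_performance(text):
    """Extract CPU busy %, memory used % and the 1-minute average session count."""
    metrics = {}
    # Overall CPU line only ("CPU states:"), not the per-core "CPU0 states:" lines.
    m = re.search(r"^CPU states:.*?(\d+)% idle", text, re.MULTILINE)
    if m:
        metrics["cpu_busy_pct"] = 100.0 - float(m.group(1))
    m = re.search(r"^Memory:.*?used \(([\d.]+)%\)", text, re.MULTILINE)
    if m:
        metrics["mem_used_pct"] = float(m.group(1))
    m = re.search(r"^Average sessions:\s*(\d+) sessions in 1 minute", text, re.MULTILINE)
    if m:
        metrics["sessions_1m"] = int(m.group(1))
    return metrics


def evaluate_capacity(metrics, current_users, projected_users, max_sessions=MAX_SESSIONS):
    """Return (findings, projected_sessions).

    findings: human-readable warnings for thresholds that were crossed.
    projected_sessions: current sessions-per-user scaled to projected_users.
    """
    findings = []
    cpu = metrics.get("cpu_busy_pct")
    if cpu is not None and cpu >= WARN_CPU_PCT:
        findings.append(f"CPU busy {cpu:.0f}% >= {WARN_CPU_PCT:.0f}%")
    mem = metrics.get("mem_used_pct")
    if mem is not None and mem >= WARN_MEM_PCT:
        findings.append(f"memory used {mem:.1f}% >= {WARN_MEM_PCT:.0f}%")
    sessions = metrics.get("sessions_1m")
    projected = None
    if sessions is not None:
        session_ceiling = WARN_SESSION_FRACTION * max_sessions
        if sessions >= session_ceiling:
            findings.append(f"sessions {sessions} >= {session_ceiling:.0f}")
        # Linear projection: assumes new staff generate sessions like current staff.
        per_user = sessions / current_users
        projected = round(per_user * projected_users)
        if projected >= session_ceiling:
            findings.append(
                f"projected {projected} sessions at {projected_users} users >= {session_ceiling:.0f}"
            )
    return findings, projected


if __name__ == "__main__":
    metrics = parse_performance(SAMPLE_PERF)
    findings, projected = evaluate_capacity(metrics, current_users=160, projected_users=500)
    print("metrics:", metrics)
    print("projected sessions at 500 users:", projected)
    for f in findings:
        print("WARNING:", f)
```

Run it periodically against saved CLI output (or feed it the output of an SSH session) and trend the three metrics; the projection is deliberately linear, so treat it as a first estimate and revisit it once SSL VPN or IPsec load changes the per-user session profile.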
I think boneyard covered the gist of act-act. I will add to #3: in all network planning you need to plan. In some cases that means "consult". If you truly believe 500 users are coming, and have trending that shows an increased number of sessions, IPsec, SSL VPN, or if you are doing or planning SSL VPN decryption, then you need to analyze the hardware requirement now and get the right hardware.
Also look at the BCP for HA, and with act-act, for the gotchas and things to consider:
https://docs.fortinet.com/document/fortigate/6.0.0/best-practices/972663/fgcp-high-availability
And lastly, in my 16 years of doing act-act, I've only seen it used 4 times.
Ken Felix
PCNSE
NSE
StrongSwan