Satyam
New Contributor

Does Active-Active HA support more users?

Hi Guys,

My company bought a FortiGate 80F a few months back. At that time we had around 85 users, and the Fortinet technical person suggested that it would handle up to 100 users in our environment. Now we have around 70 more people who have joined our company, so the total number of employees will be around 160. I have a few questions:

1) If we buy one more 80F firewall and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, if one firewall can handle 100 users and we have two firewalls, will 200 users be able to work?

2) Will the number of VPN users that can connect to the firewall also increase after adding the second firewall?

3) In the future, if we get more employees (e.g. 500), what is the best practice to handle the load?

1 Solution
AHMED_E
New Contributor II

Satyam wrote:

1) If we buy one more 80F firewall and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, if one firewall can handle 100 users and we have two firewalls, will 200 users be able to work?

2) Will the number of VPN users that can connect to the firewall also increase after adding the second firewall?

You can't do that with an HA A-A cluster; that's not possible. Here is why:

The only additional advantage of Active-Active over Active-Passive is that active-active HA load balancing distributes proxy-based security profile processing to all cluster units. Proxy-based security profile processing is CPU- and memory-intensive, so FGCP load balancing may result in higher throughput because resource-intensive processing is distributed among all cluster units.

If the sessions are allowed by a policy without security profiles enabled, then they are not going to be load balanced.

Other than that, in all other ways active-active HA operates the same as active-passive HA.

 

Satyam wrote:
 

3) In the future if we get more employees (eg. 500), what is the best practice to handle the load?

SSL VPN users is limited up to 200 users, alternatively you can use dialup IPsec with FortiClient, then you can connect up to 2500 users. 

This link for 80F datasheet for your reference which shows limitations : https://www.fortinet.com/...rtiwifi-80f-series.pdf

I am L2 TAC - NSE7

3 REPLIES
boneyard
Valued Contributor

It certainly isn't 2 times, and for a lot of things it remains the same. FortiGate active/active allows for some extra traffic handling at the CPU level. Your traffic still goes into one unit, so the limits there still exist. It also complicates troubleshooting, so I usually don't advise it.

Also, the whole "firewall X does Y users" doesn't feel very correct to me. It really depends on what those users do, so it probably is a very rough estimate.

I would keep a look at the CPU / mem / sessions and see if those remain within limits.

The better solution, if you are seeing bottlenecks, is to buy a bigger model. You can usually move the config easily enough if you account for the different interfaces.

emnoc
Esteemed Contributor III

I think boneyard covered the gist of act-act. I will add to #3: in all network planning you need to plan. In some cases that means "consult". If you truly believe 500 users are coming, and have trending that shows an increased number of sessions, IPsec, SSL VPN, or if you are doing or planning SSL VPN decrypt, then you need to analyze the hardware requirement now and get the right hardware.

Also look at the BCP for HA, and with act-act, for the gotchas and things to consider:

https://docs.fortinet.com/document/fortigate/6.0.0/best-practices/972663/fgcp-high-availability

And lastly, in my 16 years of doing act-act, I've only seen it used 4 times.

Ken Felix

PCNSE 

NSE 

StrongSwan  
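Both boneyard (watch CPU / memory / sessions against the unit's limits) and emnoc (plan from a trend, not a headcount rule of thumb) describe the same capacity-planning exercise. The script below is an added example, not from this thread and not Fortinet code: it fits a straight line of each resource metric against headcount over a set of constructed readings, projects the metrics at a planned headcount (160 now, 500 later), and reports the largest headcount that stays within every limit on a single unit. The only limit taken from the thread is the 200 concurrent SSL VPN users; the CPU and memory ceilings are assumed operating thresholds, the session limit is left unset as a placeholder to be filled from the datasheet, and all readings are constructed. The projection is deliberately per-unit, because a second A-A node does not raise these limits.

```python
"""Capacity-trend check over constructed FortiGate resource readings.

Added example (not from the thread, not Fortinet code). Fits each metric
against headcount and projects where a fixed limit would be reached, so a
growth plan can be checked against one unit's limits rather than assuming a
second active-active node doubles them.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Sample:
    users: int          # headcount when the reading was taken
    cpu_pct: float      # average CPU utilisation (%)
    mem_pct: float      # memory utilisation (%)
    sessions: int       # concurrent firewall sessions
    sslvpn_users: int   # concurrent SSL VPN users


# Constructed readings for illustration only; real values would be collected
# from the unit's performance statistics over several weeks.
SAMPLES: List[Sample] = [
    Sample(85, 30.0, 40.0, 8500, 40),
    Sample(110, 35.0, 45.0, 11000, 55),
    Sample(135, 40.0, 50.0, 13500, 70),
    Sample(160, 45.0, 55.0, 16000, 85),
]

# 200 SSL VPN users is the figure quoted in the thread. The CPU and memory
# ceilings are assumed operating thresholds, not datasheet values. None means
# "no limit entered yet" (placeholder: take the figure from the datasheet).
LIMITS: Dict[str, Optional[float]] = {
    "cpu_pct": 70.0,
    "mem_pct": 70.0,
    "sessions": None,
    "sslvpn_users": 200,
}

METRICS = ("cpu_pct", "mem_pct", "sessions", "sslvpn_users")


def fit_line(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of ys against xs."""
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two readings to fit a trend")
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all readings have the same headcount")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def trends(samples: List[Sample]) -> Dict[str, Tuple[float, float]]:
    """(slope, intercept) of every metric as a function of headcount."""
    xs = [float(s.users) for s in samples]
    return {m: fit_line(xs, [float(getattr(s, m)) for s in samples]) for m in METRICS}


def project(samples: List[Sample], target_users: int) -> Dict[str, float]:
    """Projected value of every metric at target_users."""
    return {m: a * target_users + b for m, (a, b) in trends(samples).items()}


def headroom(samples: List[Sample], target_users: int,
             limits: Dict[str, Optional[float]] = LIMITS) -> Dict[str, bool]:
    """True where the projection stays within its limit (or no limit is set)."""
    proj = project(samples, target_users)
    return {m: limits.get(m) is None or proj[m] <= limits[m] for m in METRICS}


def max_supported_users(samples: List[Sample],
                        limits: Dict[str, Optional[float]] = LIMITS) -> Optional[int]:
    """Largest headcount at which every limited, growing metric stays within
    its limit on one unit; None if no metric both grows and has a limit."""
    bound = math.inf
    for m, (slope, intercept) in trends(samples).items():
        limit = limits.get(m)
        if limit is None or slope <= 0:
            continue  # no limit entered, or the metric does not grow with headcount
        users_at_limit = (limit - intercept) / slope
        bound = min(bound, math.floor(users_at_limit + 1e-9))  # guard float rounding
    return None if bound == math.inf else int(bound)


if __name__ == "__main__":
    for target in (160, 500):
        print(f"Projection at {target} users:")
        for m, value in project(SAMPLES, target).items():
            ok = headroom(SAMPLES, target)[m]
            print(f"  {m:13s} {value:9.1f}  limit={LIMITS[m]}  {'ok' if ok else 'OVER'}")
    print("Max headcount within every limit on one unit:", max_supported_users(SAMPLES))
```

With the constructed readings the 160-user case stays within every limit, while the 500-user plan is projected to exceed both the CPU/memory ceilings and the 200 SSL VPN users; the binding metric is memory, at roughly 235 users. That is the kind of figure that tells you a larger model or IPsec dial-up is the answer, not a second 80F in the cluster.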