Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nethori
New Contributor

Created on ‎01-17-2024 10:08 AM Edited on ‎02-26-2024 03:30 AM By Community Manager

FG-100F in HA without using switches

Hi everyone,
I'm relatively new to networking and eager to learn.I would appreciate your input regarding a technical solution. Specifically, in the following architecture, I aim to facilitate communication between zones using two firewalls configured in High Availability (HA) active-passive mode. The challenge lies in achieving complete redundancy without employing intermediate switches between servers and firewalls.

image.png

 

In the scenario where, for instance, FG1 is the active firewall and the connection between SRV1 and FG1 drops for a specific reason, I'm unsure how to achieve full redundancy without using intermediate switches. In such cases, the only solution seems to be manually forcing an HA failover.

 

I'm thinking about using HA active-active, but I haven't used FortiGate devices in this mode before, and I'm uncertain if it's the optimal solution. I understand that having a pair of switches between servers and firewalls is preferable, but due to space and cost constraints, I'm considering this approach as a last resort.

 

I would greatly appreciate any insights or recommendations from the community on this matter. Thank you for your support.

Labels:
1263
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎01-17-2024 10:42 AM

Hi Nethori

I've never thought of such design but I think there might be some useful ideas.

  • I think A-P HA would be more adapted. Could't imagine how can do that with A-A HA
  • From server side you will have to find a suitable IP Multi-Pathing mechanism that work best in such situation. I think about something like old unix A-P L3 based IPMP
  • L2 based IPMP may not work here since the passive FG's interfaces still L2-up
  • Nowadays I guess there should be many IP multipathing mechanisms to choose from
  • The floating IP will be on the server's port that can reach the gateway, and will failover automatically when FG fails over
  • Configure IPMP failover as shortest as possible
  • On FG cluster you should not set the back-end links as HA monitored interfaces, because if one sever goes down, the FG will failover and failback untill the sever comes up again
  • So I think the good solution for link redundancy is to go for LACP from each server to each FG

Once all this done, you need to test all possible scenarios before go prod.

AEK

View solution in original post

AEK
1245
0 Kudos
3 REPLIES 3
AEK
SuperUser
SuperUser

Created on ‎01-17-2024 10:42 AM

Hi Nethori

I've never thought of such design but I think there might be some useful ideas.

  • I think A-P HA would be more adapted. Could't imagine how can do that with A-A HA
  • From server side you will have to find a suitable IP Multi-Pathing mechanism that work best in such situation. I think about something like old unix A-P L3 based IPMP
  • L2 based IPMP may not work here since the passive FG's interfaces still L2-up
  • Nowadays I guess there should be many IP multipathing mechanisms to choose from
  • The floating IP will be on the server's port that can reach the gateway, and will failover automatically when FG fails over
  • Configure IPMP failover as shortest as possible
  • On FG cluster you should not set the back-end links as HA monitored interfaces, because if one sever goes down, the FG will failover and failback untill the sever comes up again
  • So I think the good solution for link redundancy is to go for LACP from each server to each FG

Once all this done, you need to test all possible scenarios before go prod.

AEK
AEK
1246
0 Kudos
Magnitude_8
New Contributor III

Created on ‎01-17-2024 04:39 PM

I don't believe you can achieve complete redundancy without some switches in place. Ideally, you should have a switch stack with connections distributed evenly across them so the system could copy with firewall, switch and NIC failures. At the very least, you'll need a single intermediate switch.

 

I presume that you have an internet service coming into your FG-100F. How will this fail over without a switch?

 

My suggestion would be to find a way to get a switch in there.

1221
BSeklecki_GE
New Contributor III

Created on ‎01-19-2024 09:53 AM

If you're thinking to use the "hard switch" or "Soft switch" function to accomplish a combined Firewall+Switch hardware stack, I recommend "Abandon all hope ye who enter here"

 

For example, even if you could Trunk a Dot1Q link between the chassis, you couldn't maintain a spanning tree instance on the soft switch or hard switch. to support NIC teaming by extending a bridge domain (VLAN) across the chassis, it seems, even if the chassis are active-standby or active-active.

I recently made inquiries here and on Cisco's forums related to FirePower product family, and neither vendor are implementing this.

 

https://community.fortinet.com/t5/Support-Forum/Pre-Sales-Engineering-Question-Bridging-Switching-Ca...

 

Closest thig would still be a Cisco ASR9K or Cisco ISR4K with a Catalyst Switch Module, but then you're not running a stateful inspection engine.  

1158
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.