Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎10-23-2023 03:36 PM

FGCP over FGSP sharing HA ports

Hello

We have 2 pairs of FortiGates, FGCP over FGSP

What can be the side effects of having HA1 & HA2 ports for synchronizing both FGSP and FGCP at the same time?

AEK
AEK
Labels:
477
0 Kudos
1 Solution
xshkurti
Staff
Staff

Created on ‎10-30-2023 08:12 AM

@AEK 


FGCP is a Layer 2 heartbeat that specifies how FortiGate units communicate in an HA cluster and keeps the cluster operating.

Whilst session synchronization between FGSP members uses an L3 connection over the peer IP by default. So HA1 and HA2 can have IP addresses configured and that will be used by FGSP members.

So technically there is no issue using HA1 and HA2 for both type of synch. The problem i see is in the design. If HA1 and HA2 for some reason go down, you will lose both synchronizations, and you will have strange failover situations (probably even split-brain) This is because HA1 and HA2 are recommended to be directly connected between 2 fortigates. But if you use HA1 and HA2 even for FGSP, i thing that you will have to use switch and router devices in between. 

Knowing this, the problem is all design, not technical.

 

View solution in original post

384
3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Created on ‎10-26-2023 02:08 AM

Hello AEK,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
427
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎10-30-2023 01:51 AM

Hello AEK,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
392
0 Kudos
xshkurti
Staff
Staff

Created on ‎10-30-2023 08:12 AM

@AEK 


FGCP is a Layer 2 heartbeat that specifies how FortiGate units communicate in an HA cluster and keeps the cluster operating.

Whilst session synchronization between FGSP members uses an L3 connection over the peer IP by default. So HA1 and HA2 can have IP addresses configured and that will be used by FGSP members.

So technically there is no issue using HA1 and HA2 for both type of synch. The problem i see is in the design. If HA1 and HA2 for some reason go down, you will lose both synchronizations, and you will have strange failover situations (probably even split-brain) This is because HA1 and HA2 are recommended to be directly connected between 2 fortigates. But if you use HA1 and HA2 even for FGSP, i thing that you will have to use switch and router devices in between. 

Knowing this, the problem is all design, not technical.

 

385
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.