dyates
New Contributor

FGSP and geographically separated firewalls

Hi all,

I'm hoping someone will be able to help with this query.

I'm looking at implementing a pair of Fortigate 500D firewalls within an MPLS network.

They will be installed in two geographically separate data centres.

 

Two of the key requirements are configuration synchronisation and session pickup, and unfortunately the Fortigate documentation is a little sparse in this area (to say the least!).

 

It would seem that FGSP will meet the requirements, but my concern is around the synchronisation link. I can't determine if both ends of this link need to be in the same broadcast domain / subnet, or if it is possible to route this traffic over a layer three network.

If someone could confirm either way I'd be very grateful.

 

Again, there is little documentation around how much traffic session pickup generates over the synchronisation link, so if anyone has got any information at all on this I'd really appreciate it.

 

Thanks

Dave

 

Toshi_Esumi
Esteemed Contributor III

My understanding is the former. But FortiGate HA seems to assume local connections for heartbeat (see an article I found: http://www.fortinetguru.com/2016/03/fgcp-high-availability-fortios-5-2-best-practices/). I'm not sure if latency over L2 MPLS affects the HA operation or not. I would test it carefully before putting it into production.

emnoc
Esteemed Contributor III

How much latency is involved? With today's modern networks it should not be an issue over MPLS, ethernet or fiber.

We did something like this between two Chicago DCs that were 30-45 miles apart, using a layer 2 redundant dark fiber path and 2 HB interfaces for ACT-STD units.

It worked AS-IS with no issues. Keep in mind the local LAN is a requirement, since the HA traffic is not going to have next-hop routing definitions. You can always adjust the HA hello HB timers, but I don't believe that will be a major concern.

 

 

Ken

PCNSE NSE StrongSwan
MikePruett
Valued Contributor

Glad my site could be of some assistance to you. As EMNOC has stated, this works beautifully over long distances. I have several clients that have HA clusters spread out over miles of real estate in the event of a major disaster from weather etc., and it works very well.
Mike Pruett Fortinet GURU | Fortinet Training Videos
dyates

Thanks for the input guys.

 

My concern really was around whether the synchronisation link would work over a layer three connection; it seems that most people only have experience of layer 2 links for this purpose.

 

Speaking with a co-worker, it seems that he has tested this by configuring the sync ports of two FortiGates with IP addresses in different subnets and connecting them together with a router, and the config did in fact seem to sync properly, admittedly in a lab environment.

 

I think that in this case session pickup is a bad idea and I will advise against it.
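For anyone wanting to reproduce the lab test described above (sync ports in different subnets, joined by a router), here is an FGSP configuration of the kind that test implies. It is an illustration added to this thread, not a configuration posted by anyone here or taken from Fortinet's documentation. It uses the `config system cluster-sync` and `config system ha` CLI as found on FortiOS 5.2 and later (FortiOS 5.0 named the first one `config system session-sync`, as far as I recall); the interface name port9, the VDOM name root, the two sync addresses 10.10.1.1 and 10.10.2.1 and the next-hop router 10.10.1.254 are all constructed for the example.

```fortios
# ---- Unit A (assumed sync interface port9 = 10.10.1.1/24) ----
# Keep the sync interface locked down: only what the peers need.
config system interface
    edit "port9"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping
    next
end

# The peers are in different subnets, so unit A needs a route to unit B's
# sync subnet via the local router (next hop is an assumed value).
config router static
    edit 10
        set dst 10.10.2.0 255.255.255.0
        set gateway 10.10.1.254
        set device "port9"
    next
end

# FGSP peer definition. peerip is a unicast address, which is what lets the
# sync traffic be routed rather than relying on a shared broadcast domain.
config system cluster-sync
    edit 1
        set peervd "root"
        set peerip 10.10.2.1
        set syncvd "root"
    next
end

# Session pickup is what generates the sync traffic asked about in the
# original post; leave it disabled if only configuration sync is wanted.
config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

# ---- Unit B: the mirror image of unit A ----
# set ip 10.10.2.1 255.255.255.0 on port9
# static route to 10.10.1.0/24 via unit B's local router
# set peerip 10.10.1.1 under config system cluster-sync, same peervd/syncvd
# identical config system ha session-pickup settings
```

After both units are configured, `diagnose sys session sync` on either unit shows the synchronisation counters, so you can see whether sync packets are actually being exchanged across the routed path and, with session pickup enabled, how much traffic it produces in your environment before committing to it in production.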

 

 

karthikrk91

Dear friends,

Actually we are planning to migrate from a Cisco ASA firewall to Fortinet, so I am using FortiConverter for converting the rules, NAT, VPN and all policies on the Cisco firewall.

Migration from Cisco ASA to Fortinet 1000D:

Will FortiConverter help to migrate all of those to the FortiGate?
Which converter is the best for migration?
Do I need to purchase any license for migration?
What will be migrated from the Cisco ASA to the FortiGate?
What will not be migrated through the converter?
What needs to be configured manually?
What are the best practices for doing all of this?

Kindly help us with this. Awaiting your reply.

Regards,
karthik

snobs
New Contributor II

Has anyone ever made it to get FGSP running over a "layer 3" connection?

AliDoski
New Contributor

Did you apply FGSP? How was it? I am about to deploy it in our production.

regards,
AliDoski