We have an FGCP cluster in A-P mode at our primary site and a standalone FortiGate at our backup site. At the moment we don't have any VDOMs, but we'd like to implement some and then only synchronize the root VDOM to the backup site.
In my head it would look something like this:
The idea behind this is to have a backup of our configuration and to be able to move all the services to the backup site, should an unrecoverable disaster strike the primary site. By default there shouldn't be any cables in the ports of the root VDOM at the backup site, and the interfaces of the root VDOM at the backup site should be down.
I've looked at FGSP, but I wasn't able to find out if it supports the configuration that I wish to implement. I only want to synchronize the configuration of the root VDOM. The sessions should not be synchronized.
What does your recovery plan look like? Are there a lot of manual steps required? If so, perhaps just automating your config backup to a remote server in the DR site would be sufficient, and when you need DR you can load that config into the FGT at the DR site.
If you want this to be automated and seamless, you probably need to redesign your HA config.
Yeah, that's too bad, but it's what I thought. Thanks for your input.
We replicate our VMs to the backup site and, in case of a disaster, we'd like to be able to start everything up and continue operation at the backup site. We'd like it to be almost fully automated, so that we only need to plug in the necessary cables, start the VMs, and it works like in the primary site.
The thing is, we use the firewall at the backup site for some services, so only one of the VDOMs should have its config synchronized, as the other VDOM should have configuration specific to its location.
While looking at the possibilities, I think I can use Automation scripts to first back up the config of vdom1 at the primary site and then restore it on vdom1 at the backup site. The trigger should be daily, outside of working hours. Probably something like this:
I'll probably have to modify the config of the cluster so that almost everything is in vdom1, except things that I don't want to be synchronized, like HA settings, admin users, etc., which should stay in the root VDOM.
I'll see what I have to do to make this work, and I'll post an update in this thread later.
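An added example (not from the thread or from Fortinet) of the exclusion step the poster describes: a small Python filter that drops site-specific top-level sections such as `config system ha` and `config system admin` from a FortiOS text backup before it is pushed to the DR unit. The excluded section names and the sample backup are assumptions constructed for illustration.

```python
# Added example (not from the thread): strip site-specific top-level sections
# (HA, admins, interfaces; names are illustrative assumptions) from a FortiOS
# text backup so only the replicable part is pushed to the DR unit.
EXCLUDED_SECTIONS = {"system ha", "system admin", "system interface"}
SAMPLE_BACKUP = """\
#config-version=EXAMPLE:opmode=0:vdom=0
config system ha
    set group-name "primary-cluster"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
    next
end
"""  # constructed sample, not a real device export


def split_sections(text):
    """Return [(name, lines)] per top-level block; header lines get name ''."""
    sections, current, depth = [], None, 0
    for line in text.splitlines():
        s = line.strip()
        if depth == 0 and s.startswith("config "):
            current, depth = (s[7:], [line]), 1
        elif depth == 0:
            sections.append(("", [line]))
        else:
            current[1].append(line)
            # Only config/end change depth; edit/next stay at the same level.
            depth += s.startswith("config ") - (s == "end")
            if depth == 0:
                sections.append(current)
    if depth:
        raise ValueError("unbalanced config/end in backup")
    return sections


def filter_backup(text, excluded=EXCLUDED_SECTIONS):
    # Returns (filtered_text, names_of_dropped_sections) for audit logging.
    kept, dropped = [], []
    for name, lines in split_sections(text):
        if name in excluded:
            dropped.append(name)
        else:
            kept.extend(lines)
    return "\n".join(kept) + "\n", dropped
```

Run it against the real per-VDOM backup instead of the constructed sample and review the returned `dropped` list before restoring the filtered text on the DR unit.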