Hi
About to deploy FGSP between 2 existing clusters, both clusters in a new environment with only test networks connected to them
I have 2 things I'm not clear on
1. I will be syncing a couple of VDOMs, is there any issue using the root VDOM for the sync link? Other options I have are to create a new one for just this purpose, or finally to use the test VDOM, which has very little going on and will be the least busy once the real network is connected.
2. In each cluster, the 2 firewalls are connected in usual fashion, 2 direct links. The FGSP link will be a lot higher bandwidth port. Do you normally leave it like that? Is session pickup on HA failover still running over the direct ports?
thanks
Hi Badger
Just in my experience I used HA ports for FGSP because they are not connected to NPU. I'm not sure and I don't remember if using an NPU-connected port is 100% safe for FGSP, you'll need to check.
Hi
thanks for the response....so yes to clarify...
In each FGCP cluster, FW1 and FW2 have 2 direct connections via HA and another copper port.
The ports that are currently planned for FGSP, are going to be higher speed due to the fibres required on the LAN network that will connect the clusters across the site to site link.
So I just wanted to confirm
1. is that normal/ok?
2. When a FGCP HA failover happens, the sessions just failover using the direct links as normal - which I think you confirmed is the case
thanks
That said, you need to fine-tune your FGSP and test it well with all possible scenarios before going to prod.
1. I'm actually thinking of doing the same as you for the sync links, I already have the fibre links in place that I can do 2 x 10G for FGSP into each FW. I couldn't see much info on FGSP bandwidth vs the main traffic links. But if I do 2x10 it's more than enough for sure. I've seen people say they've used quite varied speeds for the sync link.
2. yep correct, thanks
Created on 03-21-2024 12:18 PM Edited on 03-22-2024 07:52 AM
If you need more support on FGSP feel free to post your questions and we'll be happy to help.
Using the root VDOM for synchronization is not problematic, but may be a smart choice if that VDOM is the least loaded or has the largest resource available. However, creating a separate VDOM for synchronization may also be a smart solution to isolate this function from the main operations.
great, thanks