Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jmillsapps
New Contributor

Created on ‎09-25-2024 06:58 AM Edited on ‎09-25-2024 07:08 AM

FortiGate 200F HA internet loss

I have 2 - FG 200F's. I have HA configured. I have 1 FG WAN connected to a modem going to fiber internet. My 2nd FG WAN is connected to a modem going to COAX internet. So, 2 different internet pipes. "FG1" is primary, "FG2" is secondary. While in this configuration, I can access and ping the internet from each firewall. When I force an HA failover, "FG2" becomes primary as expected, however, once it does, I lose internet access and can no longer ping anything on the internet (from "FG2" via CLI). I am not sure what I am missing.

 

FW: v7.4.4 build2662 (Feature)

Active-Passive

HA.png

Labels:
838
0 Kudos
1 Solution
AEK
SuperUser
SuperUser
In response to jmillsapps

Created on ‎09-25-2024 08:04 AM

You can do this and other nice things with SD-WAN.

You may start here:

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/19246

Hope it helps.

AEK

View solution in original post

AEK
666
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎09-25-2024 07:10 AM

Is it active passive HA?

Do you have dedicated management on this HA?

If the passive node still ping internet when it is passive then it is most probably pinging from its mgmt interface.

Why using different WAN links on your nodes. Why don't you use both WAN links in both nodes?

AEK
AEK
705
0 Kudos
jmillsapps
New Contributor

Created on ‎09-25-2024 07:15 AM

Yes, I have a dedicated management port on each firewall.

I have one WAN link per firewall.

700
0 Kudos
jmillsapps
New Contributor

Created on ‎09-25-2024 07:21 AM

I just did some testing, and saw that even though I was connected to the "passive" node and pinging the internet, a traceroute showed that I was pinging via the internet that the primary was connected to.

697
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎09-25-2024 07:29 AM

You should connect modem1 to the same port of each FortiGate (lets say to wan1 port).

And connect modem1 to the same port of each FortiGate (lets say to wan2 port).

In case your modems don't have multiple ports (integrated switch), then you need to use a L2 switch to connect them to your FortiGates.

AEK
AEK
692
0 Kudos
jmillsapps
New Contributor
In response to AEK

Created on ‎09-25-2024 07:33 AM

Thanks! I will try this and follow up.

690
0 Kudos
jmillsapps
New Contributor

Created on ‎09-25-2024 07:38 AM

So, in the diagram below, is this the correct configuration? Both firewalls, WAN1 goes to one modem, and WAN2 goes to the backup internet modem?

HA -2.png

 

688
0 Kudos
AEK
SuperUser
SuperUser
In response to jmillsapps

Created on ‎09-25-2024 07:43 AM

Yes that is much better.

AEK
AEK
681
0 Kudos
jmillsapps
New Contributor
In response to AEK

Created on ‎09-25-2024 07:44 AM

Thanks! I will try this after hours over the weekend and follow up with results. Thanks again for the assistance!

677
0 Kudos
jmillsapps
New Contributor
In response to AEK

Created on ‎09-25-2024 07:58 AM

I understand this would work if one firewall goes offline or loses power, but will it still work if one of the internet pipes goes offline. How will the firewall know to switch to the other internet?

654
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.