We recently upgraded from a standalone FortiGate 1500D running FortiOS 7.2.8 to a pair of FortiGate 601Fs running the same version of FortiOS as an Active-Passive HA pair. Our deployment consists of 10 total VDOMs and 8 10G physical interfaces. There are also 2 copper HA links and 1 copper management link per FortiGate.
For this deployment's configuration, we pulled a config from the current FortiGate 1500D, passed it through FortiConverter, and loaded the resulting configuration onto the new FortiGate 601Fs without issue. All references and settings were identical to the previous FortiGate.
Each physical interface contains either the inside, dmz, or public vlans for multiple clients that we service. The physical interfaces themselves have no IP assigned to them. Rather, each physical interface holds multiple disjoint subnets corresponding to a client's network.
Although the physical interfaces are grouped by inside, dmz, public, the VDOMs are grouped according to client. For example, we have a VDOM named district that includes one vlan each from physical interfaces x8, x5, and x4 and another VDOM named Support that includes three vlans from x8, two vlans from x7, three vlans from x5, 2 vlans from x2, and 2 vlans from x1. This means that each physical interface has vlans that are a part of 2 or more separate VDOMs (2 in this example, but some physical interfaces contain vlans spread among as many as 5 VDOMs).
For this deployment, we were hoping to make use of the virtual clustering feature available when deploying 2+ FortiGates in an HA pair. This feature seemed beneficial as it allows the bandwidth per VDOM to be distributed between both FortiGates while maintaining the Active-Passive topology.
Are there any known issues with the same physical interface being a part of multiple VDOMs (and ultimately multiple virtual clusters) when the physical interfaces are not addressed but the vlans within them are?
An initial review of available references resulted in very little explanation for this scenario. I'm hoping somebody has either previously deployed this topology or has a more firm understanding of how HA virtual clustering functions on a per-vlan rather than a per-physical interface basis.
It is important to note that although each physical interface has vlans in at least 2 different VDOMs, each VDOM contains at least one unique public IP subnet and is a fully functional self-contained network. My biggest question is whether virtual clustering allows the active-passive topology on a per-vlan basis.
Our goal is to deploy 2 virtual clusters, each as the primary for 5 VDOMs. However, in any group of 5 VDOMs, there will be at least one vlan belonging to each physical interface. This means that each virtual cluster will be primary for some vlans on a physical interface, and passive for other vlans on the same interface.
Thanks for your help!
FortiGate #VirtualClusters #HA #VDOMs
After calling in to TAC and discussing this issue with them, it was determined that for virtual clustering to function properly no physical interface should be active in both virtual clusters at the same time.
This documentation is available for the FortiGate 7000 series, but not present in the FortiOS administration guide.
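The rule reported from TAC above can be checked before committing an HA design: build the VDOM-to-physical-port map, group VDOMs that share a port (each such group must sit in the same virtual cluster), and then see whether two clusters can be formed at all. The script below is an added planning aid, not Fortinet code and not part of this thread; only the VDOM names district and Support and their port lists come from the question, the VLAN IDs and the VDOMs vdom3 and vdom4 are constructed placeholders.

```python
"""Validate a FortiGate virtual-cluster plan against the constraint that no
physical interface may have active VLANs in both virtual clusters at once.

Added example (not Fortinet's code). VDOM names other than district/Support,
and all VLAN IDs, are constructed placeholders.
"""
from collections import defaultdict, deque

# Constructed topology: VDOM -> list of (physical port, VLAN id).
VDOM_VLANS = {
    "district": [("x8", 110), ("x5", 111), ("x4", 112)],
    "Support": [("x8", 120), ("x8", 121), ("x8", 122), ("x7", 123), ("x7", 124),
                ("x5", 125), ("x5", 126), ("x5", 127), ("x2", 128), ("x2", 129),
                ("x1", 130), ("x1", 131)],
    "vdom3": [("x6", 140), ("x3", 141)],   # placeholder VDOM
    "vdom4": [("x6", 150)],                # placeholder VDOM
}


def vdom_ports(vdom_vlans):
    """Physical ports on which each VDOM carries at least one VLAN."""
    return {vdom: {port for port, _vid in vlans} for vdom, vlans in vdom_vlans.items()}


def shared_port_conflicts(assignment, vdom_vlans):
    """assignment: VDOM -> virtual cluster id (1 or 2).
    Returns {port: [cluster ids]} for every port active in more than one cluster,
    i.e. every violation of the TAC rule. An empty dict means the plan is clean."""
    port_clusters = defaultdict(set)
    for vdom, ports in vdom_ports(vdom_vlans).items():
        for port in ports:
            port_clusters[port].add(assignment[vdom])
    return {p: sorted(c) for p, c in port_clusters.items() if len(c) > 1}


def port_sharing_components(vdom_vlans):
    """Connected components of the 'shares a physical port' relation between
    VDOMs (BFS). Every VDOM in a component must be primary on the same cluster."""
    ports = vdom_ports(vdom_vlans)
    port_to_vdoms = defaultdict(set)
    for vdom, ps in ports.items():
        for p in ps:
            port_to_vdoms[p].add(vdom)
    seen, components = set(), []
    for start in vdom_vlans:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            comp.add(v)
            for p in ports[v]:
                for neighbour in port_to_vdoms[p]:
                    if neighbour not in seen:
                        seen.add(neighbour)
                        queue.append(neighbour)
        components.append(sorted(comp))
    return components


def plan_two_clusters(vdom_vlans):
    """Assign whole components to cluster 1 or 2, largest first, always to the
    cluster currently holding fewer VDOMs. Returns (assignment, components).
    If there is only one component, cluster 2 ends up with nothing to be
    primary for: the topology cannot be split the way the question hopes."""
    comps = sorted(port_sharing_components(vdom_vlans), key=len, reverse=True)
    load = {1: 0, 2: 0}
    assignment = {}
    for comp in comps:
        target = 1 if load[1] <= load[2] else 2
        for vdom in comp:
            assignment[vdom] = target
        load[target] += len(comp)
    return assignment, comps


if __name__ == "__main__":
    naive = {"district": 1, "Support": 2, "vdom3": 1, "vdom4": 2}
    print("naive plan conflicts:", shared_port_conflicts(naive, VDOM_VLANS))
    assignment, comps = plan_two_clusters(VDOM_VLANS)
    print("port-sharing components:", comps)
    print("valid plan:", assignment, "conflicts:", shared_port_conflicts(assignment, VDOM_VLANS))
```

With the question's own layout, where every port carries VLANs from several VDOMs and the planned 5-VDOM groups each touch every port, the sharing graph collapses into a single component, so the planner places every VDOM in one cluster; that is the same conclusion TAC gave, reached from the interface map alone.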
As others said, it's not an HA cluster if it's in standalone mode. If you join a secondary to a primary and power on after doing appropriate config, the secondary should adopt the configuration of the primary - they can then serve as the same logical firewall. I would think that would go for VDOMs as well - the secondary, after booting up and syncing to the primary would have the same VDOMs. EDIT: someone mentioned you need to make sure the secondary is in the appropriate mode to accept multi VDOMs before they would even sync. That said, if you ran into this issue and debugged/researched, you'd probably figure it out and then they would sync and have the same VDOMs.
Hi there,
I appreciate your response but you entirely missed the focus of this post. Yes, we are upgrading from an older standalone model to an HA pair. The goal is not to join the new FortiGates to the old one.
My question is about virtual clustering with unaddressed physical interfaces that each contain multiple vlan interfaces, and how virtual clustering functions when one physical interface has multiple vlans in each virtual cluster.
Copyright 2024 Fortinet, Inc. All Rights Reserved.