FortiGate 601e MultiSite HA with dissimilar internet connections
Has anyone set up Multisite HA? We have a 10GB dark fiber connection to a remote site that "extends" our broadcast domain and would like to set a secondary FortiGate there for redundancy. We also have an internet connection there and would like to use it should the main site lose the web. My concern is that the main site has an Internet subnet of X.X.X.X and the redundant site has an internet subnet of Y.Y.Y.Y. Would that make the HA have issues as they don't have the same interfaces up?
I've previously set up a multisite a-p HA across 2 datacenters in a big city. Dark fiber is very helpful in this. Lately, as of FortiOS 6.4 and later, HA links do work over Layer 3 networks.
For one, you can (almost) always use the same (private) IP range for the transit network between FGT wan interface and ISP CPE device. That would make the config identical.
But if you use the public WAN IP(s) for access to internal servers, like for VPN, website etc., then you need to work out WAN address transfer with your ISP. This will probably work (if available at all) only if both sites are on the same ISP.
We managed to achieve this using VRRP between both access routers. When testing, the FGT failed over within 1-2 seconds, the routers and the WAN address relocation took like 15 minutes... but it worked.