Curious for a bit of input on how to make this work, as this is our first FortiGate deployment. Due to limitations in ability to use redundant static routes on Meraki, we are looking to set the FortiGates up in an Active-Passive cluster so we can create a VIP and have a single IP to create a static route to on the Meraki MX firewalls (our assumption is that the FortiGates have to be in a cluster to create a VIP). See setup A (attached) The problem is that my understanding is that once clustered, the FortiGate configs have to be identical, and that's an issue because the secondary ExpressRoute link from Azure is on a different /30 space and needs a different IP.
Also looked into configuring WAN 1 and WAN 2 in SD-WAN group with both FortiGates connected to both ExpressRoute circuits, but similarly this is not feasible because both ExpressRoute links are tagged with same VLAN (1003) so we cannot set the VLAN interface for the same VLAN to be both .1 and .5 for the WAN 1 and WAN 2 interfaces (if that makes sense).
Really appreciate any thoughts anyone may have. Also open to suggestions if we are approaching this from the wrong angle altogether.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Just realized that I may have a fundamental misunderstanding of a VIP in the FortiGate world. Perhaps it would simplify things to not have these clustered at all?
HA especially a-p setup generally requires a switch on both WAN side and LAN side. You can of course use the same set of switches for both sides but separate them by VLANs. In a-p, the standby side is really standby and until it decides to take over the master role. Both needs to have the same VLANs, IPs.
So you need to terminate both primary and secondary circuits on both FGTs on the same ports, split by the switch(es). Then the FGTs can swap over whenever they need to independently from any circuit issues.
Thanks Toshi. This does make sense, I have tried to think of a way to make this work (see attached) but I ran into that issue mentioned related to the way the incoming Azure ExpressRoute circuits are tagged. Both are tagged with same VLAN (1003) so we cannot set the VLAN 1003 L3 interface to .1 for the WAN 1 connections and simultaneously set the VLAN 1003 L3 interface to .5 for the WAN 2 connections...
Since you now have switches in front of FGTs, you can strip the tags.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.