Hi everyone, I've been going through a full evaluation of the FortiGate product. We are a SonicWALL shop today and have finally made the decision to start moving toward FortiGate. We have about 50 firewalls in our environment and use OSPF for dynamic routing. So far things have been going well, we are even playing with the FortiManager central management platform.
Up to this point, FortiGate has proven to be superior, however one discovery I've just made is that FortiGate HA seems to not offer the stateful HA failover feature that SonicWALL does. The biggest benefit to this is that no IPSec VPNs need to renegotiate during an HA failover event. I was floored. This feature has been a standard with any SonicWALL HA pair we've deployed, happy to pay the additional license to prevent VPN hiccups during an HA event. Can anyone from the forums provide some insight as to why this feature is missing on the FortiGate line?
Regards,
Adam Tyler
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Do you have "set session-pickup enable" configured under "config sys ha"?
Toshi
We haven't implemented an HA pair yet with FortiGate. Simply working with a consultant that mentioned this stateful HA feature was not available on the FortiGate platform. Are you saying that he was mistaken, and this "session-pickup" feature is an apples-to-apples comparison to the SonicWALL HA feature I've described?
Created on 11-03-2023 04:11 PM Edited on 11-03-2023 06:11 PM
Different provider's FWs use different terminology to describe its features.
At least FGT's "sessions" keep states of all TCP, UDP, even ICMP with "5-tupple"(https://www.techopedia.com/definition/28190/5-tuple) for the "stateful" operation.
With FGT, "session pickup" is used to describe seamless (as much as possible) HA failover.
Palo Alto seems to use "session synchronization" for the same feature in HA.
https://live.paloaltonetworks.com/t5/best-practice-assessment-device/high-availability-ha2-session-s...
Since you already decided to get FGTs, get the fist pair and set the HA up with that option and test the fail-over. I believe at least IPsecs would be kept up if the routing/interface IP are statically set up.
If you still have doubts, contact an FTNT SE via the partner sales you're planning to get those FGTs from and ask more detail about HA operation. They would likely let you get a pair of demo units to test with for whatever you need to test before getting 50 of them. Just ask them.
Even if both used the same terminology, that doesn't necessarily mean they would behave the same when HA fail-over happens, while HA is NOT a standardized protocol. You wouldn't know until you test it. I never touched SonicWall so I never tested its behavior. therefore I wouldn't be able to tell if exactly the same.
Toshi
Apologies for the delayed response, I've been sidetracked.
I think the point I am trying to clarify is related to this statement...
"With FGT, "session pickup" is used to describe seamless (as much as possible) HA failover."
SonicWALL has taken this a step further and is able to maintain all VPN states between HA devices. When you failover between units, ALL VPNs remain online and they do not need to renegotiate.
Based on the FG documentation you forwarded; I am seeing this...
"Also included in this category are IPsec VPN, SSL VPN, sessions terminated by the cluster, and explicit proxy sessions. In general, whether or not session-pickup is enabled, these sessions do not failover and have to be restarted."
I am really surprised that FG doesn't offer the same HA protection that the SonicWALL product can. Wild.
or "Session pickup" option in GUI.
Hey atyler555,
there are in fact some settings on FortiGate to ensure IPSec VPN is not interrupted during a failover:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-in-HA-Environment/ta-p/195849
In particular this setting: ha-sync-esp-seqno ensures that active IPSec VPN tunnels are synced between HA nodes; the KB above includes some diagnose commands towards the end you can run on a secondary device to verify that the active IPSec tunnels are synced between the nodes.
Since I didn't know about this setting, I went back to some of our customer's IPSecs to check this "ha-sync-esp-seqno" setting. It appeared that this is enabled by default. All of them had "enable" in the config although we never touched because we didn't know.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.