Hi, let's suppose that I have two FortiGates in HA (Active/Passive). The FortiGates have the following interfaces:
- Inside: Both FortiGates connected to Core Switch, Vlan10.
- Outside: Both FortiGates connected to Core Switch, Vlan20.
- Heartbeat: Both FortiGates directly connected.
Then let's suppose that I add a new interface (DMZ interface), but I connect each FortiGate to a different Vlan, and these Vlans have no visibility with each other. Let's suppose that FortiGate1 is connected to a Core Switch port in Vlan11 and FortiGate2 is connected to a Core Switch port in Vlan12.
Assuming that I know what I am doing and the reason why I want this topology, would the FortiGates try to check if they can detect each other in Vlans 11 and 12? I think not, and all the synchronization and checks are performed using the Heartbeat interfaces, and it is not a problem if there is no visibility between the FortiGates on these Vlans, but I would like to confirm this 100% for sure.
Keeping in mind that I cannot see any MAC/IP in the Core Switch's interfaces connected to the Slave FortiGate, I am pretty sure that the FortiGates do not perform any checks on service vlans to try to detect other cluster members, but maybe I am missing something here.
Initially they would not detect it, even because of being active/passive.
NSE-4
It wouldn't cause any problem, but the DMZ port on both units still needs to have the same config unless it is a "dedicated" management interface. So you must have a very specific use/setup with those ports that would be active only when it's the "active" unit.
Copyright 2025 Fortinet, Inc. All Rights Reserved.