Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amorales
New Contributor

FortiGate HA question.

Hi, let's supose that I have two FortiGates in HA (Active/Passive). The FortiGates have the following interfaces:

 

- Inside: Both FortiGates connected to Core Switch, Vlan10.

- Outside: Both FortiGates connected to Core Switch, Vlan20.

- Heartbeat: Both FortiGates directly connected. 

 

Then let's suppose that I add a new interface (DMZ interface), but I connect each FortiGate to a different Vlan which has not visibility with each other. Let's supose that FortiGate1 is connected to Core Switch port in Vlan11 and FortiGate2 is connected to Core Switch port in Vlan12. 

 

Asuming that I know what I am doing and the reason because I want this topology, would the FortiGates try to check if they can detect each other in the Vlans 11 and 12?. I think not and all the syncronization and checks are performed using the Hearbeat interfaces, and it is not a problem if there is not visibility between FortiGates on these Vlans, but I would like to confim this 100% for sure.

 

Keeping in mind that I cannot see any MAC/IP in the Core Switch's interfaces connected to the Slave FortiGate, I am pretty sure that the FortiGates do not perform any checks on service vlans to try to detect other cluster members, but maybe I am missing something here. 

 

 

2 REPLIES 2
jorge_americo
Contributor

Initially they would not detect it. Even because of being active / passive.

NSE-4

NSE-4
Toshi_Esumi
Esteemed Contributor III

It wouldn't cause any problem but the DMZ port on both units still need to have the same config unless "dedicated" management interface. So you must have very specific use/setup with those ports that would be active only when it's "active" unit.

Labels
Top Kudoed Authors