farahtung
New Contributor

FortiGate HA questions.

I am setting up HA on a pair of 101Fs and this is my first time doing HA. I will do standard active/passive with FGCP. This FortiGate connects using the 10G links to a pair of 548Ds configured for MCLAG with one 10G link to each switch. There are 200 series switches connected to the 548Ds (but no MCLAG on the 200 series). All servers connect to the 548Ds with a static LAG across them.

I have the active firewall configured; it has static IPs for WAN1 and WAN2 (two different ISPs) in SDWAN. I have IPSec tunnels with some in SDWAN and some not. All FortiSwitch VLANs/ports are configured.

The docs say to factory reset the passive FortiGate and join it to the cluster using matching settings. Is there really nothing else I need to do whatsoever? The passive FortiGate is connected to the same ISP connections on WAN1/WAN2; do I need to set unique static IPs on those interfaces (by default they will pull DHCP off the ISP modems, which will be LAN IPs and not public IPs)?

Should I use out of band management with dedicated interfaces, in band, or both?

Is there anything else I need to do or should set outside of how the defaults are defined?

distillednetwork
Contributor III

When setting up HA, the FortiGate will use a virtual MAC address instead of the physical MAC address. If the unit fails over, it will move the MAC address so the network talks with the new device.

 

When setting up HA, make sure all the HA settings match and have different priorities. When you first connect the HA unit, I would not connect it to the switches right away; allow the HA to sync before making the necessary connections. Be patient; this could take a few minutes for the first sync to complete.
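
One way to check the point made in the reply above before cabling the second unit, as an added example that is not part of either post: the script compares the `config system ha` stanza from each unit's configuration and reports any setting that differs, plus the case where both units have the same priority. The stanza contents (group name, `ha1`/`ha2` heartbeat ports, priority values) are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample stanza (not taken from the thread); values are illustrative.
PRIMARY = """\
config system ha
    set group-id 10
    set group-name "fw-cluster"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set priority 200
end
"""
# Constructed second unit: a typo in group-name and the priority left unchanged.
SECONDARY = PRIMARY.replace("fw-cluster", "fw-clustr")

def parse_ha(text):
    """Return {key: value} for `set` lines directly inside `config system ha`."""
    settings, depth = {}, 0  # depth 1 = top level of the HA stanza
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system ha" else 0
        elif line.startswith("config "):
            depth += 1  # nested sub-table: skip its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and (m := re.match(r"set (\S+)\s+(.*)", line)):
            settings[m.group(1)] = m.group(2)
    return settings

def check_pair(a_text, b_text):
    """List problems: a non-priority setting that differs, or equal priorities."""
    a, b = parse_ha(a_text), parse_ha(b_text)
    problems = []
    for key in sorted(set(a) | set(b)):
        if key != "priority" and a.get(key) != b.get(key):
            problems.append(f"mismatch {key}: {a.get(key)!r} vs {b.get(key)!r}")
    if a.get("priority") == b.get("priority"):
        problems.append(f"same priority on both units: {a.get('priority')!r}")
    return problems

if __name__ == "__main__":
    for problem in check_pair(PRIMARY, SECONDARY):
        print(problem)
```
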

 
