Hello
I have two FortiGate 200 firewalls and I would like to connect them via the HA ports for backup. Since they are not side by side, my question is: is it possible to connect the two firewalls through a switch?
Thank you for your support.
Yes, in principle.
HA traffic uses a non-standard Ethernet type ID to distinguish it from IP traffic. Nearly all switches handle that without any problems, except for Cisco Nexus: they use this ID internally, by coincidence.
The good news is that you can reconfigure the ID if you absolutely have to. Cf. the FortiOS Handbook, for instance in v5.2, pg. 1292 and pg. 1365.
Now to "best practice": by introducing an active component in the HA link you severely jeopardize your firewall stability. If, for any reason, the switch fails or reboots, both FortiGates will determine that they are 'master' and will act with the same IP and MAC addresses in your network. This is called a 'split-brain' scenario and it is regarded as the worst case in an HA setup.
Even a simple firmware update on the switch would bring your network down.
So, "best practice" recommends:
1- Don't do this.
2- If you have to, provide for 2 redundant HA links across 2 independent switches (or switch stacks).
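As an added example (not code from this thread and not from Fortinet's documentation), here is what the "if you have to" case looks like as a FortiOS CLI fragment: two heartbeat interfaces, each meant to run through a different switch, plus the three HA EtherType values moved off their defaults for a switch that uses the defaults internally. The interface names, group name, and the replacement EtherType values are assumptions chosen for illustration; the replacement values only need to be unused by the switches in the path, and both cluster members must be configured identically.

```text
# Assumed example: the HA section of each cluster member.
# Both units must carry the same group-name, password and EtherType values.
config system ha
    set group-name "fw-cluster"        # assumed name
    set mode a-p                        # active-passive cluster
    set password "<shared-secret>"      # same on both units
    # Two heartbeat interfaces with equal priority (50); cable "port7" to
    # switch A and "port8" to switch B so one switch reboot cannot cut all
    # heartbeat traffic and trigger a split-brain. Names are assumptions.
    set hbdev "port7" 50 "port8" 50
    # Defaults are 8890 / 8891 / 8893. The values below are arbitrary
    # illustrative replacements; only change them if a switch in the
    # heartbeat path uses the defaults for its own purposes.
    set ha-eth-type "8895"
    set hc-eth-type "8896"
    set l2ep-eth-type "8897"
end
```

Apply the change on both members before cabling them through the switches; a member running with the default EtherTypes will not see heartbeats from a peer that has been moved to the new ones, which itself produces the split-brain the thread warns about.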
Hi Ede,
OK, thank you for the clarification.
Best regards
Yeah, if you are going to do this, PLEASE have multiple HA links.
Mike Pruett
Copyright 2024 Fortinet, Inc. All Rights Reserved.