Fortigate HA Active/Active setup

Mark · ‎12-08-2015

I am trying to achieve a FGT cluster in our DC. Right now we are using just one 60D, but we would like to go to a dual 60D setup. Looking for some input here.

Our DC is giving us two uplinks with VRRP/HSRP configured.

Do I need to insert two switches like in the picture? Or can I leave them out and connect one uplink to one FGT and then setup the cluster? What kind of switches would I need here? Any recommendations?

I probably need to cross the WAN2 lines so that each fortigate has a line to both switches.

The Fortigate HA link will be 2x 1gbit.

I still don't completely understand the VRRP concept. I understand that this means that a DC/ISP backup router is available for us, but what exactly do I configure in the fortigate(s) to make use this feature?

emnoc · ‎12-08-2015

Your diagram is good. You can use any switch as far as that goes so I'm not following your question. The cookbook has various deployment for HA. You might want to review the cookbook.

PCNSE

NSE

StrongSwan

Mark · ‎12-09-2015

The DC uplinks are 100Mb each. I was wondering if I could use any simple/unmanaged switch there? Does not have to be something with dual PSU or Managing features?

And what about VRRP? Is that something I configure in the Fortigate as well? Or do I just point everything to gateway .225 and then if there is a problem with the DC equipment the failover will happen automatically?

emnoc · ‎12-09-2015

yes Managed or Unmanaged ( your choice ) and yes your using the HSRP vip address you don't configure anything vrrp related on your side.

PCNSE

NSE

StrongSwan

a_n_other · ‎12-10-2015

I don't expect Mark to be utilising HSRP as the FHRP as that's Cisco Proprietary.

emnoc · ‎12-10-2015

Yes that'sa typo I seen vrrp and mistakenly saiid hsrp. But his next-hop will be the vrrp vip.

PCNSE

NSE

StrongSwan