Hi!
I have got a fairly simple question; the situation is as follows.
We have two core server/network-rooms inside the same building.
Each room has a FortiGate Firewall and a MikroTik or HPE core-switch.
Between these two switches we ran a 10Gbit fiber.
Can I set up HA (Active/Passive) on a FortiGate 70F or 80F over a VLAN between these two server/network-rooms over the core-switches instead of directly interconnecting the heartbeat interfaces?
The last thing we want is issues like a split brain. How stable is a solution like this?
Best regards,
Tim
Hi @tim86
FortiGate HA setup requirements:
To successfully form an HA cluster, you must ensure that the members have the same:
• Firmware version
• Model: the same hardware model or VM model
• Licensing: includes the FortiGuard license, VDOM license, FortiClient license, and so on
• Hard drive configuration: the same number and size of drives and partitions
• Operating mode: the operating mode (NAT mode or transparent mode) of the management VDOM
You can configure HA (Active/Passive) on a FortiGate 70F or 80F using a VLAN over your core-switches. While this is less conventional than a direct connection, it's feasible provided the switches and the fiber link are highly reliable. The main concern is avoiding a split-brain scenario, where both units believe they're active. To mitigate this, ensure the VLAN traffic for HA is prioritized and the connection has low latency. It's crucial to monitor the setup and test failover scenarios before going live. Although this setup adds a layer of complexity, if the underlying network is reliable and you've prioritized HA traffic, it can be a robust solution. Always refer to Fortinet's documentation and consider seeking support if unsure.
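What the heartbeat settings discussed above look like in the FortiOS CLI, as an added example that is not from this thread or from Fortinet's documentation; the hostnames, group name and ID, port names, priorities and the heartbeat thresholds are assumptions to adapt to your own units and switch VLANs:

```fortios
# --- Primary unit (assumed hostname FGT-ROOM-A) ---
config system global
    set hostname "FGT-ROOM-A"
end
config system ha
    set group-name "CORE-HA"          # assumed; both members must match
    set group-id 10                   # assumed; keep unique per cluster sharing the same L2
    set mode a-p
    set password "REPLACE-WITH-SHARED-SECRET"   # placeholder; set the same on both units
    # Two heartbeat interfaces, each carried over its own switch path / dedicated VLAN,
    # so a single switch, port or fiber fault cannot isolate the peers (split brain).
    set hbdev "port7" 50 "port8" 50   # assumed port names; equal heartbeat priority
    set session-pickup enable         # keep established sessions across a failover
    set override disable              # no pre-emption: avoids flip-flopping if the VLAN path blips
    set priority 200                  # higher value = preferred primary
    # Tolerate short switch/STP transients on the switched heartbeat path before
    # declaring the peer dead (hb-interval is in units of 100 ms).
    set hb-interval 2                 # 200 ms between heartbeats
    set hb-lost-threshold 10          # assumed: ~2 s of silence before failover
    set monitor "port1" "port2"       # assumed data ports; link loss here also triggers failover
end

# --- Secondary unit (assumed hostname FGT-ROOM-B): identical except hostname and priority ---
config system global
    set hostname "FGT-ROOM-B"
end
config system ha
    set group-name "CORE-HA"
    set group-id 10
    set mode a-p
    set password "REPLACE-WITH-SHARED-SECRET"
    set hbdev "port7" 50 "port8" 50
    set session-pickup enable
    set override disable
    set priority 100
    set hb-interval 2
    set hb-lost-threshold 10
    set monitor "port1" "port2"
end

# Verification after both units are up:
#   get system ha status                 -> both members listed, one primary, one secondary
#   diagnose sys ha checksum cluster     -> configuration checksums match on both members
```

On the switch side, put each heartbeat port in its own dedicated VLAN with nothing else in it, and confirm the heartbeat ports never get blocked by spanning tree during reconvergence; then pull the fiber and each heartbeat port in turn before going live to watch how the cluster behaves.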
Hi @tim86 ,
Please refer to the article below on best practices for using the heartbeat interface in a FortiGate FGCP cluster.
Let me know if you still have some questions.
Best Regards,
My apologies for delayed replies, I did not receive any notifications.
Thanks for all the input!
Best regards,
Tim
Copyright 2024 Fortinet, Inc. All Rights Reserved.