CL1
Contributor

Fortimail HA across different sites

Hello everyone,

 

I am exploring better options for configuring FortiMail HA across two different sites—one FortiMail device in Site A and another in Site B. My initial idea is to connect the two devices via an MPLS VPN. However, this approach can be costly for geographically distant sites and requires extremely low latency to function effectively. As an alternative, I am considering using DNS failover...

 

Does anyone have a better suggestion?

 

Best regards,

CL
AEK
SuperUser

Hi CL1

No need for DNS failover. Also, an Active-Passive config will put your second FML in an idle state for the whole year. So I think one good idea is to configure Active-Active mode (config sync), and configure 2 different MX entries in your public DNS.

Depending on your case, you can configure one primary MX (1st priority) and one secondary MX, or you can configure them with the same priority so the remote senders will load balance between your 2 MXs.

[Image: FML_HA2.png]

The failover is native to SMTP servers; it means that when a remote server tries to send to your first MX and finds it down, it will automatically send to the second MX.

 

AEK
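To make the MX behaviour AEK describes concrete, here is an added example (not code from the thread or from Fortinet) that models how a sending MTA orders MX records and falls back when a host is down. It covers both layouts mentioned above, primary/secondary and equal priority; the host names and the "reachable" set are constructed for illustration.

```python
"""Added example: sender-side MX selection and fallback (RFC 5321 section 5.1).

Sorts MX records by preference (lowest first), shuffles equal preferences so
equal-priority MXs share the load, and moves to the next host when delivery
fails. Host names and the reachable set are constructed, not real systems.
"""
import random
from typing import Callable, Iterable, Optional

# Constructed MX records for a hypothetical domain, as (preference, host).
PRIMARY_SECONDARY = [(10, "fml-site-a.example.com"), (20, "fml-site-b.example.com")]
EQUAL_PRIORITY = [(10, "fml-site-a.example.com"), (10, "fml-site-b.example.com")]


def order_mx(records: Iterable[tuple], rng: Optional[random.Random] = None) -> list:
    """Return hosts in the order a sender tries them: ascending preference,
    with ties shuffled so load is spread across equal-priority MXs."""
    rng = rng or random.Random()
    by_pref: dict = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records, try_host: Callable[[str], bool], rng=None) -> tuple:
    """Try hosts in MX order; return (host that accepted or None, hosts attempted).
    `try_host` stands in for the SMTP connection and returns True on success."""
    attempted = []
    for host in order_mx(records, rng):
        attempted.append(host)
        if try_host(host):
            return host, attempted
    return None, attempted  # every MX down: a real MTA queues and retries later


def reachable(up: set) -> Callable[[str], bool]:
    """Build a fake connection probe that succeeds only for hosts in `up`."""
    return lambda host: host in up


if __name__ == "__main__":
    # Site A down: the sender falls back to Site B with no DNS change at all.
    print(deliver(PRIMARY_SECONDARY, reachable({"fml-site-b.example.com"})))
    # Equal priority, both up: which site gets the message varies per sender.
    print(deliver(EQUAL_PRIORITY, reachable({"fml-site-a.example.com", "fml-site-b.example.com"})))
```

Note that the fallback happens on the sender's side at delivery time, which is why no DNS record has to change when one site is unreachable.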
CL1
Contributor

Hello AEK,

 

Apologies if I'm mistaken, but what you described sounds like DNS failover, correct? Perhaps I don't fully understand the concept of DNS failover and should do more research on it. My main concern is ensuring connectivity between the two FortiMails, especially if they're separated by a significant distance, say 500km or more. The only solution I'm familiar with is MPLS VPN, which I understand is highly effective but can be quite costly. Do you have any alternative solutions to recommend?

 

I really appreciate your support

 

Best regards,

CL
AEK

Hi CL1

 

The failover here is native to mail servers, and it is not a DNS failover. It means a remote mail server will send to the first MX, and in case it is down it will send immediately to the second MX.

 

Your second concern is the synchronization between the two FML, right? For Active-Active there is no concern regarding the latency because it is just config sync, not data sync. See here:

https://docs.fortinet.com/document/fortimail/7.6.1/administration-guide/846008/using-high-availabili...

Config sync doesn't need low latency and it uses very low bandwidth. So your MPLS VPN is perfect for that in all cases.

 

Feel free to ask more questions in case it is not clear enough.

AEK
CL1
Contributor

Hello AEK,

 

Thank you for your patience and incredibly helpful responses; everything is much clearer now!

 

Kind regards,

CL