Hi there!
Need some advice for our new upcoming setup & configuration.
I'd like to know if this setup is OK and would not cause any problems, especially things like lost internet connection, session issues, loops, spanning tree issues, failover issues, etc. I'd appreciate any comments/remarks on parts of the configuration that could potentially cause such issues.
Basic configuration details:
Fortigate Configuration
Mode: Active-Active
Priority: 100/50
Session pickup: enabled
Monitor: port1, port2, HA
Heartbeat: HA
SDWAN: WAN1, WAN2, Load Balance
FSSO Agent: AD1, AD2 with LDAP
Switch Configuration
interface Port-channel1
 desc Fortigate1
 switchport mode trunk
interface Port-channel2
 desc Fortigate2
 switchport mode trunk
interface range Gi1/0/1-2
 desc Fortigate-Pair1
 switchport mode trunk
 channel-group 1 mode active
interface range Gi2/0/1-2
 desc Fortigate-Pair2
 switchport mode trunk
 channel-group 2 mode active
Hello
My advice:
- Add secondary HA
- Add link monitor for port-1-2
- There is no possible loop here
- Plus a personal advice: Prefer active-passive, unless active-active is really required
Hi,
If an active-active configuration is needed, you must look into connecting a switch between the FGT & ISP devices.
Have a look at the traffic flow to help decide:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/678636/nat-mode-a-a-packet-flow
Regards,
In addition to the excellent advice by AEK and vponmuraj:
-> Redundant FSSO Collector Agents don't quite act the same as for example a FortiGate cluster
-> They do NOT sync large parts of their config, so you should always verify on each Collector Agent that they have the same config (polling/DC Agent mode; advanced/standard AD mode, same domains, monitoring same domain controllers, etc)
-> The Collector Agents should show the same user logins (the logins do not get synced; both Collector Agents should get the same information and process it the same however)
-> The primary FortiGate will communicate with one Collector Agent; when that one becomes unavailable, it will switch to the second
-> It will stick with the second Collector Agent even if the first becomes available again; FortiGate will remain with the second Collector Agent until that one becomes unavailable, and then the firewall will switch to the next available Collector Agent, and stick with that again, etc
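A small model of the sticky Collector Agent selection described in the reply above, added here as an example (it is not code from the thread or from Fortinet; the agent names AD1/AD2 are taken from the original post, the class and method names are made up):

```python
"""Simulation of FortiGate -> FSSO Collector Agent failover behaviour.

Constructed model, not Fortinet code: the FortiGate talks to one Collector
Agent at a time, moves to the next available one when the current agent
goes down, and stays there even after the original agent comes back.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FssoFailover:
    agents: list[str]                        # ordered list, e.g. ["AD1", "AD2"]
    available: set[str] = field(default_factory=set)
    current: str | None = None

    def __post_init__(self) -> None:
        # All agents start reachable; the first one in the list is used.
        self.available = set(self.agents)
        self.current = self.agents[0]

    def _next_available(self) -> str | None:
        # Walk the list starting just after the current agent, wrapping around.
        n = len(self.agents)
        start = self.agents.index(self.current) if self.current else -1
        for i in range(1, n + 1):
            cand = self.agents[(start + i) % n]
            if cand in self.available:
                return cand
        return None                          # every Collector Agent is down

    def agent_down(self, name: str) -> str | None:
        """Mark an agent unreachable; fail over only if it was the active one."""
        self.available.discard(name)
        if name == self.current:
            self.current = self._next_available()
        return self.current

    def agent_up(self, name: str) -> str | None:
        """Mark an agent reachable; no fail-back unless nothing is selected."""
        self.available.add(name)
        if self.current is None:
            self.current = name
        return self.current
```

Running the two-agent case shows the stickiness: after AD1 fails and recovers, the firewall keeps using AD2 until AD2 itself fails.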