HA Active-Active Setup with redundant ISP, Switch, FSSO agent
Need some advice for our new upcoming setup & configuration.
I'd like to know if this setup is OK and would not cause any problems, especially things like lost internet connection, session issues, loops, spanning tree issues, failover issues, etc. I'd appreciate any comments/remarks on configuration that could potentially cause such issues.
Basic configuration details:
FortiGate configuration
Mode: Active-Active
Priority: 100/50
Session pickup: enabled
Monitor: port1, port2
HA Heartbeat: HA
In addition to the excellent advice by AEK and vponmuraj:
-> Redundant FSSO Collector Agents don't quite act the same as for example a FortiGate cluster
-> They do NOT sync large parts of their config, so you should always verify on each Collector Agent that they have the same config (polling/DC Agent mode; advanced/standard AD mode, same domains, monitoring same domain controllers, etc)
-> The Collector Agents should show the same user logins (the logins do not get synced; both Collector Agents should get the same information and process it the same however)
-> The primary FortiGate will communicate with one Collector Agent; when that one becomes unavailable, it will switch to the second
-> It will stick with the second Collector Agent even if the first becomes available again; FortiGate will remain with the second Collector Agent until that one becomes unavailable, and then the firewall will switch to the next available Collector Agent, and stick with that again, etc
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
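The reply above describes two behaviours that interact: the FortiGate stays on whichever Collector Agent it last switched to, and the agents do not sync logons with each other. The following is an added example, not part of the original posts and not Fortinet code, that models both so you can see which logons the firewall would lose sight of when the agents' views differ. Agent names, IP addresses, users and the tick-based availability list are constructed sample data.

```python
# Added example (not Fortinet code): sticky Collector Agent selection plus logon drift.
# Agent names, IPs, users and the per-tick availability are constructed sample data.

def active_agent_timeline(agents, availability):
    """Return the agent the FortiGate uses at each tick (None if none is reachable).

    The firewall keeps its current agent while it is reachable and only moves to
    the next available one when the current agent goes down (no fail-back).
    """
    current, timeline = None, []
    for up in availability:
        if current is None or not up[current]:
            # Search from the agent after the current one, wrapping around.
            start = agents.index(current) + 1 if current in agents else 0
            order = agents[start:] + agents[:start]
            current = next((a for a in order if up[a]), None)
        timeline.append(current)
    return timeline


def lost_on_switch(timeline, tables):
    """For each agent change, list (ip, user) logons the old agent had and the new one lacks."""
    events = []
    for prev, cur in zip(timeline, timeline[1:]):
        if prev and cur and prev != cur:
            events.append((prev, cur, sorted(tables[prev] - tables[cur])))
    return events


AGENTS = ["ca1", "ca2"]
AVAILABILITY = [                      # one dict per observation tick
    {"ca1": True, "ca2": True},
    {"ca1": False, "ca2": True},      # ca1 goes down
    {"ca1": True, "ca2": True},       # ca1 is back, FortiGate stays on ca2
    {"ca1": True, "ca2": False},      # ca2 goes down
]
TABLES = {                            # ca2 is missing a logon, e.g. it monitors fewer DCs
    "ca1": {("10.0.0.11", "alice"), ("10.0.0.12", "bob"), ("10.0.0.13", "carol")},
    "ca2": {("10.0.0.11", "alice"), ("10.0.0.12", "bob")},
}

if __name__ == "__main__":
    timeline = active_agent_timeline(AGENTS, AVAILABILITY)
    print("agent per tick:", timeline)
    for prev, cur, lost in lost_on_switch(timeline, TABLES):
        print(f"{prev} -> {cur}: logons missing on {cur}: {lost}")
```

A non-empty "missing" list on a switch points at the kind of configuration difference between Collector Agents that the reply says to verify by hand.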