I have two FortiGate units in standalone mode and both have asymmetric routing enabled. I would like to re-design my network in order to not enable asymmetric routing since enabling it is a (very) bad security practice.
So, here is the diagram of the network. The FortiGates are not in a cluster. What happens is that the L3 switches load balance the traffic that originates behind them in a round-robin fashion using WAN link 1 and WAN link 2. Traffic may go out using WAN link 1 and come back using the other WAN link. In order to overcome this, we enabled asymmetric routing (long ago) and it's been working since then, no issues. Today we want to re-design the network to avoid the use of asymmetric routing since it's a bad security practice.
I came up with several designs, but in every one of them I have my doubts:
1st design: Active-Passive cluster, both WAN links enter the same FortiGate unit so no asymmetric routing is enabled. The problem with this is that if the master FG unit fails, both WAN links fail and I have to go and manually change the cables to the slave FG.
2nd design: Active-Passive cluster, same as before, but with one WAN link in each FG unit. The problem with this is that I'm wasting a whole WAN link, and I MUST use both at the same time.
3rd design: Active-Active cluster, but here I have even more doubts, because I do not have real-world experience with active-active clusters and I don't see how it can address the asymmetric routing problem.
Any help would be appreciated, thank you in advance!
You have some misconceptions about how it works and I will summarize for you:
1. A-P Cluster, both FGT units will have wan1 and wan2 connected. If FGT1 fails, FGT2 takes over automatically and there is no break in connectivity. The FGT uses a virtual MAC address to ensure IP connectivity over either FGT.
Yes, I should try to set up an A-P cluster. The only thing that still remains is that both WAN links end in the same FG unit, and I must use both of them simultaneously, so I need to put a switch in between the FG units and the L3 switches so traffic can flow to the slave FG in the case that the primary fails.
You already have switches according to your diagram. Assuming you have free ports in those switches you can use those for the WAN links. You would need three ports per WAN link (one for the WAN link, one for each FGT connection).
Standard A-P/A-A FGCP cluster design assumes that a link is connected from a switch to both units, e.g. a switch connects the ISP1 link to both FGT1 and FGT2, and also connects ISP2 to both FGT1 and FGT2. Same with downstream links. The failover happens on layer 2 by the cluster MACs moving from one FGT to the other (GARP, or link flap).
Can you find two additional ports on the L3 switches to wire things up like this standard FGCP design? If not, what's blocking you from doing so?
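The following is an added, constructed model (not code from the thread or from Fortinet) of the two situations discussed above: the original topology, where the L3 switches round-robin a flow out through one standalone unit and its reply comes back through the other, versus an FGCP A-P cluster where both directions land on the same primary. It assumes a single shared session table per unit and treats "asymroute enabled" as accepting packets that match no existing session; hosts, ports and names are made up.

```python
from dataclasses import dataclass, field
from itertools import cycle

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False

    def key(self):
        return (self.src, self.dst, self.sport, self.dport)

    def reverse_key(self):
        return (self.dst, self.src, self.dport, self.sport)

@dataclass
class Firewall:
    name: str
    asymroute: bool = False          # simplified model of "set asymroute enable"
    sessions: set = field(default_factory=set)

    def forward(self, pkt, outbound):
        if outbound and pkt.syn:     # new flow from the LAN creates a session
            self.sessions.add(pkt.key())
            return "allow"
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "allow"           # packet belongs to a known session
        # No session on this unit: only an asymroute unit lets it through,
        # and then without any state to check it against.
        return "allow-stateless" if self.asymroute else "drop"

LAN_HOST, SERVER = "10.0.0.10", "203.0.113.50"       # constructed addresses
SYN = Packet(LAN_HOST, SERVER, 40000, 443, syn=True)  # LAN client opens TLS
REPLY = Packet(SERVER, LAN_HOST, 443, 40000)          # server's legitimate reply
UNSOLICITED = Packet(SERVER, LAN_HOST, 443, 40001)    # nobody asked for this one

def run_standalone(asymroute):
    """Two standalone units; the L3 switch round-robins WAN1/FG1, WAN2/FG2."""
    wan = cycle([Firewall("FG1", asymroute), Firewall("FG2", asymroute)])
    next(wan).forward(SYN, outbound=True)               # goes out via FG1
    reply = next(wan).forward(REPLY, outbound=False)    # comes back via FG2
    stray = next(wan).forward(UNSOLICITED, outbound=False)
    return reply, stray

def run_ap_cluster():
    """FGCP A-P: both WAN links terminate on the primary, one session table."""
    primary = Firewall("FG-cluster")
    primary.forward(SYN, outbound=True)
    return primary.forward(REPLY, False), primary.forward(UNSOLICITED, False)
```

With asymroute off the standalone pair breaks the flow (reply dropped), with it on the flow works but the unsolicited packet is accepted just the same; the A-P cluster passes the reply and still drops the stray.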
Could FGSP be useful in this case? The documentation says that: "FGSP is primarily used instead of FGCP when external load balancers are part of the topology, and they are responsible for distributing traffic amongst the downstream FortiGates."
Since my topology consists of two L3 switches that load balance the traffic between the WAN links, could this be a case where FGSP is the best option (instead of an FGCP cluster)?