Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infrarium
New Contributor II

Created on ‎01-02-2023 08:30 AM

HA Active-Active and Asymmetric Routing

Hello everyone,

 

I have two fortigate units in standalone mode and both have asymmetric routing enabled. I would like to re-design my network in order to not enable asymmetric routing since enabling it is a (very) bad security practice.

 

dibujo1.png

 

So, here is the diagram of the network. The fortigates are not in cluster.  What happens is that L3 switches load balance the traffic that originates behind them in a round-robin fashion using wan link 1 and wan link 2. Traffic may go using wan link 1 and come back using the other wan link. In order to overcome this, we enabled asymmetric routing (long back ago) and its working since then, no issues. Today we want to re-design the network to avoid the use of asymmetric routing since its a bad security practice.

 

I came with several designs, but in every  one of them i have my doubts:

 

1st design: Active-Pasive cluster, both wan links enter the same fortigate unit so no asym routing enabled. The problem with this is that the master FG unit fails, both wan links fail and i have to go and manually change the cables to the slave FG.

 

2nd design: Active-Pasive cluster, sames as before, but with one wan link in each FG unit. The problem with this is that im wasting a whole wan link, and i MUST use both at the same time.

 

3rd design: Active-Active cluster, but here i have even more doubts, because i do not have real world experience with active active clusters and i dont see how it can address the asymmetric routing problem.

 

Any help would be appreciated, thank you in advance!

Labels:
2053
1 Solution
gfleming
Staff
Staff
In response to Infrarium

Created on ‎01-05-2023 08:49 AM

You can invest in two small 8-port switches for each WAN link. Not a heavy invesetment. And now you have full HA redundancy in a sound design.

Cheers,
Graham

View solution in original post

1970
0 Kudos
11 REPLIES 11
pminarik
Staff
Staff
In response to Infrarium

Created on ‎01-05-2023 07:45 AM Edited on ‎01-05-2023 07:47 AM

Pay attention to this line: "The load balancers should be configured so that all packets for any given session are processed by the same peer, including return packets whenever possible."

 

FGSP needs session-aware load-balancing. If your L3 switches can balance like this, you could try it, but I'd wager a guess and say that it's unlikely.

 

Lastly, the wiring requirements are still the same with FGSP as with FGCP, if you're looking for proper failover between both ISPs and both FortiGates.

[ corrections always welcome ]
309
0 Kudos
Infrarium
New Contributor II

Created on ‎01-09-2023 05:29 AM

Hello everyone, 

 

After all, I believe that the best thing to do here is get two small switches to put in the middle of the FG units and the L3 switch that is far away, in order to solve the problem of the links termination. So if one FG unit fails, the other takes over right away and has both WAN links.

 

Thank you for all the help you gave me on this matter.

 

Cheers.

300
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.