Dear All,
Can anyone advise on this scenario?
My Fortinet appliances will be in HA active-active, and both will be connected to stacked core switches. There will be LACP configured on the core switch to terminate to the Fortinet appliances. As I know, when we use active-passive on Fortinet with an LACP configuration, we need to create two separate EtherChannel groups on the core switch, one for the active firewall and the other for the passive firewall, so there will be no issues with the traffic.
My question for the active-active scenario: do we need to keep the same configuration on the core switch, or can we create only one EtherChannel?
The cable connections will be as follows:
from fw 1 = 4 cables (2 cables connected to core 1 and 2 cables connected to core 2)
from fw 2 = 4 cables (2 cables connected to core 1 and 2 cables connected to core 2)
In active-passive mode, on core 1 and core 2 I always configured the cables connected to fw1 into one EtherChannel group, and the same for the other fw.
In active-active, does it remain the same config or not?
Please advise, thanks.
Hi
Is your switch in a Cisco VSS configuration?
Regards
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Hi, thank you for your reply. Both my layer 3 switches are 3750s in a stack.
On my Fortinet appliance, when I select active-active mode, what priority do I need to configure on both units? Should both have the same priority, like 255 on unit 1 and 255 on unit 2, or 255 on unit 1 and 128 on unit 2, with mode active-active?
Thanks
Hi,
The priority value is one of the factors used in determining a master unit among the cluster members. Ideally, one unit would be given a higher priority value, which makes it master during an election process. If there is a tie, that is, all the units in the cluster have the same priority value, then the serial number of the unit is factored into the election. You may use 255 and 1, which would become master and slave respectively under ideal conditions.
Regards,
Hi,
Thank you very much for your reply. If I understand correctly, in active-active mode we also have one unit which acts as master in the cluster, the same as in active-passive. But here in active-active, even with one unit as master, the traffic will pass via both units as the mode is active-active, right? The priority is only used to make the unit with the highest priority become the master. And per my understanding, if both priorities are equal, it will look for the highest serial number, right?
With HA override disabled, the cluster uses priority when first electing a master:
1. Health of monitored links (none are monitored by default)
2. Uptime (differences of less than 300 seconds or 5 minutes by default are ignored)
3. Priority (default is 128)
4. Serial number as a tiebreaker (the highest wins)
With override enabled:
1. Health of monitored links
2. Priority
3. Uptime
4. Serial number
In Active-Passive, the master handles all traffic, and [optionally] synchronizes its configuration, and routing, session, and DHCP lease tables with the slave(s). In Active-Active, UTM proxied sessions are load-balanced (others can be as well, but not by default). HOWEVER...proxied sessions do NOT fail over. It's important to remember that.
A good rule of thumb, which sounds very Orwellian, is "master always in, slave sometimes out". The master always receives every packet inbound to the cluster, regardless of whether the session has been offloaded to the slave. If the slave unit(s) are processing the UTM session, then outbound packets would depart from the slave directly.
Regards, Chris McMullan Fortinet Ottawa
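As an added illustration (not part of the thread, and not Fortinet code), the election order described above modelled in Python, including the 300-second uptime tolerance and the override-enabled reordering. Unit names and serial numbers are constructed sample values.

```python
from dataclasses import dataclass

UPTIME_TOLERANCE = 300  # seconds; smaller uptime differences are ignored (FortiOS default)


@dataclass
class Unit:
    """One cluster member. Serial numbers used here are constructed placeholders."""
    name: str
    serial: str
    priority: int = 128          # FortiOS default HA priority
    uptime: int = 0              # HA uptime in seconds
    monitored_links_up: int = 0  # 0 on every unit when no interfaces are monitored


def _keep_best(candidates, criterion):
    """Return only the members that are not beaten on this criterion."""
    if criterion == "links":
        best = max(u.monitored_links_up for u in candidates)
        return [u for u in candidates if u.monitored_links_up == best]
    if criterion == "priority":
        best = max(u.priority for u in candidates)
        return [u for u in candidates if u.priority == best]
    if criterion == "uptime":
        longest = max(u.uptime for u in candidates)
        # A member only loses on uptime when the gap reaches the tolerance.
        return [u for u in candidates if longest - u.uptime < UPTIME_TOLERANCE]
    raise ValueError(criterion)


def elect_primary(units, override=False):
    """Apply the criteria in order; the highest serial number is the final tiebreaker."""
    order = ["links", "priority", "uptime"] if override else ["links", "uptime", "priority"]
    candidates = list(units)
    for criterion in order:
        candidates = _keep_best(candidates, criterion)
        if len(candidates) == 1:
            return candidates[0]
    # Same-length serials compare correctly as strings.
    return max(candidates, key=lambda u: u.serial)


def demo():
    """The asker's case: 255 on unit 1, 128 on unit 2, but unit 2 has been up longer."""
    fw1 = Unit("fw1", "FGT-SAMPLE-0002", priority=255, uptime=600)
    fw2 = Unit("fw2", "FGT-SAMPLE-0001", priority=128, uptime=2400)
    return {
        "override_disabled": elect_primary([fw1, fw2]).name,  # uptime gap beats priority
        "override_enabled": elect_primary([fw1, fw2], override=True).name,
        "equal_priority": elect_primary([Unit("fw1", "FGT-SAMPLE-0002", uptime=100),
                                         Unit("fw2", "FGT-SAMPLE-0001", uptime=300)]).name,
    }
```

With override disabled, fw2 stays master on uptime despite its lower priority; enabling override lets fw1's priority of 255 win, and with equal priority and uptimes within 300 seconds the higher serial decides.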
I would like to know about the LACP configuration for active-active. Do we need to configure two separate PORT CHANNELS, or can we use a single PORT CHANNEL?
Thanks
Two separate port-channels, on each cluster unit.
e.g.
    config system interface
        edit "FGTAE01"
            set vdom "1plus1eq2"
            unset allowaccess
            set type aggregate
            set member "port5" "port6"
            set description "CHL 01 3750-X port 12"
            config ipv6
                set ip6-mode static
                set ip6-allowaccess https
                set ip6-address 2001:db8::1/64
            end
            set lacp-mode active
            set lacp-ha-slave enable
            set lacp-speed slow
            set min-links 1
            set min-links-down operational
            set algorithm L4
        next
    end
PCNSE
NSE
StrongSwan
Hi,
Thanks for your reply. But I would like to know: do we need to create a separate port channel for each unit, or can we use a single port channel for both units?
Thanks