Hello,

we have 2 Fortinet 100d, our plan is now to make a transparent failover via ha.

The Situation is: we get a second isp, backup isp. this backup isp should only come into use when primary isp fails.

plan is to make all components overcross, 2 router (1 isp primary, 2 isp backup) go to 2 switches go to 2 firewalls with ha

Step 1: HA Mode (what is the right one) test-enviroment

Step 2: Switch Stacking and testing HA Failover, (Test Monitoring Port) test-enviroment

Step 4:Change 200A with 100D (cfg files from 200a migration to 100d works already) going to prodoction

Step 3:Configure 2 ISPs on the 100d produktion-enviroment

Step 4: an external provider who managed the two public ip`s with the protokolls like ipsec, smtp etc.

Step 1:

Previously testet in Testenviroment:

Il tried it with the new frup funktion, but this is not the right way for us, ill think. the 2 firewalls is in ha and each is standalone.

there not so much experiences on the function on the web. This option killed...

i talk to our reseller and he says the best way is active-passiv. Ok, ill do it, it looks like it works.

So...

setup ha on both 100d, on the slave i must delete the lan1 config und the factory policy, from then it was possible to turn the interface mode to switch mode

now the 2 units make sync

ha1 und ha2 connected to each unit

for test i plugged port 16 on each to an switch

mgmt port on i configured as an monitoring port on both, these goes to the switch too

failover test unit1 master: i plugged off port 16, ping fails, i plugged out mgmt--> ping ok

the failover seems to work

My first Question to you is now: Is this the right way for us?

have you any tips for me?

This is my first Firewall configuration (and this is really not so easy in this scenario), so i am sorry for errors or patchy background.

And my English is not so good to...:-)

Regards

Xris76