- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- HA Configuration with Backup VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA Configuration with Backup VPN
Hi,
After some advice please.
I have 4 firewalls, 2 in active-passive HA at the each ends of a private link. To cater for this private link going down we have a backup VPN configured which is working fine should the primary link fail.
My question is surrounding my HA setup. How do i cater for essentially a total box failover......should my primary private link go down i have my backup VPN, i don't want HA to think the box has failed as this link failure is cater for with the backup VPN - i dont want a renegotiate of the cluster.
What settings do i need on my cluster to just have it monitor total firewall loss and not any type of interface loss.......do i just monitor all interfaces ?
Thanks in advance.
Rob
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I got you. Why would the FGT will think of failed box if only the VPN dropped ?
//Chura CCIE, NSE7, CCSE+
//Chura CCIE, NSE7, CCSE+
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default complete system failure will always cause the Secondary to become master as it will not receive heartbeats.
You can just monitor the interfaces and interface goes down physically then HA failover will occur (You can also set weights to influence the failover deepening on number of failed interface)
Unless you configure remote ip monitoring the vpn or internet connection failure will not cause HA renegotiation.
So in your case the best option will be only monitor interfaces.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the replies.
the way i understand things that is if the interface is set to be monitored and the link goes down and HA failover will occur. this link going down could be due to the ISP and not the firewall failing. So as i say if my primary link goes down my backup VPN kicks in (with remote IP monitoring setup) - i dont want a HA failover at this point as the firewall is still working well and only the primary link has failed.
I think i will have it set up just monitoring one of my interfaces in the LAN which is an SFP so suppose it makes sense to have this monitored as the SFP could fail and i would then want a HA event to take place.
Thanks for the help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you mean by a total firewall failure, but if that happens the HA link would be down also, right ?. So can you explain what you mean by that?
On the monitor interface(s), you should only monitor interfaces that you want HA action to take place on.
Suggestion if you want to ensure a total box is down approach, I would look at a pair of secondary heart-beat interface. This would be use in the last resort take approach if the primary HA heartbeat goes down. Just be smart about it and ensure if your wiring thru a switch, that you don't place it in the same path of the 1st primary HA heartbeat.
Also it's still FTNT approach to place all HA functions on interfaces outside of the normal traffic flow. What I've been doing lately on FGTs and even cisco ASAs, are to run the failover in a etherbundle. This has been very helpful with providing redundancy in the HA heartbeat link.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all the advice,
i've got 2 heartbeats connected via cross over cables from mgmt1 and mgmt2. I'm only monitoring my lan interface so if the wan interfaces go down i dont see a failover.
thanks
Related Posts
- VerifyOTP failed during execution 70 Views
- Connection from VLAN to VIP does... 103 Views
- FMG Revision - Config issues when... 131 Views
- Is there any way to restore... 150 Views
- FORTMAIL EXTERNAL USERS AUTHENTICATION THROUGH FORTIMAIL 135 Views
Labels
-
FortiGate
6,699 -
FortiClient
1,333 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
343 -
FortiAP
340 -
FortiClient EMS
272 -
FortiMail
260 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
59 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Proxy policy
4 -
Packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
Antivirus profile
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.