I have a client with multiple remote sites. All of the remote sites are connected back to the main site via Comcast switched fiber Ethernet with layer 3 static routing and no connection to the internet. The remote sites come back to the main site for internet and all server access, the main site runs a 200D. The plan is to make one of the remotes a hot site and adding a connection to the internet and installing another 200D. Routers between the layer 3 switches and the Comcast link for OSPF routing will be added at all sites. Is it possible to configure the 200D's in HA in the case that the main site goes down?
Not sure what you mean HA across the network but here 's a example of what I'm doing with ATT.
We have 2x active West & East exits. The internal sites for this car dealership exit out of what ever sit eis up and less metric. if the ATT edge router goes down, our ospf default expires and traffic divert out the other exit. We are running FGT800C at each W/E DC in a cluster & EX43000 stacks terminating our MPLS cloud appearance with 40mbps uplinks.
VIP terminates in each datacenter for external peering services ( webmail, DNS, MXes, etc...) Clients are SNAT at the W or E appearance.
i just recently had VRRP peers installed for the edge-routers. So we have redundancy in all areas and as long as the MPLS core is intact and the link into the mpls core is up , we have 100% uptime. All of my failures today has been with ATT either the mpls cloud where a site was isolated into a island or A edge-router. I call it a very good design & for the bandwidth we have great performance on the FGT800C for ipsec and non-ipsec traffic.
PCNSE
NSE
StrongSwan
what I am asking is if it is possible to HA the 200d's even though they are at different locations. The Comcast links between them are the ENA switched cloud point to point links.
If your talking about the FGCP protocol across the comcast cloud yes, but that would probably not be wise.
if the comcast paths are un-stable you might have premature failover or both units operating as active and then your port monitor attempts would be extremely hard to manage. Also session pickup or not could cause extreme delay or major interruptions if you have any serious flapping the 2 units. I would think long and hard on what your trying to accomplish the risks involved.
PCNSE
NSE
StrongSwan
Hi Paul and Emnoc,
Just looking at your post and subsequent replies relating to running HA (FGCP) between two FW's operating out of two sites. I have a similar situation in a client's enterprise network that I'm looking into designing a solution. Both Data Centres are located about 50-60km (30-35miles) apart, with a latency of about 20mS (40mS on a bad day). I'm using EoMPLS across a 10GigB link between the two sites, stretching the Inside, Outside, DMZ and any other FW I/F's that I need to cross connect between sites. I've seen it done before on other "Brands" of firewalls, but new to Fortinet, so please excuse my ignorance on the capabilities with this product line (200D).
Are you aware of any case study documents, or results from other forum members who've experimented with this type of HA Clustering with Fortinet ??? My failover needs to be stateful and to keep the TCP socket alive and well. If a packet is dropped I could probably live with that, because my application can deal with retransmissions of un-acknowledged packets at the application layer on the hosts. What I can't risk is failure of the TCP Socket due to the FW Pair not syncing in a timely manner between the Active and the Failover device, and then the Failover devices refusing to pass a packet, because the SEQ/ACK are out of whack. My upper layer application has a noted history of taking 10 minutes to time out before re-initiating a connection.....(Bank applications and Security Protocols)......and something that I can not change.
Your thoughts are most welcome.
Jeff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.