I would like to deploy two fortigate firewalls (firewall 1 and firewall 2) with each firewall having 3 VDOMs,
[ul]
I don't want virtual clustering (as I only want firewall 2 to kick in action when firewall 1 fails). I'm struggling to understand how this will be possible as the port numbers the subnets for the both VDOM's are connected to are different in firewall 1 and firewall 2. For example, I have 5 ports connected to 5 subnets on each firewall as follows,
Firewall 1
root
port 1 - management
port 3 - HA port
VDOM_1
port 2 - subnet 1
port 4 - subnet 2
VDOM_2
port 6 - subnet 3
port 5 - subnet 4
Firewall 2
root
port 1 - management
port 2 - HA port
VDOM_1
port 3 - subnet 1
port 5 - subnet 2
VDOM_2
port 6 - subnet 3
port 4 - subnet 4
If the configuration is synced, how does the firewall know which port should be connected to with VDOM? Is this not synced?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You won't be able to configure things like that. That's simply not how HA works. Once you join a 2nd firewall to the HA cluster, the config syncs, so whatever you have as port 2 and port 4 on firewall 1 must be connected to the same networks as port 2 and 4 on firewall 2.
As far as multiple VDOMs, that config is synced as well and if you don't enable virtual clustering then you'll have the active/passive failover you're looking for.
Ok - thank you.
I will re-arrange the ports. Does HA also sync the IP addresses for the interfaces ? i.e - do the IP addresses need to be the same for both firewalls?
Yes, shared IP addressing is surely the primary purpose of HA in the first place. You really don't need to configure the secondary FortiGate almost at all. It is actually recommended that it be in a factory reset state actually when you join it to the primary to avoid any accidental config overwrites.
I would recommend doing some Googling around specific HA concepts as the documentation abounds, but I'll link this as it may help you get started: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/161720/high-availability
Also to mention that if you do FGCP HA, the MGT IP will also be shared between the two units. To manage the slave, you need to go to the master and do "exec ha manage X". There are some workarounds for this, but they didn't work well for me.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.