elpg101
New Contributor

HA - active-passive with VDOM

I would like to deploy two fortigate firewalls (firewall 1 and firewall 2) with each firewall having 3 VDOMs,

  • root
  • VDOM_1
  • VDOM_2

I don't want virtual clustering (as I only want firewall 2 to kick in when firewall 1 fails). I'm struggling to understand how this will be possible, as the port numbers that the subnets for both VDOMs are connected to are different on firewall 1 and firewall 2. For example, I have 5 ports connected to 5 subnets on each firewall as follows:

Firewall 1

root
  port 1 - management
  port 3 - HA port

VDOM_1
  port 2 - subnet 1
  port 4 - subnet 2

VDOM_2
  port 6 - subnet 3
  port 5 - subnet 4

Firewall 2

root
  port 1 - management
  port 2 - HA port

VDOM_1
  port 3 - subnet 1
  port 5 - subnet 2

VDOM_2
  port 6 - subnet 3
  port 4 - subnet 4

If the configuration is synced, how does the firewall know which port should be connected to which VDOM? Is this not synced?

4 REPLIES

lobstercreed
Valued Contributor

You won't be able to configure things like that.  That's simply not how HA works.  Once you join a 2nd firewall to the HA cluster, the config syncs, so whatever you have as port 2 and port 4 on firewall 1 must be connected to the same networks as port 2 and 4 on firewall 2.

As far as multiple VDOMs, that config is synced as well, and if you don't enable virtual clustering then you'll have the active/passive failover you're looking for.

elpg101

Ok - thank you.

I will re-arrange the ports. Does HA also sync the IP addresses for the interfaces? i.e., do the IP addresses need to be the same for both firewalls?

lobstercreed

Yes, shared IP addressing is surely the primary purpose of HA in the first place.  You really don't need to configure the secondary FortiGate almost at all.  It is actually recommended that it be in a factory reset state when you join it to the primary, to avoid any accidental config overwrites.

I would recommend doing some Googling around specific HA concepts as the documentation abounds, but I'll link this as it may help you get started: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/161720/high-availability

j_a_m_e_s

Also to mention that if you do FGCP HA, the MGT IP will also be shared between the two units. To manage the slave, you need to go to the master and do "exec ha manage X". There are some workarounds for this, but they didn't work well for me.
