This question has been answered before in that FortiGate requires one to maintain identical licensing in an HA pair. So my question is more specific. What happens if you don't? I am fine if the secondary [non-licensed] device gets promoted to primary and all the FortiGuard services stop working, I will promote the licensed one to primary or get a replacement if it dies. I can live with the non-licensed device being primary for a little while. Anything else that I might need to think about? I don't need support from FortiCare with the non-licensed device, since any issues will be handled on the licensed one always acting as primary.
Thoughts? And by thoughts, I don't need advice like just license both of them you cheapskate or similar. Thanks.
We decided to go with different support/replacement terms to save some money on our renewals for HA. The primary unit has 24x7 with best available time for replacement, the secondary units have 8x5 with slower hardware replacement terms- standalone devices have 24x7. They both have the same software/fortiguard/etc entitlement so there's no concern with having out of date signatures or fortiguard webfiltering breaking during a failover.
For what it's worth (as well), I've worked in budget constrained environments in the past and there were some loopholes you could jump through to minimize what you needed to buy. Also- typically in those environments you don't end up with HA because it literally doubles the costs of everything. I won't go into details, but here are some of the things that might happen in your situation.
If you have a failover, your secondary unit will likely have out of date IPS/AV signatures, but IPS/AV will continue to work, just with old sigs. If you are running in Active/Active, this may actually already be happening, which could be a problem: if scanned traffic gets sent to the secondary unit, an attack may not be detected if the signatures are out of date on it. If you have fortiguard webfiltering turned on, any policies using it will begin to block traffic as it can't determine a category. You can't switch fortiguard entitlements willy-nilly, so you can't just switch the license from primary to secondary during a failover; typically it's only for RMA replacements. I had to physically move and restore configs on two (thankfully identical) devices that had their support terms swapped by mistake; they wouldn't do it after they were assigned to hardware. If you have a problem on your secondary unit, you will need to buy support for that one. Contracts are retroactive until the date of last coverage or 6 months, whichever is less. So if your secondary device dies and you buy a 1 year contract for it after having been inactive for 2 years, you end up with only 6 months coverage remaining right away. They instituted that policy years ago to prevent people from only buying contracts when they have RMA needs and abusing it.
CISSP, NSE4
Well, you should have the same subscriptions across the HA cluster. You ask "what will happen?" Simple: any UTM feature not present will fail, or fail to work, or you will have other configuration issues from cfg-sync.
e.g.
A lack of IPS subscription on unit#2 will probably cause a lot of cfg-sync issues if you had "unit#1 active" and had to fail over to unit# with no subscriptions.
Why would you ask this question in the 1st place? Purchasing a subscription bundle on one unit and then clustering the 2 together with a non-subscription model is not good mojo or smart. Follow the FTNT guidelines and don't worry about anything, and know you have a proper HA (HA == High Availability, and that means all services imho).
I would look at what bundle and type you have, and what you're using.
And yes, you're a cheapskate.
PCNSE
NSE
StrongSwan
We're talking about an essential service for a professional network here. Apparently the firewall's function is so important to you (or your business) that you decide to buy a second FGT and protect your network 24/7, no matter what happens. And then, after all this effort, you shy away from a couple of hundred bucks for the second subscription?
I'd say this is more a matter of business priorities than a technical issue.
For what it's worth, I believe if you are going to run in HA mode, 40Net offers a slightly discounted rate for the second device. Don't hold me to that. It's been a while since I had to deal with that.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob,
I've never seen an official HA discount, but I know some partners will reduce their take on the 2nd license, though I've only seen that offered at the initial purchase and only with the 3-year bundles.
I believe the HA protocol might initialize between two differently licensed models, but I don't believe an execute ha- ignore-revision is going to work here ;)
Both units need to be identical in all aspects (version, hardware, subscriptions, etc.).
just my 2cts
Ken
PCNSE
NSE
StrongSwan
emnoc wrote: I've never seen an official HA discount, but I know some partners will reduce their take on the 2nd license, though I've only seen that offered at the initial purchase and only with the 3-year bundles.
I concur with this- it's what happened to me. I got a slight break on the HA devices during the initial buy. No breaks on renewal. I remember hearing about it from various sources, but never have I actually gotten it (for Fortinet equipment). Typically you'll end up with considerations regarding the overall deal rather than specifically for HA.
CISSP, NSE4
Kenundrum wrote: We decided to go with different support/replacement terms to save some money on our renewals for HA. The primary unit has 24x7 with best available time for replacement, the secondary units have 8x5 with slower hardware replacement terms- standalone devices have 24x7. They both have the same software/fortiguard/etc entitlement so there's no concern with having out of date signatures or fortiguard webfiltering breaking during a failover.
For what it's worth (as well), I've worked in budget constrained environments in the past and there were some loopholes you could jump through to minimize what you needed to buy. Also- typically in those environments you don't end up with HA because it literally doubles the costs of everything. I won't go into details, but here are some of the things that might happen in your situation.
If you have a failover, your secondary unit will likely have out of date IPS/AV signatures, but IPS/AV will continue to work, just with old sigs. If you are running in Active/Active, this may actually already be happening, which could be a problem: if scanned traffic gets sent to the secondary unit, an attack may not be detected if the signatures are out of date on it. If you have fortiguard webfiltering turned on, any policies using it will begin to block traffic as it can't determine a category. You can't switch fortiguard entitlements willy-nilly, so you can't just switch the license from primary to secondary during a failover; typically it's only for RMA replacements. I had to physically move and restore configs on two (thankfully identical) devices that had their support terms swapped by mistake; they wouldn't do it after they were assigned to hardware. If you have a problem on your secondary unit, you will need to buy support for that one. Contracts are retroactive until the date of last coverage or 6 months, whichever is less. So if your secondary device dies and you buy a 1 year contract for it after having been inactive for 2 years, you end up with only 6 months coverage remaining right away. They instituted that policy years ago to prevent people from only buying contracts when they have RMA needs and abusing it.
Good point, I forgot about retroactive contracts, they are all the rage with everyone nowadays.
So helpful. Thanks for the sermon which I specifically asked respondents to not post.
If you don't want to hear what others think, then don't ask.
I have to concur with the other Ken ;)
We did the same and saved tons of money in a 200+ device network. All standby units had 8x5 support, but this has nothing to do per se with the subscriptions, just with support and RMA cost. Also, if you are truly HA, do you need a 24x7 support contract?
If you shop around, you can find numerous helpful ways to save $$$$.$$$ or Euros.
Another trend is to use virtual appliances for internal security segments. How many orgs really need physical hardware? The price saving per PHY vs. VIRT can add up to real savings if you're looking at TCO numbers.
PCNSE
NSE
StrongSwan