Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Necron99
New Contributor

HA and licensing

This question has been answered before in that FortiGate requires one to maintain identical licensing in an HA pair. So my question is more specific. What happens if you don't? I am fine if the secondary [non-licensed] device gets promoted to primary and all the FortiGuard services stop working, I will promote the licensed one to primary or get a replacement if it dies. I can live with the non-licensed device being primary for a little while. Anything else that I might need to think about? I don't need support from FortiCare with the non-licensed device, since any issues will be handled on the licensed one always acting as primary.

 

Thoughts? And by thoughts, I don't need advice like just license both of them you cheapskate or similar. Thanks.

1 Solution
Kenundrum

We decided to go with different support/replacement terms to save some money on our renewals for HA. The primary unit has 24x7 with best available time for replacement, the secondary units have 8x5 with slower hardware replacement terms- standalone devices have 24x7. They both have the same software/fortiguard/etc entitlement so there's no concern with having out of date signatures or fortiguard webfiltering breaking during a failover.

 

For what it's worth (as well), I've worked in budget constrained environments in the past and there were some loopholes you could jump through to minimize what you needed to buy. Also- typically in those environments you don't end up with HA because it literally doubles the costs of everything. I won't go into details, but here are some of the things that might happen in your situation.

If you have a failover, your secondary unit will likely have out of date IPS/AV signatures but IPS/AV will continue to work just with old sigs. If you are running in Active/Active- this may actually already be happening which could be a problem if scanned traffic gets sent to the secondary unit, an attack may not be detected if the signatures are out of date on it. If you have fortiguard webfiltering turned on- any policies using it will begin to block traffic as it can't determine a category. You can't switch fortiguard entitlements willy-nilly so you can't just switch the license from primary to secondary during a failover- typically it's only for RMA replacements. I had to physically move and restore configs on two (thankfully identical) devices that had their support terms swapped by mistake- they wouldn't do it after they were assigned to hardware. If you have a problem on your secondary unit, you will need to buy support for that one. Contracts are retroactive until the date of last coverage or 6 months, whichever is less. So if your secondary device dies and you buy a 1 year contract for it after having been inactive for 2 years- you end up with only 6 months coverage remaining right away. They instituted that policy years ago to prevent people from only buying contracts when they have RMA needs and abusing it.

CISSP, NSE4

 

View solution in original post

CISSP, NSE4
11 REPLIES 11
Necron99

ede_pfau wrote:

So helpful. Thanks for the sermon which I specifically asked respondents to not post.
If you don't want to hear what others think then don't ask.

I didn't ask to hear that, I specifically stated so in my request. I assume since you responded in English, you understand what you read [so stupid not ignorant]. Which brings me to this quote from Groucho "He may look like an idiot and talk like an idiot, but don't let that fool you- he really is an idiot."

 

Cheers

Necron99

ede_pfau wrote:

We're talking about an essential service for a professional network here. Apparently the firewall's function is so important to you (or your business) that you decide to buy a second FGT and protect your network 24/7, no matter what happens. And then, after all this effort, you shy away from a couple of hundred bucks for the second subscription?

I'd say this is more a matter of business priorities than a technical issue.

So helpful. Thanks for the sermon which I specifically asked respondents to not post.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors