scerazy
New Contributor III

HA cluster A/P WAN failover

2x 300E in HA cluster with BGP, dedicated direct fibre for HA Heartbeat between units, each unit with WAN (active/passive provided by same ISP)

 

What do I need to configure for the WAN failover to work?

 

For now I want to tackle the WAN itself: if the primary unit's active WAN link fails, how do I get all traffic routed to the secondary unit's WAN?

 

Seb

lobstercreed
Valued Contributor

If you have two different WAN connections (you mentioned different routing) then you need twice that number of physical connections to the firewall (put a $20 dumb switch in between).  So WAN from ISP1 (or since same ISP, let's say connections A and B) goes to wan1 and connection B/ISP2 goes to wan2 on EACH firewall.  Anything else does not work with HA cluster.  Connectivity on the firewalls should always be identical, and each WAN connection should be monitored as a condition for failover.

scerazy
New Contributor III

I do have a VSF stack of 2 switches (not that cheap) between each Fortigate and each ISP router

FTG1 -> switch stack - ISP router 1

FTG2 -> switch stack - ISP router 2

 

In normal condition FTG1 is primary, ISP router 1 is active & default

 

I can monitor the active connection, but I see no way to monitor the passive connection.

lobstercreed

As I said, you need to double your connections so the connectivity is the SAME on both FortiGates.  You need it to look like this instead:

 

FTG1, wan1 -> switch stack - VLAN for ISP router 1

FTG2, wan1 -> switch stack - VLAN for ISP router 1

FTG1, wan2 -> switch stack - VLAN for ISP router 2

FTG2, wan2 -> switch stack - VLAN for ISP router 2

 

You obviously don't need to double the connections going to the ISP router (probably can't) which is why I said VLAN for....  Basically you have one port on your switch to the ISP router 1 and then 2 ports to the 2 FGTs.  Same thing with ISP router 2.  6 ports on your switch, in total.

scerazy
New Contributor III

OK, so the dual connectivity from each FTG would be for the purpose of only a WAN link failing, not any FTG unit itself failing (because the HA cluster can be quite happy itself), right?

 

Seb

lobstercreed

I'm not quite sure what you're asking.  I assume that's why you have two WAN connections, yes, in case one of them fails.  And the reason you have two FGTs is in case one of *them* fails.  Since you have both, you could now have 1 of each fail and still have no impact to service.  Anytime you throw HA firewalls in place you need to make sure each one has the same connectivity to all networks or it's not really HA and it won't work.

 

Now you'll need to consider the impact of the failure of one of your VSF switches as well, or that becomes a single point of failure.  Most likely you'd do 1 WAN to each switch and then make both connections (to FGT1 and FGT2) from that same switch.  So the WAN connected to each switch becomes reliant on that switch, and if say switch A fails at the same time that WAN B fails, you're SOL because working WAN A can't talk to either FGT although both FGTs can talk to broken WAN B.  There's always some combination that can break things, but you can think through the different scenarios and consider what's more likely under your circumstances (unreliable ISP, old gear, etc).

 

Hope that helps!  - Daniel
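To make the advice in the two replies above concrete (identical wan1/wan2 connectivity on both units, and each WAN link monitored as a failover condition), here is a FortiOS CLI fragment added as an illustration; it is not configuration posted by either participant and was not taken from the thread. Assumptions: the heartbeat port is named ha1, the ISP router addresses 203.0.113.1 (wan1) and 198.51.100.1 (wan2) are constructed placeholders, and plain static default routes are used instead of the BGP the original poster runs, so only the monitoring and HA pieces carry over to a BGP design.

```text
# Added example (not from the thread). Interface names, IPs and
# the use of static routes are assumptions for illustration.

# 1. Two default routes, preferred one via wan1. If wan1's route is
#    withdrawn by the link monitor below, the wan2 route takes over
#    on the SAME unit, without an HA failover.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# 2. Ping the ISP gateway through each WAN. "update-static-route"
#    removes the matching default route while the probe is failing;
#    "ha-priority" lets the cluster count this as a remote-link
#    failure (see pingserver-* settings in step 3).
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set ha-priority 10
        set status enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set ha-priority 10
        set status enable
    next
end

# 3. Active-passive cluster. "monitor" fails the primary over when the
#    physical port on it goes down (the secondary has its own copy of
#    that port, which is why both units must be cabled identically).
#    "pingserver-monitor-interface" does the same when a link monitor
#    on that interface reports the far end unreachable.
config system ha
    set group-name "fg-cluster"
    set mode a-p
    set hbdev "ha1" 50
    set monitor "wan1" "wan2"
    set pingserver-monitor-interface "wan1" "wan2"
    set pingserver-failover-threshold 5
    set pingserver-flip-timeout 60
end
```

Two points worth checking after applying something like this: the link-monitor `interval` is left at its default here because its unit (seconds or milliseconds) differs between FortiOS releases, so set it explicitly only after confirming the syntax for the running version; and with the switch-stack layout Daniel describes, a probe failure on wan1 of both units at once indicates the ISP router or VLAN path, not the FortiGate, so the per-unit route failover (step 1 and 2) is what carries traffic to wan2 while the HA interface monitoring (step 3) only handles the case where one unit's own port or path is the problem.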
