2x 300E in HA cluster with BGP, dedicated direct fibre for HA Heartbeat between units, each unit with WAN (active/passive provided by same ISP)
What do I need to configure for the WAN failover to work?
For now I want to tackle the WAN itself, if primary unit's active WAN link fails, how do I get all traffic routed to secondary's unit WAN ?
Seb
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you have two different WAN connections (you mentioned different routing) then you need twice that number of physical connections to the firewall (put a $20 dumb switch in between). So WAN from ISP1 (or since same ISP, let's say connections A and B) goes to wan1 and connection B/ISP2 goes to wan2 on EACH firewall. Anything else does not work with HA cluster. Connectivity on the firewalls should always be identical, and each WAN connection should be monitored as a condition for failover.
I do have a VSF stack of 2 switches (not that cheap) between each Fortigate and each ISP router
FTG1 -> switch stack - ISP router 1
FTG2 -> switch stack - ISP router 2
In normal condition FTG1 is primary, ISP router 1 is active & default
I can monitor active connection, but I see no way to monitor passive connection
As I said, you need to double your connections so the connectivity is the SAME on both FortiGates. You need it to look like this instead:
FTG1, wan1 -> switch stack - VLAN for ISP router 1
FTG2, wan1 -> switch stack - VLAN for ISP router 1 FTG1, wan2 -> switch stack - VLAN for ISP router 2
FTG2, wan2 -> switch stack - VLAN for ISP router 2
You obviously don't need to double the connections going to the ISP router (probably can't) which is why I said VLAN for.... Basically you have one port on your switch to the ISP router 1 and then 2 ports to the 2 FGTs. Same thing with ISP router 2. 6 ports on your switch, in total.
OK, so the dual connectivity from each FTG would be for a purpose of only WAN link failing, not the actual any FTG unit failing itself (because HA cluster can be quite happy itself), right?
Seb
I'm not quite sure what you're asking. I assume that's why you have two WAN connections, yes, in case one of them fails. And the reason you have two FGTs is in case one of *them* fails. Since you have both, you could now have 1 of each fail and still have no impact to service. Anytime you throw HA firewalls in place you need to make sure each one has the same connectivity to all networks or it's not really HA and it won't work.
Now you'll need to consider the impact of the failure of one of your VSF switches as well, or that becomes a single point of failure. Most likely you'd do 1 WAN to each switch and then make both connections (to FGT1 and FGT2) from that same switch. So the WAN connected to each switch becomes reliant on that switch, and if say switch A fails at the same time that WAN B fails, you're SOL because working WAN A can't talk to either FGT although both FGTs can talk to broken WAN B. There's always some combination that can break things, but you can think through the different scenarios and consider what's more likely under your circumstances (unreliable ISP, old gear, etc).
Hope that helps! - Daniel
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1098 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.