Hi guys,
I just have some questions about FortiManager HA. Basically, my environment is that I have 2x DC where I want to put my FortiManager. I will be placing 1x FortiManager in each of my DCs in my management segment/block, and these have different subnets (e.g., DC1 = MgmtSubnetA and DC2 = MgmtSubnetB).
1. Is it feasible to form FortiManager in HA if my primary and slave will have different subnets?
2. If question 1 is feasible, how will the FortiGate communicate with the FortiManager?
3. If question 1 is feasible, how will the FortiGate communicate with the Slave FortiManager in the event the Primary FortiManager goes down?
Thank you
Hi FXE_FTNT
In the FMG HA solution we don't call them master and slave, we call them primary and secondary.
Here are the answers:
1. Yes, they can be on different subnets. The primary unit and the secondary units can be in the same location or different locations. FortiManager HA supports geographic redundancy, so the primary unit and secondary units can be in different locations attached to different networks as long as communication is possible between them (for example, on the Internet, on a WAN, or in a private network) (link 1).
2. FGT will talk to the primary FMG using the FMG IP address configured on FGT.
3. To my understanding based on Fortinet documentation, because they are in different DCs (so assuming different subnets), they cannot be set up as VRRP, so it will be a manual failover mode.
More details can be found on the following links:
link1 - https://docs.fortinet.com/document/fortimanager/7.4.2/administration-guide/568591/high-availability
Hi @DPadula , if you say manual failover, do you mean manual promotion of the secondary FMG?
Hi @FXE_FTNT ,
After 7.2 there is an option to use the VRRP protocol for forming an HA cluster, which should be the preferable way in your case.
https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-failover-guide/ta-p/191...
https://community.fortinet.com/t5/FortiManager/Technical-Tip-File-quota-on-FortiManager-HA-configura...
https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-setup-and-troubleshooti... - Please review this one
https://docs.fortinet.com/document/fortimanager/7.2.2/cli-reference/698226/ha
https://docs.fortinet.com/document/fortimanager/7.2.2/cli-reference/769887/ha
https://docs.fortinet.com/document/fortimanager/7.0.0/new-features/286406/cluster-ha-improvements-7-...
https://docs.fortinet.com/document/fortimanager/7.2.2/administration-guide/203784/if-the-primary-or-...
https://docs.fortinet.com/document/fortimanager/7.2.2/administration-guide/812355/configuring-ha-clu...
https://docs.fortinet.com/document/fortimanager/7.2.2/administration-guide/800686/configuring-ha-opt...
https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-configure-FortiManager-to-use-cu...
Best,
Hi @vraev , is my understanding correct that the VRRP failover mechanism of FMG can be done even if they have different subnets?
Hi @FXE_FTNT ,
Sorry for the delay but I had a chance to test the following standard HA cluster configuration recently.
So after the test I can tell that it is possible when a standard HA setup is used. Both FMGs had a route to each other set up in their configuration. There was a FW policy allowing the traffic between them in both directions, with no NAT.
Hope this will help you.
Best,
Hi,
Please review the example:
Best,