I agree; you use way too many switches... Look at the HA pair as ONE FGT. All ports used on FGT1 must be connected (port by port) to the same ports on FGT2. Assume you are using <n> ports on the FGT (like WAN, LAN and DMZ => <n>=3). You can either use <n> switches with each having at least 3 ports, or use one switch which you partition into <n> compartments using port-based VLANs. I would partition into <n> x 4 ports: FGT1, FGT2, LAN connect and one spare for testing. So using one 24-port switch you could utilize 6 firewall ports for different zones. And in my inner ear I already hear emnoc gasping " not all eggs into one basket!" - if you use one switch like this you build in a single point of failure, you should know that. In the clusters I' ve built so far I' ve always used one switch per firewall port used.

Agreed to the last statement. Even better I build stacked-members ( 2960) with aggregated links from each FGT. Might be overally built for a small office but a must in a enterprised or carrier arena. food for thought E.g we build vPC to nexus 5Ks for FGT3040 in my last big deployment. This gave use full multipath and with no single failure. Also with HA members, we use dual-links for HA link redundant connections. This might limiting in a smaller FGT, but once again a must in a entrprised or carrier outfit

No you don' t. And I' m afraid you didn' t get my point (sorry, my fault): each port of both FGTs has to be connected on the SAME switch. So, if you use LAN and WAN1, WAN2 on the FGTs, you would need 3 switches with at least 3 ports (better 4 ports). That' s just for HA. To get rid of the risk that one small switch fails you could stack 2 to form 1 switch. In the above example, you' d need 6 small switches which would have to be stackable. As these do not exist, I recommend bigger switches (like 24 port), stack 2 of them and partition them into 3 x 4 ports (3 internal port-based VLANs). Select the 4 ports in such a manner that they span both switches: portgroup 1: sw1-1, sw1-2, sw2-1, sw2-2 from FGT1-LAN to sw1-1 from FGT2-LAN to sw1-2 from your LAN to sw1-2 or sw2-2 (or via LAG to both) Likewise for WAN1 and WAN2, using the same switches sw1 and sw2. Bottom line: no LAG required on FGTs, LAG only if your connection should be redundant. Sounds far more complicated than it is in reality.

No, sorry,

LAG only if your connection should be redundant

should read

LAG between switch and your LAN only if your connection from the switch to your LAN is required be redundant

LAG is no requirement for a FGT cluster! The cluster protocol (FGCP) takes care if there are multiple links to the same target in order to avoid loops. If you re-read the setup of a HA cluster in the Handbook, don' t read too much into it - it' s short because there' s not much to do. No complications to take into account. The only thing ' complicated' you could do on the FGT side is to have 2 HA links between the FGTs. Reasoning: one HA link will do nicely. BUT if that link breaks (is pulled by accident) then the cluster falls apart - you immediately have 2 identical routers with identical IP addresses, ALIVE. Breaking the HA link must be avoided at any cost. Best practice: do not run the link across any intermediate switch, use 2 cables which you annotate accordingly, use a different cable color (RED for instance). And one final best practice: you will have good reasons to run the cluster in A/A. From my experience, an A/P cluster is much more stable and serves 90% of the time just as good. So, if you have good reasons, OK, if not, stick to A/P.

My FGT 80c' s do not support LAG apparently.

So much the better. No brain racking needed.

Thanks guys for the reply. I had drawn out removing the (6) switches and consolidating to (2) Stackable and create VLANs.