- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Help needed with FG 100F - HA - A-P behind VRR...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help needed with FG 100F - HA - A-P behind VRRP routers
Hai all. After reading a lot on these forums helping me on the way with Fortinet producs, I have a problem that might be really simple but I don't see it. We have 2 FG100F in HA A-P running behind two Cisco routers in VRRP (ISP routers). I have configured the WAN1 interface with the IP's provided. So far so good. HA works fine when I pull the WAN interface on the main FG. However when the active VRRP router fails the WAN does not go down so no failover occurs. This mean no redundancy.
What is the best way to setup the FG's to the VRRP routers? I've used SD-WAN in other locations where we have redundant ISP's. That works like a charm. However for this main location we have 1 ISP with a redundant 200mb's line.
At the moment the setup is:
Router A VRRP Router B
| |
FG100 A ===HA=== FG100 B
I need to find a way to connect both FG's to both Routers while keeping the IP information and Gateway the same.
Hopefully you can help me out.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are you using VLAN ? or interface untagged?
NSE-4
NSE-4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jorge.americo wrote:are you using VLAN ? or interface untagged?
These interfaces are untagged.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seferian wrote:jorge.americo wrote:are you using VLAN ? or interface untagged?
These interfaces are untagged.
I believe that if you do the configuration with VLAN you will not have this problem, as there will be knowledge of the L2 path, even if FGT_A is active and Router_B is with VRRP active.
Router A ========= Router B | | FG100 A === HA === FG100 B
Or you can also try to understand the reason why the VRRP is being changed, without dropping the interface.
NSE-4
NSE-4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jorge.americo wrote:Seferian wrote:jorge.americo wrote:are you using VLAN ? or interface untagged?
These interfaces are untagged.
I believe that if you do the configuration with VLAN you will not have this problem, as there will be knowledge of the L2 path, even if FGT_A is active and Router_B is with VRRP active.
Router A ========= Router B | | FG100 A === HA === FG100 B
Or you can also try to understand the reason why the VRRP is being changed, without dropping the interface.
I'm not quite sure I understand what you're trying to tell me. The Routers A and B are off the ISP. Let's assume the config can't be changed. And it's in VLAN0. How would I need to wire my fortigates to these devices? At the moment Fortigate A has a cable from WAN1 to RouterA. And Fortigate B has a cable from WAN1 to RouterB.
When I pull the cable on FG A it will failover as expected. However if I pull power from RouterA the Fortigate does not failover. My guess is because RouterB does not have a cable to Fortigate A. So RouterB became active but does not have a direct path to Fortigate A. Only to Fortigate B.
Is there a way to let the Fortigate failover when, let's say, it can't ping 8.8.8.8 five times in a row. If I then pull RouterA, Router B would become active. Fortigate A would not be able to ping 8.8.8.8 and should failover to Fortigate B. Then the connection should be active again.
But I'm not sure if the is the way. And if so, how to configure this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need a switch inbetween. VRRPs (per interface, not per device) between two routers would be half-useless if devices, in your case FGTs, are physically connected to only one side. When that side of hardware dies, the devices connected to it lose the path.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but in the case described. if you turn ROUTER_A off the FGT_A interface will be DOWN, ok? . and thus force HA (if the interface is being monitored)
As for testing with ping for switching, I don't know.
NSE-4
NSE-4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:I think you need a switch inbetween. VRRPs (per interface, not per device) between two routers would be half-useless if devices, in your case FGTs, are physically connected to only one side. When that side of hardware dies, the devices connected to it lose the path.
I was thinking of creating a hardware switch on the Fortigate. Put two interfaces in it and configure it to be the WAN. One interface will be connected to RouterA and the other to RouterB. This will be done on both Fortigates.
Would this work? And is there a downside to using a hardware switch over a physical interface?
Related Posts
- Need FortiClient VPN software to install... 37 Views
- Connect Fortigate to internet with 2... 121 Views
- Assistance Needed: Routing Issue with FortiGate... 196 Views
- Flow-based and proxy-based inspection explanation needed 241 Views
- Certificate help 218 Views
Labels
-
FortiGate
6,414 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
407 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
Web profile
2 -
FortiAI
2 -
Intrusion prevention
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Service
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Fortinet Engage Partner Program
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.