Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dur
New Contributor

Created on ‎06-18-2018 08:11 AM

High Availability & WAN Design Failover

Hello,

 

I've a question regards WAN failover and HA A/P design that I can't find the answer anywhere in the documentation.

 

 

Please check the attached diagram designed, the question that comes in mind is:

[ul]
  • If the link WAN1 from CORE1 to Port1 on of FS-1 goes down, then the Internet connectivity will be done through CORE1 - WAN2 as far as I understand.
  • Is it possible to set it up, that instead of failover to use CORE1-WAN2 it uses CORE2-WAN1? The only way I've seen to set up this scenario is to enable port-monitoring on CORE1-WAN1 and then failover to CORE2. But in my opinion it seems a bit of extreme use to failover to CORE2 just only because the link between CORE1 WAN1 / FS1 Port1 fails.[/ul]

     

    Thanks for your help.

    • 5326
    0 Kudos
    1 Solution
    Toshi_Esumi
    SuperUser
    SuperUser

    Created on ‎06-18-2018 10:20 AM

    With FortiGate HA a-p mode, both unit has basically the same config (copied over from a to p). So if you set up a fail-over from wan1 to wan2 on the current active, the standby unit has the same config and duplicate the fail-over operation if a-p roles are flipped. 

    How let the standby unit take over the control from the active unit is a completely separate issue and you can control it by monitoring interfaces.

    By assuming wan1-ISP1 and wan2-ISP2 are pairs, I would set up a fail-over mechanism wan1->wan2 with some optional split traffic first, then set up HA a-p between two 200Es. Much more complicated fail-overs are probably possible, but it wouldn't fit with HA a-p and more importantly wouldn't add much benefits in my opinion, other than more complicated troubleshooting/isolation process when a fail-over situation happens.

    View solution in original post

    1898
    0 Kudos
    2 REPLIES 2
    Toshi_Esumi
    SuperUser
    SuperUser

    Created on ‎06-18-2018 10:20 AM

    With FortiGate HA a-p mode, both unit has basically the same config (copied over from a to p). So if you set up a fail-over from wan1 to wan2 on the current active, the standby unit has the same config and duplicate the fail-over operation if a-p roles are flipped. 

    How let the standby unit take over the control from the active unit is a completely separate issue and you can control it by monitoring interfaces.

    By assuming wan1-ISP1 and wan2-ISP2 are pairs, I would set up a fail-over mechanism wan1->wan2 with some optional split traffic first, then set up HA a-p between two 200Es. Much more complicated fail-overs are probably possible, but it wouldn't fit with HA a-p and more importantly wouldn't add much benefits in my opinion, other than more complicated troubleshooting/isolation process when a fail-over situation happens.

    1899
    0 Kudos
    dur
    New Contributor
    In response to Toshi_Esumi

    Created on ‎06-23-2018 03:28 PM

    Thanks for the answer Toshi, very much appreciated! :)

    1854
    0 Kudos
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2024 Fortinet, Inc. All Rights Reserved.