Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
akabarasif
New Contributor III

Created on ‎07-30-2020 08:59 PM

How to Config redundant ISP with HA without having switch?

HI,

we have 2 ISPs directly connected. it is P2P link one is L3-P2P another is L2-P2P, 1 link is connected to primary firewall and 2nd is connected to secondary firewall, both firewall has active/active HA enabled. how can i utilised both ISPs 50/50%. Stacked core switch is connected to both firewall.

4401
0 Kudos
3 REPLIES 3
lobstercreed
Valued Contributor

Created on ‎07-31-2020 12:27 AM

Can you not buy a couple of tiny cheap unmanaged switches?  If you're going to do HA you need to do it right which means you're going to need a switch.

 

If you don't want to buy anything, create two VLANs for this purpose on your core switch.  It does consume 6 total ports, but that's what we have done.  VLAN 3333 is ISP1 and has 1 port out to the ISP equipment, 1 port to primary firewall, 1 port to secondary firewall.  Then VLAN 3334 is ISP2 and has 1 port out to the ISP equipment, 1 port to primary firewall, 1 port to secondary firewall.

3247
0 Kudos
akabarasif
New Contributor III
In response to lobstercreed

Created on ‎08-16-2020 12:45 PM

lobstercreed wrote:

Can you not buy a couple of tiny cheap unmanaged switches?  If you're going to do HA you need to do it right which means you're going to need a switch.

 

If you don't want to buy anything, create two VLANs for this purpose on your core switch.  It does consume 6 total ports, but that's what we have done.  VLAN 3333 is ISP1 and has 1 port out to the ISP equipment, 1 port to primary firewall, 1 port to secondary firewall.  Then VLAN 3334 is ISP2 and has 1 port out to the ISP equipment, 1 port to primary firewall, 1 port to secondary firewall.

Hi,

actually we are using same firewall instead of both firewall without HA for a time being. we config the SD-wan with ipsec tunnel but link is not fully utilising. each link has 2 Mbps speed. both side we config sd-wan from HQ-branch and branch-HQ. but i see more packet loss in 1 link. could you please tell me how to solve this issue ?

 

3247
0 Kudos
harmesh88
New Contributor

Created on ‎08-24-2020 03:26 AM

As you mentioned in post that you dont have switch for ISP Connectivity 

 

You should connect both ISP in Primary Firewall and then you can use ISP load sharing Method and use both ISP 

 

Once your primary Firewall will goes down you should manually connect both link to secondary Firewall

 

If you dont want manual fail over and need auto fail over - You should have one L2 switch other wise you can use port from your core switch by making one isolated VLAN .

 

And you can achieve it 

 

Regards,

Harmesh Yadav

CCNP CCSE

 

 

3247
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.