decyphervlan
New Contributor

How to set up active-active multi-homed 2 x ISP with 1 FortiGate

I have a FortiGate 2201E and want to set up an active-active multi-homed setup with 2 x ISPs for web/app hosting on servers in the datacenter.

I have 10G from each ISP and would like a truly redundant HA setup that is active-active, not primary/failover.

For reference, I use Cloudflare as firewall/proxy/DNS in front of the FortiGate, and wanted to check what the best route for this setup is.

I know most people go for primary/failover as mentioned in this guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-a... by @lcamilo, but what I want is an active-active setup.

Is this a common setup, especially when not putting a router in front of the FortiGate and instead connecting directly to the ISPs from the FortiGate?

What I have heard so far is to use the SD-WAN feature and get IPv4/IPv6 blocks from each ISP. I will be getting a /24 IPv4 and a /48 IPv6 block from each ISP. Then connect each ISP to an interface, set up dedicated virtual servers, virtual IPs etc. for each ISP, and then set up load balancing on Cloudflare.

Is this the proper setup without setting up a BGP routing table on the FortiGate?

I also have my own ARIN /24 IPv4 and /48 IPv6 blocks, just in case there is a better setup that may require that.

So I'm looking forward to the expert engineers helping guide me on the best way to approach this.

One benefit of active-active with 2 x ISPs, each with a 10G DIA uplink, is that I then get 20G.

Toshi_Esumi
SuperUser

If you want to split two ISP circuits across two FGTs (regardless of whether it's multi-homed or not), you can't use HA, regardless of active-active or active-passive. The only option is to make each FGT an independent router, then connect them with iBGP, while the ISP neighborings would be eBGP since you're dealing with two different networks/ISPs.

I'm wondering if you understand how FGT's a-a HA actually works. If you ask Google AI "Fortigate active-active HA all traffic still needs to come in primary", you'll get the answer below.

"Yes, in FortiGate active-active High Availability (HA), the primary unit is responsible for receiving all incoming traffic that is addressed to the cluster's virtual IP addresses. The primary unit then uses load balancing to distribute these sessions to other active units in the cluster, including itself. While subordinate units do process and exit traffic directly to their destinations, the initial entry point for the client-facing traffic is always the primary unit."

I'm not sure if "cluster's virtual IP addresses" is an appropriate term, but the main concept isn't wrong. You can find similar conversations elsewhere, like Reddit, if you search for the same.

Toshi

decyphervlan

@Toshi_Esumi not 2 FortiGates, 1 FortiGate; each ISP will be connected to an interface.

Active-active is on the 2 x ISP connections, meaning I will load balance traffic to an endpoint between them via Cloudflare.


Toshi_Esumi

If both ISP circuits are terminated at each FGT's two ports, meaning a VLAN switch (or switches) is terminating the circuits and distributing them to both FGTs, nothing is different between one standalone FGT, active-passive HA, and active-active HA. In other words, the HA setup wouldn't affect the BGP configuration on an FGT, which would be copied over to the secondary FGT via HA sync regardless of a-p or a-a.

Toshi

decyphervlan

I just said 1 FortiGate; where are you reading 2 FortiGates?!?
Can you please read the post?

Toshi_Esumi

Generally with FGT, "active-active" is a specific type of HA, the opposite is "active-passive". That's why I assumed HA.
But you're talking about two active ISP circuits, so please ignore all my comments above. Then it's just two ISP connections with two eBGP neighborings. If you have your own ASN and your own public subnet, yes, you can set up multi-homing as you would do with any other router.

Toshi

decyphervlan

But it is said that firewalls are not as powerful at managing BGP internet routing tables as routers like, for example, the Juniper MX204 etc. that are dedicated to that task, and that the stateful nature of firewalls like FortiGate will complicate things and make them struggle a bit. It's the same as trying to do switching on a firewall rather than on a switch, which is dedicated to switching.

Am I wrong with those statements?

Toshi_Esumi

For that question, you need to get an official answer from somebody at FTNT. But I doubt even the 220E's memory is large enough to hold the full internet routing table (1M+ prefixes for IPv4) if you get it from both ISPs. I was assuming you are/would be getting only a default route from both ISPs.


Toshi

decyphervlan

Well, which is why I asked about the SD-WAN approach; as I mentioned, I don't want to introduce a router into the setup and instead want to connect directly to the 2 x ISPs from the FortiGate.

So how can I achieve this with SD-WAN?

Toshi_Esumi

Just read some of the SD-WAN documentation available from FTNT. It's not easy to just "show how". But if you go with SD-WAN, that would be just two default routes to those two ISPs, then basically load-balancing, based on your rules, what traffic goes to which ISP by a separate type of policy route from the original policy routes, which basically can't change dynamically, unlike SD-WAN's policy routes.

Toshi
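As an added illustration of the "two default routes plus SD-WAN rules" approach Toshi describes, here is a minimal FortiOS 7.x SD-WAN configuration written for this thread (it is not from the original posts or from Fortinet's documentation): two ISP members in one zone, a shared health check, a load-balance rule for outbound traffic, and a single static default route over the zone. The interface names port1/port2, the RFC 5737 gateway addresses and the probe target are assumptions; verify the exact syntax against the firmware in use.

```fortios
# Added example: dual-ISP SD-WAN on FortiOS 7.x (assumed names and addresses)
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"          # ISP A handoff (assumed interface name)
            set zone "virtual-wan-link"
            set gateway 203.0.113.1        # ISP A gateway (RFC 5737 placeholder)
        next
        edit 2
            set interface "port2"          # ISP B handoff (assumed interface name)
            set zone "virtual-wan-link"
            set gateway 198.51.100.1       # ISP B gateway (RFC 5737 placeholder)
        next
    end
    config health-check
        edit "isp-probe"
            set server "203.0.113.53"      # placeholder target reachable via both ISPs
            set protocol ping
            set members 1 2                # a member that fails the probe is taken out of rotation
        next
    end
    config service
        edit 1
            set name "outbound-balance"
            set mode load-balance          # new sessions are spread across both live members
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
    end
end
# One default route over the zone covers both members, so no per-ISP static route is needed
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
```

This only steers traffic leaving the FortiGate; inbound traffic to the per-ISP VIPs mentioned earlier in the thread still arrives on whichever ISP address Cloudflare chose.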
