I have a FortiGate 2201E and want to set up an active-active multi-homed setup with 2 x ISPs for web/app hosting on servers in the datacenter.
I have 10G from each ISP and would like a truly redundant HA setup that is active-active, not primary/failover.
I use Cloudflare as firewall/proxy/DNS in front of the FortiGate, for reference, and wanted to check what the best route for this setup is.
I know most people go for primary/failover like mentioned in this guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-a... by @lcamilo, but what I want is an active-active setup.
Is this a common setup, especially when not putting a router in front of the FortiGate and instead connecting directly to the ISPs from the FortiGate?
What I have heard so far is to use the SD-WAN feature and get IPv4/IPv6 blocks from each ISP. I will be getting a /24 IPv4 and a /48 IPv6 from each ISP. Then connect each ISP to an interface, set up dedicated virtual servers, virtual IPs etc. for each ISP, and then set up load balancing on Cloudflare.
Is this the proper setup without setting up a BGP routing table on the FortiGate?
I also have my own ARIN /24 IPv4 and /48 IPv6 blocks, just in case there is a better setup that may require them.
So I'm looking forward to the expert engineers helping guide the best way to approach this.
One benefit of active-active with 2 x ISPs, each with a 10G DIA uplink, is that I then get 20G.
If you want to split two ISP circuits across two FGTs (regardless of whether it's multi-home or not), you can't use HA, regardless of active-active or active-passive. The only option is to make each FGT an independent router, then connect them with iBGP, while the ISP neighborings would be eBGP since you're dealing with two different networks/ISPs.
I'm wondering if you understand how FGT's a-a HA actually works. If you ask Google AI "FortiGate active-active HA all traffic still needs to come in primary", you'll get the answer below.
"Yes, in FortiGate active-active High Availability (HA), the primary unit is responsible for receiving all incoming traffic that is addressed to the cluster's virtual IP addresses. The primary unit then uses load balancing to distribute these sessions to other active units in the cluster, including itself. While subordinate units do process and exit traffic directly to their destinations, the initial entry point for the client-facing traffic is always the primary unit."
I'm not sure if "cluster's virtual IP addresses" is an appropriate term, but the main concept isn't wrong. You can find similar conversations elsewhere, like Reddit, if you search for the same.
Toshi
Created on 10-05-2025 12:09 AM Edited on 10-05-2025 12:10 AM
@Toshi_Esumi Not 2 FortiGates, 1 FortiGate; each ISP will be connected to an interface.
Active-active is on the 2 x ISP connections, meaning I will load balance traffic to an endpoint between them via Cloudflare.
If both ISP circuits are terminated at each FGT's two ports, meaning a VLAN switch (or switches) is terminating the circuits and distributing them to both FGTs, nothing is different between one standalone FGT, active-passive HA, and active-active HA. In other words, the HA setup wouldn't affect the BGP configuration on an FGT, which would be copied over to the secondary FGT via HA sync regardless of a-p or a-a.
Toshi
Created on 10-05-2025 04:23 PM Edited on 10-05-2025 04:23 PM
I just said 1 FortiGate, where are you reading 2 FortiGates?!?
Can you please read the post?
Generally with FGT, "active-active" is a specific type of HA; the opposite is "active-passive". That's why I assumed HA.
But you're talking about two active ISP circuits, so please ignore all my comments above. Then it's just two ISP connections with two eBGP neighborings. If you have your own ASN and your own public subnet, yes, you can set up multi-homing as you would with any other router.
Toshi
But it is said that firewalls are not as powerful for managing BGP internet routing tables as routers like, for example, the Juniper MX204 etc. that are dedicated to that task, and the stateful nature of firewalls like FortiGate will complicate things and make them struggle a bit. It's the same as trying to do switching on a firewall rather than on a switch, which is dedicated to switching.
Am I wrong with those statements?
Created on 10-06-2025 09:16 AM Edited on 10-06-2025 09:16 AM
For that question, you need to get an official answer from somebody in FTNT. But I doubt even the 220E's memory is large enough to hold full internet routes (1M+ prefixes for IPv4) if you get them from both ISPs. I was assuming you are/would be getting only a default route from both ISPs.
Toshi
Well, which is why I asked about the SD-WAN approach, as I mentioned I don't want to introduce a router into the setup and instead want to connect directly to the 2 x ISPs from the FortiGate.
So how can I achieve this with SD-WAN?
Created on 10-06-2025 12:54 PM Edited on 10-06-2025 12:55 PM
Just read some of the SD-WAN documentation available from FTNT. It's not easy to just "show how". But if you go with SD-WAN, that would be just two default routes to those two ISPs, then basically load-balance, based on your rules, which traffic goes to which ISP via a separate type of policy route from the original policy routes, which basically can't change dynamically unlike SD-WAN's policy routes.
Toshi
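To make the "two default routes plus SD-WAN load-balancing" approach from the reply above concrete, here is an added configuration sketch. It is not from this thread, from Fortinet's documentation, or from the original poster's FortiGate; it is written from memory of FortiOS 7.x CLI syntax and should be checked against the release notes for the firmware actually in use. Interface names (port1/port2 for the two ISP uplinks, port10 for the server VLAN), the SD-WAN zone name, the gateway and public addresses (RFC 5737 documentation ranges) and the internal server address are all placeholders. It also shows the per-ISP VIPs mentioned in the original post, so that Cloudflare can be given one origin address from each ISP's block.

```fortios
# Added example, hypothetical FortiOS 7.x syntax; all addresses and names are placeholders.
# Two ISP uplinks become SD-WAN members of one zone; a single default route points at the
# zone, so the routing table effectively holds one default route per live member.
config system sdwan
    set status enable
    # Implicit rule for traffic not matched by a service rule below: hash on source IP,
    # so one host's flows stick to one ISP (stateful sessions stay symmetric).
    set load-balance-mode source-ip-based
    config zone
        edit "wan-zone"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "wan-zone"
            set gateway 203.0.113.1        # ISP 1 gateway (placeholder)
        next
        edit 2
            set interface "port2"
            set zone "wan-zone"
            set gateway 198.51.100.1       # ISP 2 gateway (placeholder)
        next
    end
    # Health check: a member that fails the probe is withdrawn from the
    # zone's default route (update-static-route is on by default).
    config health-check
        edit "isp-probe"
            set server "1.1.1.1"           # probe target; pick one reachable via both ISPs
            set protocol ping
            set members 1 2
        next
    end
    # Server-initiated outbound traffic: spread across both members.
    config service
        edit 1
            set name "outbound-balance"
            set mode load-balance
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
    end
end

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "wan-zone"          # one default route covering both members
    next
end

# Inbound: one VIP per ISP block, both mapped to the same origin server. Cloudflare then
# load-balances between 203.0.113.10 and 198.51.100.10; if one ISP is down, Cloudflare's
# health checks on the origin pool stop sending to that address.
config firewall vip
    edit "web-via-isp1"
        set extip 203.0.113.10
        set extintf "port1"
        set mappedip "10.10.10.10"         # origin server on port10 (placeholder)
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "web-via-isp2"
        set extip 198.51.100.10
        set extintf "port2"
        set mappedip "10.10.10.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 10
        set name "inbound-web"
        set srcintf "wan-zone"
        set dstintf "port10"
        # Narrow srcaddr to an address group of Cloudflare's published proxy ranges so
        # the origin cannot be reached by bypassing the proxy; "all" is shown only for brevity.
        set srcaddr "all"
        set dstaddr "web-via-isp1" "web-via-isp2"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 11
        set name "outbound-servers"
        set srcintf "port10"
        set dstintf "wan-zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                     # SNAT to the egress member's address
    next
end
```

The design point this illustrates is the one Toshi made: without BGP there is no multi-homing of a single prefix, so each ISP's block is only reachable through that ISP, and "active-active" is achieved by Cloudflare balancing across one origin IP per ISP while SD-WAN balances the servers' own outbound traffic. The same sketch can be mirrored for the /48 IPv6 blocks with IPv6 VIPs and an IPv6 default route to the zone.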