Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- How to setup active-active multi-homed 2 x ISP wit...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to setup active-active multi-homed 2 x ISP with 1 Fortigate
I have Fortigate 2201E and want to setup active-active multi-home setup with 2 x ISP for web/app hosting on servers in the datacenter
I have 10G from each ISP and will like a truly redundant HA setup that is active-active, not primary-failover
I use cloudflare as firewall/proxy/DNS in front of the fortigate for reference and wanted to check what the best route for this setup is
I know most people go for primary/failover like mentioned in this guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-a... by @lcamilo but what i want is active-active setup
Is this a common setup especially when not putting a router in front of fortigate and instead want to connect directly to the ISPs from the fortigate.
What i have heard so far is use SD-WAN feature and get ipv4/ipv6 blocks from each ISP. I will be getting /24 ipv4 and /48 ipv6 from each ISP. And then connect each ISP to an interface and setup dedicated virtual servers, virtual ips etc for each ISP and then setup load balancing on cloudflare
Is this the proper setup without setting up routing table BGP on the fortigate?
I also have my own ARIN /24 ipv4 and /48 ipv6 blocks just incase there is a better setup that may require that
So looking forward to the expert engineers to help guide in the best way to approach this
one of benefit of active-active with 2 x ISP each with 10G DIA uplink is i then get 20G
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
based on further research will be going with using my ips and setting BGP but not managing internet routing tables but instead use the default routes for each ISPs
SD-WAN is more of branch office outbound and internet browsing traffic not for datacenter inbound and web hosting traffic
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to split two ISP circuits with two FGTs (regardless if it's muti-home or not), you can't use HA regardless active-active or active-passive. Only option is to make each FGT as an independent router then connect them with iBGP while ISP neighborings would be eBGP since you're dealing with two different networks/ISPs.
I'm wondering if you're understanding how FGT's a-a HA actually works. If you ask Google AI "Fortigate active-active HA all traffic still needs to come in primary", you'll get below answer.
"Yes, in FortiGate active-active High Availability (HA), the primary unit is responsible for receiving all incoming traffic that is addressed to the cluster's virtual IP addresses. The primary unit then uses load balancing to distribute these sessions to other active units in the cluster, including itself. While subordinate units do process and exit traffic directly to their destinations, the initial entry point for the client-facing traffic is always the primary unit. "
I'm not sure if the "cluster's virtual IP addresses" is an appropriate term, but the main concept isn't wrong. You can find similar conversation somewhere else like Reddit if you search the same.
Toshi
Created on 10-05-2025 12:09 AM Edited on 10-05-2025 12:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Toshi_Esumi not 2 fortigates, 1 fortigate each ISP will be connected to an interface
active-active is on the 2 x ISP connections meaning i will load balance traffic to an endpoint between them via cloudflare
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If both IPs circuits are terminated at each FGT's two ports, meaning a VLAN switch(es) is terminating the circuits and distributing them to both FGTs, nothing is different between one standalone FGT, active-passive HA, and active-active HA. In other words HA setup wouldn't affect the BGP configuration on an FGT, which would be copied over to the secondary FGT via HA sync regardress a-p or a-a.
Toshi
Created on 10-05-2025 04:23 PM Edited on 10-05-2025 04:23 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just said 1 fortigate, where are you reading 2 fortigates?!?
can you please read the post?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally with FGT, "active-active" is a specific type of HA, the opposite is "active-passive". That's why I assumed HA.
But you're talking about two active ISP circuits, please ignore all my comment above. Then, it's just two ISP connections with two eBGP neighborings. If you have your own ASN and own public subnet, yes, you can set multi-home as you would do with any other routers.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But it is said that firewalls are not as powerful for managing BGP internet routing tables as compared to routers like for example Juniper MX204 etc that are dedicated for that task and the stateful nature of firewalls like fortigate will complicate and make them struggle a bit. Its same as trying to do switching on a firewall rather than a switch which is dedicated for switching
Am i wrong with those statements?
Created on 10-06-2025 09:16 AM Edited on 10-06-2025 09:16 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For that question, you need to get an official answer from somebody in FTNT. But I doubt even 220E's memory is large enough to hold full internet routes (1M+ prefixes for IPv4) if you get them from both ISPs. I was assuming you are/would be getting only default route from both ISPs.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well which is why i asked about the SD-WAN approach as i mentioned i dont want to introduce a router in the setup and instead connect directly to the 2 x ISPs from the fortigate
so how can i achieve this with SD-WAN?
Created on 10-06-2025 12:54 PM Edited on 10-06-2025 12:55 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just read some SD-WAN documentations available from FTNT. It's not easy to just "show it how". But if you go to SD-WAN, that would be just two default routes to those two ISPs then basically load-balance based on your rules what traffic goes to which ISP by a separate type of policy routes from original policy routes, which basically can't change dynamically unlike SD-WAN's policy routes.
Toshi
Labels
-
FortiGate
10,789 -
FortiClient
2,206 -
FortiManager
903 -
FortiAnalyzer
688 -
5.2
687 -
5.4
638 -
FortiSwitch
596 -
FortiClient EMS
580 -
FortiAP
568 -
IPsec
443 -
6.0
416 -
SSL-VPN
392 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
149 -
FortiGate-VM
140 -
6.4
128 -
FortiCloud Products
118 -
FortiSIEM
114 -
FortiToken
114 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
SAML
78 -
ZTNA
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
64 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
FortiSandbox
55 -
NAT
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
44 -
FortiDNS
43 -
Logging
42 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
SSL SSH inspection
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSoar
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2699 | |
| 1413 | |
| 810 | |
| 713 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.