Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- How to setup active-active multi-homed 2 x ISP wit...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to setup active-active multi-homed 2 x ISP with 1 Fortigate
I have Fortigate 2201E and want to setup active-active multi-home setup with 2 x ISP for web/app hosting on servers in the datacenter
I have 10G from each ISP and will like a truly redundant HA setup that is active-active, not primary-failover
I use cloudflare as firewall/proxy/DNS in front of the fortigate for reference and wanted to check what the best route for this setup is
I know most people go for primary/failover like mentioned in this guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-a... by @lcamilo but what i want is active-active setup
Is this a common setup especially when not putting a router in front of fortigate and instead want to connect directly to the ISPs from the fortigate.
What i have heard so far is use SD-WAN feature and get ipv4/ipv6 blocks from each ISP. I will be getting /24 ipv4 and /48 ipv6 from each ISP. And then connect each ISP to an interface and setup dedicated virtual servers, virtual ips etc for each ISP and then setup load balancing on cloudflare
Is this the proper setup without setting up routing table BGP on the fortigate?
I also have my own ARIN /24 ipv4 and /48 ipv6 blocks just incase there is a better setup that may require that
So looking forward to the expert engineers to help guide in the best way to approach this
one of benefit of active-active with 2 x ISP each with 10G DIA uplink is i then get 20G
Labels:
- Labels:
-
FortiGate
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to split two ISP circuits with two FGTs (regardless if it's muti-home or not), you can't use HA regardless active-active or active-passive. Only option is to make each FGT as an independent router then connect them with iBGP while ISP neighborings would be eBGP since you're dealing with two different networks/ISPs.
I'm wondering if you're understanding how FGT's a-a HA actually works. If you ask Google AI "Fortigate active-active HA all traffic still needs to come in primary", you'll get below answer.
"Yes, in FortiGate active-active High Availability (HA), the primary unit is responsible for receiving all incoming traffic that is addressed to the cluster's virtual IP addresses. The primary unit then uses load balancing to distribute these sessions to other active units in the cluster, including itself. While subordinate units do process and exit traffic directly to their destinations, the initial entry point for the client-facing traffic is always the primary unit. "
I'm not sure if the "cluster's virtual IP addresses" is an appropriate term, but the main concept isn't wrong. You can find similar conversation somewhere else like Reddit if you search the same.
Toshi
Created on 10-05-2025 12:09 AM Edited on 10-05-2025 12:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Toshi_Esumi not 2 fortigates, 1 fortigate each ISP will be connected to an interface
active-active is on the 2 x ISP connections meaning i will load balance traffic to an endpoint between them via cloudflare
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If both IPs circuits are terminated at each FGT's two ports, meaning a VLAN switch(es) is terminating the circuits and distributing them to both FGTs, nothing is different between one standalone FGT, active-passive HA, and active-active HA. In other words HA setup wouldn't affect the BGP configuration on an FGT, which would be copied over to the secondary FGT via HA sync regardress a-p or a-a.
Toshi
Created on 10-05-2025 04:23 PM Edited on 10-05-2025 04:23 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just said 1 fortigate, where are you reading 2 fortigates?!?
can you please read the post?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally with FGT, "active-active" is a specific type of HA, the opposite is "active-passive". That's why I assumed HA.
But you're talking about two active ISP circuits, please ignore all my comment above. Then, it's just two ISP connections with two eBGP neighborings. If you have your own ASN and own public subnet, yes, you can set multi-home as you would do with any other routers.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But it is said that firewalls are not as powerful for managing BGP internet routing tables as compared to routers like for example Juniper MX204 etc that are dedicated for that task and the stateful nature of firewalls like fortigate will complicate and make them struggle a bit. Its same as trying to do switching on a firewall rather than a switch which is dedicated for switching
Am i wrong with those statements?
Created on 10-06-2025 09:16 AM Edited on 10-06-2025 09:16 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For that question, you need to get an official answer from somebody in FTNT. But I doubt even 220E's memory is large enough to hold full internet routes (1M+ prefixes for IPv4) if you get them from both ISPs. I was assuming you are/would be getting only default route from both ISPs.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well which is why i asked about the SD-WAN approach as i mentioned i dont want to introduce a router in the setup and instead connect directly to the 2 x ISPs from the fortigate
so how can i achieve this with SD-WAN?
Created on 10-06-2025 12:54 PM Edited on 10-06-2025 12:55 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just read some SD-WAN documentations available from FTNT. It's not easy to just "show it how". But if you go to SD-WAN, that would be just two default routes to those two ISPs then basically load-balance based on your rules what traffic goes to which ISP by a separate type of policy routes from original policy routes, which basically can't change dynamically unlike SD-WAN's policy routes.
Toshi
Labels
-
FortiGate
10,673 -
FortiClient
2,175 -
FortiManager
896 -
5.2
687 -
FortiAnalyzer
683 -
5.4
638 -
FortiSwitch
591 -
FortiClient EMS
571 -
FortiAP
563 -
IPsec
424 -
6.0
416 -
SSL-VPN
386 -
FortiMail
374 -
5.6
362 -
FortiNAC
288 -
FortiWeb
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
198 -
FortiAuthenticator
180 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiToken
114 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
87 -
FortiProxy
78 -
ZTNA
77 -
Routing
75 -
SAML
74 -
Fortivoice
73 -
VLAN
73 -
DNS
72 -
FortiEDR
70 -
BGP
70 -
Authentication
69 -
FortiADC
68 -
Certificate
66 -
RADIUS
62 -
LDAP
61 -
FortiLink
57 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
49 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
28 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
Fortigate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web rating
19 -
FortiSoar
18 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
FortiGate v5.0
15 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2624 | |
| 1393 | |
| 804 | |
| 670 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.