Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
duahimanshu
New Contributor II

Created on ‎10-11-2024 07:53 AM Edited on ‎10-11-2024 07:54 AM

Inquiry on Failover Design Between Multiple Sites

Hello Expert,

I have a design question regarding our current network setup, and I’m hoping you can help clarify a few points. While this design may seem a bit unconventional, we are limited to using the switches already implemented in our design. I would like to know if what I’m proposing is feasible, and if so, how we can achieve it.

Current Setup Overview:

  1. Site 1:

    • Two FortiGate hardware devices configured in High Availability.
    • The setup is functioning correctly.

  2. Site 2 (DMZ):

    • Two virtual FortiGate devices configured in HA.
    • This setup is also functioning correctly.

  3. Site 3 (LAN):

    • Two virtual FortiGate devices configured in HA.
    • Their HA synchronization is working fine.

Connection Between Sites:

  • Site 1’s primary and backup firewalls are directly connected to Site 2’s primary and backup devices.
  • Site 2’s primary and backup devices are connected to Site 3’s primary and backup devices.

Key Question:

  • If the primary firewall at Site 1 goes down, I can configure link monitoring to trigger a failover to Site 2’s primary firewall. However, I am concerned about how Site 3 will be notified of this change.
    • Specifically, if Site 2’s backup device becomes primary and starts sending traffic to Site 3’s backup device, will Site 3 recognize this failover?
    • How Fotigate Backup device behave if it receive the traffic will it dicard?

I have attached a design diagram for your reference to help illustrate my question.

 

 

 HA.png

321
0 Kudos
3 REPLIES 3
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-11-2024 09:36 AM

Ideally those two switches at each site are stacked, or just one switch, so that you don't have to do link-monitor to detect HA status change on the other site. But I assume it's not possible.

- Site 3's FGTs need to have the same link-monitor to detect changes at Site 2.
- Secondary/backup FGT doesn't process/pass L3 packets other than "dedicated-to management" interfaces.

Toshi

292
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-11-2024 10:52 AM Edited on ‎10-11-2024 10:53 AM

In other words, with your current set up, each site or each HA cluster can't change a-p roles independently. When one of them changes, the other have to change at the same time.
This means, you have to set up the link monitor at Site1 cluster when Site2 swap, and Site2 needs to detect Site3's change as well.
Not efficient design.

Toshi

270
0 Kudos
duahimanshu
New Contributor II
In response to Toshi_Esumi

Created on ‎10-11-2024 11:03 AM

thanks Toshi for your reply,

i would like to mention that those switch can not be stacked and those are layer 3 switches.

 

To clarify, with this design, I need to set up the link monitoring on Site 2 for both Site 1 and Site 3, as well as on Site 3 for Site 2, correct?

 

Additionally, lets take another scenario if I configure the interfaces on Site 3 that connect to Site 2 as routed ports and set up a trunk port between the primary and secondary switches at Site 2, would I still need to configure link monitoring on Site 3? In this scenario, if Site 1 goes down, the backup device at Site 2 would route traffic to Site 3 via the trunk port. What are your thoughts on this approach? 

HA.png

 

is there any other way i could achieve which is better way? 

264
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.