Created on 07-13-2023 07:34 AM, edited on 07-13-2023 07:48 AM by Jean-Philippe_P
Hi All,
To give some context, I am having challenges running the two FGTs in HA due to a WAN IP limitation with my cloud provider (I intended to run the two FGTs in 2 different datacenters to set up HA, but my CSP requires that I move the WAN IP manually between the DCs during HA failover, which results in a downtime of close to 5 minutes or more, which beats the logic of having the FGTs in HA).
My main goal is to at least have two firewalls with different WAN IPs running on different DCs, both serving as gateways for the same resources/VMs, and then set up 2 SSL VPN gateways which I will deploy to users' FortiClient such that whenever one FGT is down, they can connect to the secondary VPN gateway and continue accessing internal resources.
I know this is not an ideal set-up, but I just want a failover mechanism at least for SSL VPNs. I don't care much about IPsec VPNs and I am willing to manually update the configurations.
Do you think this is possible to achieve? I would appreciate your inputs on this.
FYI, I am running the VMs on ESXi servers.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
I think FGSP clustering instead of the FGCP clustering may be the ideal solution for you.
FortiGate Session Life Support Protocol (FGSP) distributes sessions between two entities, which could be standalone FortiGates or an FGCP cluster, and performs session synchronization. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating. This failover occurs without any loss of data. Also, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating. FortiGates in both entities must be the same model and must be running the same firmware.
ref: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/796662/fgsp-fortigate-session...
Hi, have a look at using 2/multiple gateway IPs in the FortiClient configuration - https://community.fortinet.com/t5/FortiClient/Technical-Tip-Multiple-gateway-IP-for-FortiClient/ta-p...
Also, you may consider using an FQDN for the gateway name used in FC, then have an external script/system update the A record of this FQDN in the DNS server if the current FGT/IP goes down.
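The FQDN approach above needs a health-check-driven DNS update. This is an added example, not code from the thread or from Fortinet: it probes each gateway's SSL VPN TCP port, requires several consecutive failures before it moves the record (to avoid flapping on a single lost probe), stays on the current gateway while it answers (so users are not reconnected needlessly), and leaves the record alone if every gateway looks down. The addresses, port and `dns_update_request` payload are constructed placeholders; real DNS providers each have their own API call.

```python
"""Health-check driven DNS failover for two SSL VPN gateways (added example)."""
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    ip: str
    port: int = 443  # assumed SSL VPN listening port; match your FGT setting


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


Probe = Callable[[str, int], bool]


def evaluate(gateways: List[Gateway], failures: Dict[str, int], current_ip: str,
             probe: Probe = tcp_probe, threshold: int = 3) -> Optional[str]:
    """Probe every gateway once and update the consecutive-failure counters
    in `failures`. Return the IP the A record should point to if it must
    change, or None if the record should stay as it is."""
    for gw in gateways:
        if probe(gw.ip, gw.port):
            failures[gw.ip] = 0
        else:
            failures[gw.ip] = failures.get(gw.ip, 0) + 1
    down = {ip for ip, n in failures.items() if n >= threshold}
    if current_ip not in down:
        return None  # sticky: do not move users while the current gateway answers
    for gw in gateways:  # priority order as listed
        if gw.ip not in down:
            return gw.ip
    return None  # every gateway looks down: leave the record alone


def dns_update_request(fqdn: str, ip: str, ttl: int = 60) -> dict:
    """Provider-neutral description of the A-record change (hypothetical
    shape; replace with your DNS provider's API call). A short TTL keeps
    FortiClient from caching the old address for long."""
    return {"name": fqdn, "type": "A", "ttl": ttl, "content": ip}


def run(gateways: List[Gateway], fqdn: str, apply_update: Callable[[dict], None],
        interval: float = 10.0, threshold: int = 3, probe: Probe = tcp_probe) -> None:
    """Poll forever; assumes the record initially points at the first gateway."""
    failures: Dict[str, int] = {}
    current_ip = gateways[0].ip
    while True:
        target = evaluate(gateways, failures, current_ip, probe, threshold)
        if target is not None:
            apply_update(dns_update_request(fqdn, target))
            current_ip = target
        time.sleep(interval)


if __name__ == "__main__":
    # Constructed sample gateways (documentation addresses, not a real deployment).
    gws = [Gateway("fgt-dc1", "192.0.2.10"), Gateway("fgt-dc2", "198.51.100.10")]
    run(gws, "vpn.example.com", apply_update=print)
```

Run this from a host that is not itself behind either FortiGate, and alert on every update it makes: a change of the A record is also the signal that one datacenter's gateway has stopped answering.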
Hello,
It is possible to run two FortiGate (FGT) virtual machines (VMs) concurrently in an environment such as ESXi servers. This setup can provide redundancy and failover capabilities for your SSL VPN gateways.