Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
techdsmart
New Contributor

Its possible to Run two FGT VMs concurrently?

Hi All,


To give some context, i am having challenges running the two FGTs in HA due to WAN IP limitation with my cloud provider (I intended to run the two FGTs in 2 different datacenters to set up HA but my CSP requires i move the WAN IP manually between the DCs during HA failover which results to a downtime of close to 5 minutes or more which beats the logic of having the FGTs in HA).


My main goal is to at least have two firewalls with different  WAN IPs running on different DCs both serving as gateways for the same resources/vms and then set-up 2 ssl vpn gateways which i will deploy to users' FortiClient such that whenever one FGT is down, they can connect to the secondary VPN gw and continue accessing internal resources.


I know this is not an ideal set-up but i just want a failover mechanism at least for ssl vpns. I don't care much about about IPSec vpns and I am willing to manually update the configurations?


 


Do you think this is possible to achieve? I would appreciate your inputs on this. 


 


FYI, i am running the VMs in ESXi servers.

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
srajeswaran
Staff
Staff

I think FGSP clustering instead of the FGCP clustering may be the ideal solution for you.


FortiGate Session Life Support Protocol (FGSP) distributes sessions between two entities, which could be standalone FortiGates or an FGCP cluster, and performs session synchronization. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating. This failover occurs without any loss of data. Also, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating. FortiGates in both entities must be the same model and must be running the same firmware.
ref: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/796662/fgsp-fortigate-session...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Yurisk
SuperUser
SuperUser

Hi, have a look at using 2/multiple gateway IPs in Forticlient configuration - https://community.fortinet.com/t5/FortiClient/Technical-Tip-Multiple-gateway-IP-for-FortiClient/ta-p...  

 

Also, you may consider using FQDN for gateway names to be used in FC, then have external script/system to update A record in DNS server of this FQDN if the current FGT/IP goes down.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
stevediaz
New Contributor

Hello

it is possible to run two FortiGate (FGT) virtual machines (VMs) concurrently in an environment such as ESXi servers. This setup can provide redundancy and failover capabilities for your SSL VPN gateways.

Labels
Top Kudoed Authors