Hello,
Can we build two separate clusters with FortiGates and join them with VRRP, so that when the first cluster (primary cluster) goes down, the second cluster (secondary cluster) will come up?
The reason I'm asking this is because we want to extend an existing cluster, but the FortiGates we have are not of the same type as those in the cluster.
Thanks
I don't see a reason for it not to work. It should be the same as setting up VRRP between a FGxx and another single FGyy, as long as VRRP is configurable on the interface (it can't be configured directly on a virtual-switch/switch-interface, if the model supports them).
That should be doable, but beware of ASYMMETRICAL issues within the two different clusters, and VRRP has been problematic in earlier FortiOS versions. I would stray away from VRRP at all cost and be aware of any hosts that don't respond to GARP very well, or at all.
If you truly have 2x two-node clusters,
e.g.
FGT XYZ master1 and slave1 VRRP grp prio 120
FGT LMN master2 and slave2 VRRP grp prio 90
and want to do VRRP between the two, that should be doable (never seen it done though).
Typically you don't mix HA protocols, and I only used VRRP when we needed HA and the two models DID NOT match. But I've never seen anyone try to do VRRP from one cluster to another cluster.
Ken
PCNSE
NSE
StrongSwan
Thanks for the responses. My customer already has a running cluster with 2x FortiGates which are EoS, so we can't add a third member to the cluster. That's why I'm thinking of setting up a second cluster with different FGs and making the two clusters speak VRRP to each other. Can you think of some other way I could do such a thing?
I do.
Instead of building a 3-member HA cluster, apply for the EOL TradeUp program and get 2 new FGTs. Adding members to an HA cluster has limited benefits in regard to throughput. It's good for redundancy, but that's about it.
Besides, when the hardware is EoS the contracts will fade out, too. What then?
I'm afraid this cannot be done, because this is a public sector project and no trade-up is accepted due to bureaucratic constraints...
Ede has the right approach.
1> you are concerned about HA, 2> you are on different models, 3> EoS/EoL blah blah (these are all good points).
Escalate the above to your Purchasing and Director with the business impact as to why you need to refresh. Use the above points and the TOC and impact if the systems are not upgraded. A proper enterprise business should be aware that most systems need to be refreshed every 3-5 years due to many factors.
If you have smart decision makers, they should easily understand the above.
FWIW the FT channel partners can work with you on ANY cost savings and offer any trade-in credit that FTNT has. They only want to sell you hardware and would do what it takes to get a sale ;)
PCNSE
NSE
StrongSwan
Before saying no, do you know how big the discount is in the TradeUp program?
(in Europe, 38% on hardware and bundles, 30% on FortiCare and renewals)
This alone should be a good argument; add the vanishing support in the near future and you have valid points to make, in comparison to buying 2 smaller FGTs now.
Back to your question:
VRRP should work, but as it is uncommon in this scenario it's not extensively documented. You will only benefit from the virtual WAN IP though: no session failover, a longer time to fail over, no config sync. It's so limited you could get away with manually switching on a backup FGT.
If the budget really is faint or nonexistent, then why not live with one cluster for the time it takes to gather a budget? One FGT can die (though it's not very probable), but a whole cluster can survive a long time. I cannot see the urgency to fail-protect the existing installation on the one hand, and the low budget argument on the other.
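Ken's priority example above (120 for the existing cluster, 90 for the new one) and Ede's point that VRRP only moves the virtual IP, written out as a FortiOS CLI sketch. This is an added illustration, not configuration posted by anyone in the thread; the interface name port1, virtual IP 203.0.113.1, VRID 1 and the monitored upstream gateway 203.0.113.254 are assumed placeholder values, and each cluster's own port1 address on that subnet is assumed to be set already.

```fortios
# --- Cluster A (existing FGTs, priority 120 = preferred VRRP master) ---
# Assumed placeholders: port1, 203.0.113.1 (VRIP), 203.0.113.254 (vrdst)
config system interface
    edit "port1"
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 1
                set vrip 203.0.113.1
                set priority 120
                set preempt enable
                # vrdst: if this upstream gateway becomes unreachable,
                # cluster A steps down and cluster B takes the VRIP
                set vrdst 203.0.113.254
            next
        end
    next
end

# --- Cluster B (newer, different model, priority 90 = backup) ---
config system interface
    edit "port1"
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 1
                set vrip 203.0.113.1
                set priority 90
                set preempt enable
                set vrdst 203.0.113.254
            next
        end
    next
end
```

Only the virtual IP and its MAC move between the two clusters; as Ede notes, existing sessions, HA config sync and FortiGate-to-FortiGate health checks do not follow, so test the takeover time with real traffic before relying on it.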
I have worked with several local, state, and federal agencies that were more than OK with doing a trade-up once we mentioned the advantages it provided.
Mike Pruett
Copyright 2024 Fortinet, Inc. All Rights Reserved.