Hello, I should deploy 2 x Fortigate 3000D in HA located in one site each, so that the HA links cannot be direct crossover cables, but regular ethernet cables connected to a LAN infrastructure interconnecting both sites at L2.
All my FG 3000D interfaces are 10-gigabit, so that I should use 2x 10-Gigabit interfaces for the HA connection between both, resulting in a theoretical 20Gbps connection.
My problem is that I’ve been policed with up to 2 Gbps in this LAN as per bandwidth constraints of the links between both sites.
So my question is whether I can police the HA bandwidth consumption in the Fortigate by any means (I have not found any feature to do it), or the best thing I could do is to replace two 10-gigabit SFP+ transceivers by 1-Gigabit SFPs for HA?
hi,
I don't think there is any means to traffic shape the HA links. Besides, HA traffic uses a non-standard ethertype - you should check that the equipment in-between can handle that. Cisco Nexus can't - they use the same ethertype internally and this will collide. The ethertype can be changed on the FGT side (CLI).
Your best bet would be to use 1 G SFP. Datasheet says they are supported. You will probably use the LX type.
Back in the day I had two 1000As in HA mode with a single 1Gb connection. The traffic over that link was inconsequential, even during peak traffic times. 10 Gb is WAY overkill for those links, in my opinion.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thank you for your inputs.
I think I'll try to replace two 10-G SFP+ transceivers at each Fortigate unit by 1-G copper SFPs. I'll also try to find if my network can cope with the Fortigate ethertypes.
You can find the ethertypes in your config:
config system ha
show full
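
The check suggested in this thread (read the HA ethertypes from `config system ha`, then confirm the L2 path between the sites passes them), as an added Python example that is not part of any poster's reply. The `*-eth-type` setting names and values in the sample output are assumed FortiOS defaults and the frames are constructed; substitute your own `show full` output and frames captured on the peer site's heartbeat port.

```python
import re
import struct

# Constructed sample of `config system ha` + `show full` output. The three
# *-eth-type settings and values are assumed FortiOS defaults, not from the thread.
SAMPLE_HA_CONFIG = """\
config system ha
    set group-id 0
    set mode a-p
    set hbdev "port1" 50 "port2" 50
    set ha-eth-type 8890
    set hc-eth-type 8891
    set l2ep-eth-type 8893
end
"""

VLAN_TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad tags on an inter-site trunk


def ha_ethertypes(show_output):
    """Map each '*-eth-type' setting to its ethertype (config values are hex)."""
    pairs = re.findall(r"^\s*set\s+(\S+-eth-type)\s+([0-9A-Fa-f]{4})\s*$",
                       show_output, re.MULTILINE)
    return {name: int(value, 16) for name, value in pairs}


def frame_ethertype(frame):
    """Return the ethertype of a raw Ethernet frame, skipping any VLAN tags."""
    offset = 12  # after destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4  # skip TPID + TCI


def missing_on_far_side(show_output, frames):
    """HA settings whose ethertype never appears in frames captured at the peer."""
    seen = {frame_ethertype(f) for f in frames}
    wanted = ha_ethertypes(show_output)
    return sorted(name for name, etype in wanted.items() if etype not in seen)


def make_frame(etype, vlan=None):
    """Build a constructed test frame (dummy MACs, zero payload)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + b"\x02" * 6 + tag + struct.pack("!H", etype) + b"\x00" * 46
```

Any setting returned by `missing_on_far_side` names an ethertype the intermediate switches are not forwarding, which is the case to resolve before relying on the HA links.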