I have two FortiGate 60s with all interfaces connected to the same Cisco switch. It works fine in standalone mode, but when I start the HA cluster I have some problems because of the virtual MAC of the cluster. All of the interfaces get the same MAC and it creates a conflict with the switch's MAC address table. I tried to make a static MAC address but it didn't work. Has someone had the same or a similar problem? Thanks.
You need to have the heartbeats on a switch or a hub. Crossover is not advised. The reason is that if one of the FGT units dies, the other will lose link and become confused. You may lose everything. In a pinch, you could use a hub/switch for your primary heartbeat network and a crossover for the secondary, but I wouldn't go just crossover.
I did a redundant switch setup in November. It was pretty difficult. I don't have the configs handy, but they were Cisco 2950 series switches. I had a separate switch for each heartbeat network. There were other architecture issues and guidelines, because it was dictating more than just a pair of Fortigate 200A's.
Hope this helps.
So if the units are running in A-P mode, rather than A-A, do they do something different with the virtual MACs?
I'm trying to get an HA pair installed in different buildings where the amount of fibre between them is limited: the fewer links I can use the better. Because of the shared virtual MAC, I'm already looking at one extra fibre for the outside, one for the heartbeat, one for the DMZ and an existing one for the inside.
If I can use VLANs for the outside, DMZ and heartbeat interfaces and pop them all in one switch, then I've reduced the number of fibre pairs required from 3 to 1 - much better!
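The first post reports the shared virtual MAC colliding in the switch's MAC table, and the post above proposes separating the interfaces into VLANs on one switch. The check below, added here as an example and not code from any poster or from Fortinet or Cisco, parses two constructed Cisco IOS "show mac address-table" snapshots and tells the two situations apart: the same MAC learned on more than one port inside a single VLAN is a real conflict (the switch keeps overwriting the entry and forwards to whichever port it learned last), while the same MAC in several VLANs is harmless because the forwarding table is keyed per VLAN. The MAC `0200.0000.0001` and the port names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: two "show mac address-table" snapshots taken a few seconds
# apart on the same Cisco switch (not captured from any poster's setup). The MAC
# 0200.0000.0001 is a locally administered placeholder standing in for the
# shared HA virtual MAC; VLANs 10/20/30 stand in for inside/DMZ/outside.
SNAPSHOT_1 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi0/1
  20    0200.0000.0001    DYNAMIC     Gi0/3
  30    0200.0000.0001    DYNAMIC     Gi0/5
  10    001b.2c3d.4e5f    DYNAMIC     Gi0/10
"""
SNAPSHOT_2 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi0/2
  20    0200.0000.0001    DYNAMIC     Gi0/3
  30    0200.0000.0001    DYNAMIC     Gi0/5
  10    001b.2c3d.4e5f    DYNAMIC     Gi0/10
"""

# One table row: vlan, dotted-hex MAC, entry type, port. Header and rule lines
# do not start with a number, so they are skipped.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples from IOS-style MAC table output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("vlan")), m.group("mac").lower(), m.group("port")))
    return entries


def ports_by_vlan_mac(snapshots):
    """Merge several snapshots into {(vlan, mac): set(ports)}."""
    seen = defaultdict(set)
    for snap in snapshots:
        for vlan, mac, port in parse_mac_table(snap):
            seen[(vlan, mac)].add(port)
    return seen


def find_conflicts(snapshots):
    """A MAC seen on more than one port within the same VLAN across the
    snapshots is a genuine clash: the table entry flaps between those ports.
    Returns {(vlan, mac): sorted list of ports}."""
    return {
        key: sorted(ports)
        for key, ports in ports_by_vlan_mac(snapshots).items()
        if len(ports) > 1
    }


def vlans_per_mac(snapshots):
    """Which VLANs each MAC appears in. The same MAC in several VLANs is not a
    conflict, since learning is per VLAN; this is what the one-switch-many-VLANs
    design relies on. Returns {mac: sorted list of VLAN ids}."""
    vlans = defaultdict(set)
    for (vlan, mac) in ports_by_vlan_mac(snapshots):
        vlans[mac].add(vlan)
    return {mac: sorted(v) for mac, v in vlans.items()}


if __name__ == "__main__":
    snaps = [SNAPSHOT_1, SNAPSHOT_2]
    for (vlan, mac), ports in find_conflicts(snaps).items():
        print(f"CONFLICT vlan {vlan}: {mac} flaps between {', '.join(ports)}")
    for mac, vlans in vlans_per_mac(snaps).items():
        if len(vlans) > 1:
            print(f"ok: {mac} is in VLANs {vlans} (separate tables, no clash)")
```

Run it against real output by pasting a couple of `show mac address-table` captures taken a few seconds apart in place of the constructed snapshots; only the entries flagged by `find_conflicts` need fixing, while a MAC spread across VLANs by `vlans_per_mac` is the intended result of the VLAN split.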
As ldwltsysadmins says:
"more than just a pair of Fortigate 200A's"
This could be a reason to choose a switch as the heartbeat device. Otherwise, for two units a crossover cable is enough. Be sure you use two heartbeat devices on each unit. This will eliminate the single point of failure of only one cable.