Currently I have a setup like below:
DMZ
|
[sw1---stack---sw2]
|| ||
[fw1] [fw2]
|| ||
[sw3---stack---sw4]
|
PC
Links between sw and fw are 802.3ad with 2 different vlan tag. One vlan for production and another one is for Mgmt.
I config all interfaces on fw1&2 as VRRP. However if sw3 down, PC is not able to reach DMZ because the return traffic will still hit fw1 which cannot pass packet back to PC via sw3.
The reason i'm not using FGCP is I want to manage both fw separately. However, if I use "reserved management interface" then FGCP cannot form a VIP for mgmt interface. I need the VIP because the fw mgmt interface is the GW for mgmt zone.
So, I wonder if I configure FGCP with reserved mgmt interface and then configure VRRP on those 2 interfaces. And my question is, will FGCP monitor the 2 mgmt interfaces? If sw3 goes down, will the return packet be passed from fw1 to fw2 due to FGCP?
This is why VRRP on a fortigate or any other vendor needs to be carefully analysis before deployment.
You argument for need to manage the 2 firewall & 2 unique systems is Questionable imho. You are adding more points of failures and more complexity ( more firewall policies to managed across each firewall-gateways ) to a solution that's already simplified if you just ran FGCP and in a A-A or A-P mode.
Now with that said here what might work for you . Could you deploy dead gateway detect or vrdst on internal lan segments routes into the stack? ( just a guess here )
Could you run a 802.3ad bundle split between 2x members with each member on one stack'd switch ( i.e vPC in cisco lingo ),so your port-channel would be like this;
bond0
# alias inside-interface INSIDE/INTERNAL
port 1 ( inside stack-switch 1 )
port 2 ( inside stack-switch 2 )
bond1
# alias inside-interface DMZ
port 1 ( DMZ stack-switch 1 )
port 2 ( DMZ stack-switch 2 )
This might get away from the just one single link failure issue.
BTW VRRP is great if you have a firewall hardware failure , but can wreck havoc when it's a just a single link failure. I don't know or think fortigate has VRRP group and object tracking available to the same degree as cisco btw. But you might to read up on any new VRRP HA features in the latest code.( I'm too lazy at this time todo that from the location I'm currently at )
PCNSE
NSE
StrongSwan
Hi emnoc,
Thanks for your reply. I'm new to Fortinet. unfortunately it seems fortios cannot provide HA mechanism like juniper nsrp or cisco hsrp.
emnoc wrote:This is why VRRP on a fortigate or any other vendor needs to be carefully analysis before deployment.
You argument for need to manage the 2 firewall & 2 unique systems is Questionable imho. You are adding more points of failures and more complexity ( more firewall policies to managed across each firewall-gateways ) to a solution that's already simplified if you just ran FGCP and in a A-A or A-P mode.
Now with that said here what might work for you . Could you deploy dead gateway detect or vrdst on internal lan segments routes into the stack? ( just a guess here )
Could you run a 802.3ad bundle split between 2x members with each member on one stack'd switch ( i.e vPC in cisco lingo ),so your port-channel would be like this;
bond0
# alias inside-interface INSIDE/INTERNAL
port 1 ( inside stack-switch 1 )
port 2 ( inside stack-switch 2 )
bond1
# alias inside-interface DMZ
port 1 ( DMZ stack-switch 1 )
port 2 ( DMZ stack-switch 2 )
This might get away from the just one single link failure issue.
BTW VRRP is great if you have a firewall hardware failure , but can wreck havoc when it's a just a single link failure. I don't know or think fortigate has VRRP group and object tracking available to the same degree as cisco btw. But you might to read up on any new VRRP HA features in the latest code.( I'm too lazy at this time todo that from the location I'm currently at )
Hello, You choose VRRP to manage your firewall separately ? this is the only reason ? So your installation is active passif ? is that correct ? you don't use one firewall for one subnet, and the second for the other ? If that correct, I suggest you to use FGCP, like that you can : - create a dedicated management interface on both firewall : conf sys ha, set ha-mgmt-status enable, set ha-mgmt-interface mgmt, set ha-mgmt-interface-gateway "yourDMZMgmtgw(your VIP)" - disable sessions sync : set sync-config disable - finish to configure your HA (the rest is basic config) With this solution, you will have a correct HA system, without synchronisation of the config..
Lucas
Hi emnoc, Thanks for your reply. I'm new to Fortinet. unfortunately it seems fortios cannot provide HA mechanism like juniper nsrp or cisco hsrp.
Correct, but I would word it as; it ( fortinet ) is not as robust as jnpr's NSRP or csco's HSRP/GLBP/VRRP." Than again your comparing features found primarily on routers to a firewall.
All of the layer3 redundant gateway protocols have some type of track ( ip, protocol, routing,etc.....) . Fortinet implementation at this time does not.
Maybe you should ask for a feature enhancement to FortiOS to give you a track-ip/port function
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.