Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Potato168
New Contributor II

Created on ‎12-09-2024 12:28 AM

Question regarding Firewall Active-Active Layer 2 HA design

Hello all,

 

I have a question regarding a design like this.

 

Suppose CheckPoint A is the Master unit for its cluster, while Forgate A and B are in Active-Active HA.

 

Fortigate A or B comes with one virtual wire and the VW1 is connected between the Checkpoint and Core switch.

 

No switch is between Fortigate and Checkpoint.

 

I wonder if Fortigate B receives traffic from a user, can the user stillbe able to use CheckPoint A to access to the internet?

 

 

Design.PNG

Labels:
347
0 Kudos
6 REPLIES 6
sjoshi
Staff
Staff

Created on ‎12-09-2024 02:01 AM

Hi,

 

Is there any connection between FGTB and checkpoint A or FGTB is only connected to checkpoint B?

Also in checkpoint is it working as Active-Passive mode? 

Let us know if this helps.
Salon Raj Joshi
336
Potato168
New Contributor II
In response to sjoshi

Created on ‎12-15-2024 10:19 PM

No  connection between FGTB and checkpoint A . Only A to A and B to .

Checkpoint is it working as Active-Active - Clueter mode.

70
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎12-09-2024 05:26 AM

Hi Potato

I don't think it will work like that, because the FG Master may not see the CheckPoint Master.

Even in AA-HA, FG master is the one who receives the incoming traffic, so you need a switch between the two firewall clusters.

AEK
AEK
285
jakbork
New Contributor

Created on ‎12-09-2024 05:34 AM

I will also try your advice. Thank you.

259
0 Kudos
sjoshi
Staff
Staff
In response to jakbork

Created on ‎12-09-2024 05:37 AM

This article describes an example of a simple TCP 3-way-handshake in HA Active-Active cluster where packet distribution between Master and Slave FortiGate occurs.
Refer:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-A-A-cluster-3-way-TCP-handsha...

Let us know if this helps.
Salon Raj Joshi
241
Potato168
New Contributor II
In response to sjoshi

Created on ‎12-16-2024 06:37 PM

So, what if got drop on Step 3 ?

3) SYN is forwarded from internal interface to External Interface to the external switch connected to the Server

Will the Master FG1 try to resend SYN forward to the Server?

62
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.