Setting up HA with a single switch

jjensen · ‎03-02-2017

We currently have a facility with a single fortigate 60D device and want to get the facility setup with HA. I've seen this post:

http://cookbook.fortinet.com/high-availability-two-fortigates/ and was wondering if I can get by without the two separate switches.

If so would i just make sure the WAN ports on the switch & modem are on a specific vlan? We use HP procurve switches or the new HP Aruba switches out there and then put say ports 5 on the fortigate back to the switch(to connect to internal) on our regular vlan that it is currently setup as.

Thanks, Jeremy

Alby23 · ‎03-02-2017

Dear friend,

yes you could surely do this.

Just 2 observation:

[ul]

obviously the switch will be a single point of failure so you lose a bit of resilience in your architecture;

the 3 interfaces related to internal lan will be part of a VLAN and the 3 interfaces related to Internet will be part of another VLAN [/ul]

jjensen · ‎03-02-2017

Thanks for the response. I'm well aware of the single point of failure and it's something the company is OK with having so as a counter to that we've got a switch configured that is sitting in storage out there so if that switch were to go down we could swap it out, copy the latest config and should be up and running shortly.

ede_pfau · ‎03-02-2017

Yes you can use a single switch - partitioned by internal-only, untagged VLANs - to connect the cluster ports. For each port used on one FGT you need 3 switch ports. (I prefer to have 4 ports so that I could plug into that network for debugging.)

These partitioning VLANs must not be used anywhere else in the config - certainly not in your network. With IDs ranging up to 4095 it shouldn't be too hard to choose some troublefree IDs.

No idea about the Procurve switch but I doubt it being suitable. There is one caveat with switch partitioning: each (internal) VLAN needs to maintain a FDB of it's own. This is quite hard to verify in advance. I've heard that some DELL switches do not comply with this and just reboot on seeing the same MAC address on different physical ports. From experience, 'Enterprise grade' switches from 3Com/HP/H3C (series 58xx, 59xx) are fine to use.

Ede Kernel panic: Aiee, killing interrupt handler!

jjensen · ‎03-02-2017

I may be missing something can you explain the three switch ports for each port used on one FGT?

ede_pfau · ‎03-02-2017

1 for FGT1, 1 for FGT2, 1 for the network, right?

Ede Kernel panic: Aiee, killing interrupt handler!

Setting up HA with a single switch

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website