I'll do my best to explain. I also have a crude drawing to help explain.
I have 4 FortiGates. Two in one building and two in another. They are currently in HA pairs, Y with Y and X with X. What I need to have happen is if either X or Y in building A goes down, I need both FortiGates to fail over to the B side. If one has an issue it fails to B but leaves the other in A, breaking the "stack" they are set up in. While they are broken the link to each other seems to remain up even though one FortiGate is passive at that point.
I thought you could make two clusters and run them in HA. Building A would be a cluster with both X and Y and B would be a cluster with X and Y. That doesn't appear to be the case. My other thought is monitoring certain interfaces in the HA setup, but with links seemingly staying up even in passive, I'm not sure it would help.
Has anyone worked this sort of setup before? The drawing doesn't show the additional connections involved but should get the point across.
I would guess an automation stitch can be used because HA failover can trigger an action(s), to shut down the interfaces to the other FGT. Then the other FGT can "monitor" the interface to trigger HA failover. You need to set this up only on the A side since that side is your primary.
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/43081/triggers
Probably you need to have another stitch for failback though.
Just an idea without any POC testing.
Toshi
Wonder why nobody mentions the "link monitor". You can set up a link monitor, using ping or TCP handshake or other means, to monitor a remote server/target, which in your case would be the other HA cluster. If detected, the link monitor can trigger an HA failover.
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/76624/link-monitor
Before you ask: no, no recipe available as yet, but IMHO worth exploring in the lab.
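For reference, a sketch of the FortiOS remote link failover settings that the link-monitor suggestion above relies on. This is an added example, not a configuration posted in this thread and not tested against the four-unit layout described; the monitor name, interface `port5` and address `192.0.2.10` are placeholders.

```text
# Added illustration: monitor name, interface and address are placeholders,
# not values from this thread.
config system link-monitor
    edit "peer-cluster-check"
        # Interface the probes leave from, and the remote target to probe.
        set srcintf "port5"
        set server "192.0.2.10"
        set protocol ping
        # Consecutive failed probes before the target is considered down.
        set failtime 5
        # Consecutive successful probes before it is considered up again.
        set recoverytime 5
        # Weight added to the HA failure total while this monitor is down.
        set ha-priority 1
    next
end
config system ha
    # Interfaces whose link monitors take part in the HA failover decision.
    set pingserver-monitor-interface "port5"
    # Failover is triggered when the summed ha-priority of failed monitors
    # reaches this threshold.
    set pingserver-failover-threshold 1
    # Minutes to wait before another ping-server failover is allowed.
    set pingserver-flip-timeout 60
end
```

The flip timeout keeps the cluster from bouncing back and forth when the newly promoted unit cannot reach the probe target either, so the target should be something only the intended side can lose.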
Thanks, this is the direction I was heading, I just wasn't sure how to implement it. I'll give it a go and see what happens.