Hi All,
There is a requirement wherein I need to set up two FGTs as a VRRP pair rather than creating a cluster. In this situation, do we have the option to utilize the HA links, rather than having to rely upon the LAN switches to provide a path for the VRRP heartbeat?
Also, can I create an LACP aggregate of two ports on the built-in switch by converting it to Interface (routed) mode? I read that switched ports cannot be used for VRRP.
Can VRRP switchover be tied to an ISP failure?
Finally, is there any way to stop both firewalls from becoming VRRP master if one of the LAN switches (to which one firewall is connected) fails? I find there is no option to track interfaces, and the VRGRP option is available to group multiple routed interfaces; is it a better option then to add another set of directly connected interfaces between the two firewalls to another VRRP group and
Thanks
Trying to answer some of your questions:
1- the HA ports should not be used for general traffic, which VRRP is. You can use any other ports for which you can set a route, even the WAN ports.
2- I was puzzled by your mentioning of "interface (routed)" in the context of switch ports. Switch ports can be converted to be 'standalone' or single ports, thus 'interfaces'. Routing has nothing to do with this, 'interface/routed' pertains to one flavor of IPsec VPNs.
That said, yes, you can create an aggregate port using 2 or more single ports, and use it for any traffic. Your goal would be to achieve redundancy. I have not yet heard that a switch port cannot be used for VRRP and I wouldn't know why not.
3- detecting an external failover in VRRP isn't easy except for monitoring the VRRP heartbeat packets. Link failure or remote target failure detection are features of FortiOS HA.
I once had to set up a pair of FGTs with VRRP'ed routers in front of them (2 distant locations with one access router and FGT each). I chose to set up the FGTs in HA a/p mode to be able to fully synchronize all settings and states. One way to fail over the HA pair in case of a VRRP failover is to configure the router to tear down the internal port (facing the FGT) in this case. On Cisco equipment, an event procedure would do this. Link failure is always monitored in an HA pair. YMMV.
Thank you Ede for your detailed advice.
Yes, I may have used the wrong terminology (the Cisco way). I meant single ports not part of the built-in virtual switch.
I did read that VRRP can only be set up on either physical ports or VLAN interfaces, so I assumed physical would imply the non-switched ports.
My use case does not allow me to create an HA cluster, as that would be a very simple setup. I need to have two separate MPLS links (though in the same AS) with different requirements for routing, and if I put two firewalls in the same cluster, then they are just one box with only one BGP process. I am hoping that VRDST and VRGRP help in my case to achieve some of the things that I am looking for.
Merry Christmas and Season's Greetings.
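As an added example (not from either poster, and not Fortinet's own documentation), this is how the VRDST and VRGRP options mentioned in the last post fit into a FortiOS VRRP configuration for the ISP-failure case raised in question 3. Interface names, addresses and the VRRP ID are assumed; the option names are those found under `config vrrp` on recent FortiOS releases, so confirm them with `?` in the CLI of the release in use.

```text
# Firewall A (normally master). Constructed RFC 5737 addresses.
config system interface
    edit "port3"
        set ip 192.0.2.2 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            # VRRP ID 1; same vrgrp on every domain that must fail over together
            edit 1
                set vrgrp 10
                # virtual gateway address used by LAN hosts
                set vrip 192.0.2.1
                # higher than firewall B, so A is master while healthy
                set priority 200
                set preempt enable
                # A's own ISP/MPLS next hop; the check is on route reachability,
                # so pair it with a link monitor that withdraws the static route
                set vrdst 203.0.113.1
                # priority applied while 203.0.113.1 is unreachable; must be
                # below B's normal priority (100) for B to take over
                set vrdst-priority 50
            next
        end
    next
end

# Firewall B (normally backup).
config system interface
    edit "port3"
        set ip 192.0.2.3 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.0.2.1
                set priority 100
                # required so B claims master when A's priority drops to 50
                set preempt enable
                # B's own ISP next hop
                set vrdst 198.51.100.1
                set vrdst-priority 50
            next
        end
    next
end
```

Advertisements are sent out of the VRRP interface itself (multicast to 224.0.0.18), so the LAN switch path between the two firewalls is the heartbeat path asked about in question 1; if that path is lost, both units become master for the domain, which is the split scenario described in the last question.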