Hi All,
We have two Fortinet firewall currently configured HA between them. We are planning to configure VRRP in order to have L3 redundancy, My question can we have HA and VRRP together?
Thank you,
Sr
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Just to add more details. If you will try to configure VRRP on FortiGate that is already in HA Cluster, it will not work, because first that config will be copied to secondary device and second, when secondary device is passive, it will not have vrrp process running. Anyway, HA will provide you L3 redundancy. If primary device will go down, secondary device will be active and will be handling request as your gateway. Similarly, it is using virtual-macs to provide you this.
Hi Shahan / Adrian,
Thank you for your replies, we will try remove HA and configure VRRP, once its done I will upload the result.
I check one more thing with you guys can we use port bond for VRRP? I read some where VRRP will not work on port bond.
Thank you
Srini
Hi vasugk,
A few questions here would be helpful:
1. Are you planning to configure FGT devices in VRRP that are already in HA?
2. Is it a third party devices you are going to use for VRRP with FGT cluster?
Please note that FGTs when in HA act as one device active at a time. With this, there should not be a problem if you are configuring VRRP with some third party device.
However, if you are planning to implement VRRP between two FGTs that are in cluster, there is a possibility that it might now work.
Please look into this post: https://community.fortinet.com/t5/Fortinet-Forum/VRRP-vs-HA/m-p/80772?m=160969
You can get some answers from here.
Also please look at community article regarding VRRP:
Let us know if you have any further questions.
Thanks,
Shahan
Hi Shahan,
Thank you for reply,
1. Are you planning to configure FGT devices in VRRP that are already in HA? Yes
2. Is it a third party devices you are going to use for VRRP with FGT cluster? No we don't have plan to use 3rd party device.
Yeah know that HA one device act as active, we have wrong design at present we want to achieve routing redundancy.
Regards,
Sr
Hi vasugk,
For that you should look into either active-active HA or break the HA cluster and use FGTs as standalone devices.
Unfortunately, we do not have any examples that highlight such an implementation.
Thanks.
Shahan
Hi,
Just to add more details. If you will try to configure VRRP on FortiGate that is already in HA Cluster, it will not work, because first that config will be copied to secondary device and second, when secondary device is passive, it will not have vrrp process running. Anyway, HA will provide you L3 redundancy. If primary device will go down, secondary device will be active and will be handling request as your gateway. Similarly, it is using virtual-macs to provide you this.
Created on 08-03-2022 09:01 AM Edited on 08-03-2022 09:02 AM
The concept of HA a-p is a system-wide of VRRP. While VRRP's scope focuses only on interface groups, HA does the fail-over system wide. With VRRP, its members communicate over the interfaces while HA communicates each others over heartbeat connections.
Toshi
Hi Shahan / Adrian,
Thank you for your replies, we will try remove HA and configure VRRP, once its done I will upload the result.
I check one more thing with you guys can we use port bond for VRRP? I read some where VRRP will not work on port bond.
Thank you
Srini
Hello,
You mean on aggregate port? If yes, then it will work if aggregate port has IP address (or VLAN bounded to that agg port).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.