WAN BGP connection from datacenter (HA)
Hello,
We've got a BGP configuration in the datacenter (see screenshot below) and we have 2 FortiGates (100F).
We want to make the FortiGates highly available. But for both ports we have a /30 subnet so our external IP address is different for both ports.
Is this even possible (to have different IP addresses on both ports and use HA), or should we switch to a different configuration?
- Labels: BGP, FortiGate, High Availability
Hi @JesperAP ,
I am not a design expert. When you configure FGCP you have to configure the WAN interface IP on the primary unit and it will be automatically synced to the secondary unit, so the primary and secondary units' interfaces have the same IPs. On your WAN interface you may enable/assign a secondary IP (using the IP belonging to the secondary BGP subnet /30). Bear in mind that the BGP configuration/peering will only be active on the current primary unit, and I am not sure about the performance of that implementation and the consequent BGP peering failover.
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-cluster...
It might be worth contacting your SE and asking for a Professional Services consultancy.
Best regards,
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
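The secondary-IP arrangement described in the reply above, written out as an added illustration rather than configuration taken from the original post or from Fortinet: a FortiOS CLI fragment that keeps the first /30 as the WAN interface's primary address, adds the second /30 as a secondary address on the same interface, and peers with the upstream router on the first subnet. The cluster group name, interface names, AS numbers and addresses (RFC 5737 documentation ranges) are constructed placeholders. Only the first peering is shown; as the reply notes, whichever unit is currently primary owns the session, so BGP failover timing is the part to test before relying on this.

```fortios
# Added example, not from the original thread. Group name, interface names,
# AS numbers and addresses are constructed placeholders.
config system ha
    set group-name "dc-edge"
    set mode a-p
    set hbdev "ha1" 50
end

config system interface
    edit "wan1"
        # first /30 from the datacenter, used as the primary address
        set ip 203.0.113.2 255.255.255.252
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                # second /30 from the datacenter, carried as a secondary address
                set ip 198.51.100.2 255.255.255.252
                set allowaccess ping
            next
        end
    next
end

config router bgp
    set as 65001
    set router-id 203.0.113.2
    config neighbor
        edit "203.0.113.1"
            # upstream router on the first /30; the session is only up on the primary unit
            set remote-as 64512
        next
    end
end
```

Because the interface configuration is synced between cluster members, both units carry both addresses, but only the primary answers on them; a failover therefore tears down and re-establishes the BGP session rather than handing it over.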
Isn't it an option to make a VDOM exception for the WAN interface?
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/105611/vdom-exceptions
How do I specify to only have an exception for the WAN interface?
You cannot do HA with those two FGTs because this BGP design assumes two independent routers (FGTs) on the customer end.
Toshi
