FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes some technical considerations when FortiGate devices in an HA Cluster, Active-Passive mode, are connected to L2 switch(es) with LACP (802.3ad).

The following network diagram illustrates this article:

[Network diagram: rmetzger_FD31396 LACP A-A.jpg (two FortiGates in an HA cluster, each connected to the L2 switch by its own LACP bundle)]

The LACP groups (LAG) defined on the L2 switch must be different for each FortiGate (hence creating independent bundles) in order to avoid incoming traffic being sent to the Subordinate.

Note: for this reason, Nortel devices in SMLT are not supported.

  • If different LAGs cannot be configured on the L2 switch, use the following command to prevent the subordinate units from participating in LACP negotiation on the aggregate interface. Note that in this mode the failover time can be longer, since it includes the LACP negotiation between the newly elected Primary Unit and the L2 switch.
config system interface
    edit <aggregate_name>
        set lacp-ha-slave disable
    next
end

It is recommended to set LACP mode to Static on both sides (FortiGate and switch) if the ports are connected with a back-to-back cable.
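The following is an added configuration example, not part of the original article, that puts the points above together: one aggregate interface on the FortiGate cluster (the HA configuration is synchronized to both members), and two independent LAGs on the L2 switch, one per FortiGate, so that traffic for the cluster is never hashed toward the Subordinate. The interface names, the IP address, the switch port numbers and the switch syntax (Cisco IOS-style port-channel commands) are assumptions; only the FortiOS keywords themselves come from the article.

```text
# --- FortiGate HA cluster (FortiOS CLI; names and IP are constructed) ---
# Aggregate of port1 and port2 toward the L2 switch, LACP active.
config system interface
    edit "agg_lan"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        # Use "set lacp-mode static" here (and "mode on" on the switch) if the
        # ports are connected back-to-back, as recommended above.
        # Only if the switch cannot give each FortiGate its own LAG: keep the
        # subordinate out of LACP negotiation (expect a longer failover).
        # set lacp-ha-slave disable
    next
end

! --- L2 switch (Cisco IOS-style syntax, assumed): one LAG per FortiGate ---
! Port-channel 1 -> FortiGate-A (ports 1-2 are constructed values)
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
! Port-channel 2 -> FortiGate-B: a separate bundle, never shared with FortiGate-A
interface range GigabitEthernet1/0/3 - 4
 channel-group 2 mode active
```

After a failover, confirm on the switch that only the port-channel facing the new Primary Unit carries traffic; if both bundles had been merged into one LAG, the switch would balance frames across members that terminate on the Subordinate, which is exactly the condition the separate LAGs avoid. On recent FortiOS releases the same option appears under the name lacp-ha-secondary rather than lacp-ha-slave.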