Created on 04-07-2021 04:53 AM
I'm setting up a new cluster for a new location of ours. The location will be L2-connected to an existing location, but it will also have its own Internet connection and FortiGate cluster.
At our existing location we have an Active-Passive HA cluster running, and now I am considering making the new cluster Active-Active so as not to leave performance on the table.
I reached out to support to ask what the recommended mode was, since the documentation does not mention a best practice/recommendation as far as Active-Active vs Active-Passive goes, but was told "we don't make recommendations".
So instead I am asking the community about their experience with this :)
We are a single company, so I'm not sure how relevant using VDOMs is to us.
Out of the hundreds of FGT firewalls I have seen so far, I have yet to see an Active-Active cluster in production. This pretty much answers your question, I guess: no, if you don't have a very specific reason for using A-A, you don't use it.
When there are enough networks/traffic behind a FortiGate HA pair to warrant load splitting between machines, I advise vcluster: splitting the existing topology into multiple (2) VDOMs, where each FGT machine holds a different VDOM as active. This way both boxes work and are not idling, but also provide HA for each other. This involves the next set of decisions as well, though: how to set up Internet access to both VDOMs or just one of them/SD-WAN? What about routed/advertised subnets? etc.
https://yurisk.info/ blog: All things Fortinet, no ads.
To add: out of the thousand-plus FortiGate environments I have worked on, I have only seen a handful of orgs that deployed active-active.
1st you need to determine what you really want:
Do you need fail-over protection (A-P)?
Do you need load-balancing (A-A)?
If yes on the 2nd part, why do you think you need load-balancing?
On load-balancing, it's a joke, since it really does NOT load-balance traffic, only sessions, and only certain sessions. And when it comes to troubleshooting it makes it 10x harder looking at traffic if you have some traffic on fgt1 and other traffic on fgt2.
Back to vcluster: this is ONLY available if you have 2 or more VDOMs, and again you have restrictions (vdom-links), and it does absolutely nothing for load-balancing sessions|traffic within that VDOM. And like above, when you do diagnostics, you must know which FGT node is carrying your traffic for that VDOM.
Think of vcluster like Cisco's deployment of failover groups, FWIW.
A-A is not so common... if you have an issue it will be a mess to debug (analyze how it works and you will see it's really complicated, and the gain will be more or less 20% if you have UTM).
It depends on your design; maybe you can put in place FGSP (with an internal/external load balancer or router). But once again, it increases the complexity.
Do you need more performance, or is it just to use the second box? If it's only to use your second box, I think it's better to forget this idea and use HA A-P like 99.99999999% of customers. You will avoid a lot of issues.
Thanks for all the great replies!
The reason I was considering A-A was to not leave performance on the table; A-A is possible and works well in a whole lot of other equipment, plus the documentation did not signal it being problematic, but I understand we're better off just sticking with A-P.
I cannot speak for all firewalls, but at least for Check Point, after seeing hundreds of them as well, I have yet to see one in production in A-A (Load Sharing mode clustering) :)
Every time someone tried to use A-A with either of them, FGT or CP, he/she regretted it and moved to an A-P setup; just too much pain for too little gain.
https://yurisk.info/ blog: All things Fortinet, no ads.
We are running 3x FGT100E&F, 2x FGT400D, 2x FGT500E, 1x FGT600D, 4x FGT1000C and 1x FGT1200D clusters in a-a mode.
Starting with the first a-a on FGT1000A (v3.0) in 2007, I can only report that it is working great.
The best measure I can provide is the end-user experience: we always start with a single FGT and introduce the second FGT after a few weeks, when the configuration is "solid". The feedback we get from the (end) users after introducing a-a is always "what have you done, the network is much more responsive, I'm happy" ...
We implement mostly in environments where all/each network segment (up to 100 VLANs) needs to be heavily protected by AntiVirus, WebFilter, AppControl (!) and IPS. Especially AppControl can slow down overall performance dramatically if applied on every VLAN; a-a is then, at least in our experience, the best choice to balance the load.
With the introduction of the FGT100, a-a was pushed by Fortinet in a good way, but, that is at least my feeling, since many forums "do not like" a-a ... Fortinet over the years kept the functionality but does not really push it forward; a shame.
Regarding TroubleShooting / Diagnostics:
In very rare cases we turned off the second device, ran diagnostics and brought the a-a back into service after troubleshooting was finished.
We never had to troubleshoot an a-a problem OR anything related to a-a!
So, what are the weak points:
- In case the master goes down: SSL VPN users will lose their connections and have to reconnect.
- We suggest FortiAnalyzer (!)
(We are not using VDOMs ... NO experience here)
These are the settings we have the best experience with:
config system ha
    set group-id XX
    set group-name "Name"
    set mode a-a
    set route-ttl 30
    set session-pickup enable
    set override disable
    set priority 250
    set load-balance-all enable
end
(set priority 250 on the master; set priority 150 on the secondary device)
Design: make sure you connect the FortiGate(s) to a core switch; we have always preferred 2x switches with VLT and created MLAGs (LACP), with by far better performance than connecting to a stack or a single switch (!)
I really hope a-a gets more attention, which then may force Fortinet to invest more in this great functionality!!!
Give it a try, get more for your money; it is easy to go back, IF at all, to a-p ...
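A fuller version of that configuration, added here as an illustration and not taken from the poster's own config: it shows both members (they differ only in priority), the heartbeat and port-monitor settings the snippet above leaves out, and the commands to check cluster state and to see which member is actually forwarding a flow, which is the troubleshooting concern raised earlier in the thread. The interface names ha1/ha2/port1/port2, group-id 10, the group name and the 203.0.113.10 test address are placeholders; lines starting with # are annotations, not CLI input; `execute ha manage` takes a username on recent FortiOS releases.

```text
# Added example: two-member FortiGate a-a cluster (assumed names, see lead-in).
# Assumed: ha1/ha2 are dedicated heartbeat ports, port1 = WAN, port2 = LAN.

# --- on the unit intended to be master ---
# With override disabled the running master keeps its role when the other
# unit returns, so the priorities only decide the initial election.
config system ha
    set group-id 10
    set group-name "site2-aa"
    set mode a-a
    set hbdev "ha1" 50 "ha2" 50
    set monitor "port1" "port2"
    set route-ttl 30
    set session-pickup enable
    set override disable
    set priority 250
    set load-balance-all enable
end

# --- on the secondary unit: identical except for the priority ---
config system ha
    set group-id 10
    set group-name "site2-aa"
    set mode a-a
    set hbdev "ha1" 50 "ha2" 50
    set monitor "port1" "port2"
    set route-ttl 30
    set session-pickup enable
    set override disable
    set priority 150
    set load-balance-all enable
end

# --- verification once both members have joined ---
get system ha status                 # members, roles, heartbeat state
diagnose sys ha checksum cluster     # config checksums must match on both

# In a-a, sessions are spread across members, so before reading a session
# table or debug output, confirm which member carries the flow you care about:
# sniff for the test host on this member, then on the other one.
diagnose sniffer packet any 'host 203.0.113.10' 4 10
execute ha manage 0 admin            # hop to the other member over the heartbeat link
diagnose sniffer packet any 'host 203.0.113.10' 4 10
```

The sniffer is the reliable check because, with session-pickup enabled, a session can appear in both members' session tables (synchronised copy) while only one of them is forwarding the packets.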
When in A-A mode, is the LACP aggregate to the Forti cluster a single aggregate (at the moment I have 2 LAGs, one for each Forti)?
How do you handle the WAN side? (On the WAN side we have a switch managed by the ISP with 2 ports in the same VLAN but not an LACP aggregate; I'm also not 100% sure they would be willing to do that.)
With our new location I can and want to play around before it becomes production.
Hello Keeper of the Keys
Yes, 2 LAGs ... one for each FGT.
For the WAN side or any other ports on the FGT you will use a switch where 3 ports belong to 1 VLAN (see picture attached). So, for every port group we create a separate VLAN.
We also provide 2 Gbit/s and more bandwidth to customers for the Internet connection; in this case it is usually presented through a 10 Gbit/s port. We create LAGs with 2, 3 or 4 ports on each FGT and bring them to the switch (LACP) on a separate VLAN to which the 10 Gbit/s port belongs.