Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
commutator
New Contributor III

Cable FortiAnalyzer directly to FG HA pair?

We are installing a new HA pair of 501E's (v5.6) to replace some older FG's, and we're adding a FAZ 400E (v6.0) to the mix. No FAZ installed previously. I have one FAZ port on our mgmt VLAN and I can access it fine. I plan to use a separate FAZ port to receive the logging from the FG(s). Is there any way to cable the FAZ directly to the HA pair to receive logging? E.g., port10 on first 501E to FAZ port3 and port10 on second 501E to FAZ port4.

 

I don't see any internal switching capability in the FAZ to put two ports together with a single IP address. I don't see any layer 2 protocol options between FAZ & FG either. I don't have any other bright ideas. Has anyone attempted this with success?

 

If we use only one FAZ port then whatever switch module that port connects to is a single point of failure. All other devices of this significance in our network have redundant connections to different switch modules. We don't see the need for a 2nd FAZ as we will also be logging to the 501E internal disks and a separate syslog server too. I just want this cabling redundancy if the device design allows for it. Perhaps I should have thought of this before choosing the appliance over the VM license, but let's not dwell on that!

 

Thanks,

Fred

2 Solutions
commutator

I'm still curious too, but last year I did dig around and found no hint of a way to do any sort of link redundancy. We use LACP for virtually every other piece of infrastructure, so that would be ideal but even the simple redundant links feature found on the FortiGates would do the job. I don't like our chances.

 

...Fred

View solution in original post

emnoc
Esteemed Contributor III

I believe the hard appliance doesn't do LACP. Since the analyzer is NOT crucial for traffic flow I highly doubt FTNT will add this feature in. Open a Feature Request with sales and see what they say.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
7 REPLIES 7
ede_pfau
Esteemed Contributor III

My 2 cents on that:

Go for a single connection, and an intermediate switch.

The passive cluster member gets the same FAZ IP address as the active member, always.

I'd guess that a small sturdy, metal case 5- or 8-port switch won't die in the next years. Or partition an existing switch stack. The FAZ isn't redundant anyway. And doesn't need be, not as much as the FGTs.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
commutator
New Contributor III

Back to the point though: is there a way to have redundant cables on one FAZ? I'm presuming no one else knows of a way to do it either. It just doesn't seem to be in the design of the FAZ boxes - like say, configuring redundant interfaces on an FG.

 

...Fred

claytonmeyer

Bump. I'd also like to confirm if the FAZ supports link aggregation or separating management NICs from "data" NICs.

commutator

I'm still curious too, but last year I did dig around and found no hint of a way to do any sort of link redundancy. We use LACP for virtually every other piece of infrastructure, so that would be ideal but even the simple redundant links feature found on the FortiGates would do the job. I don't like our chances.

 

...Fred

emnoc
Esteemed Contributor III

I believe the hard appliance doesn't do LACP. Since the analyzer is NOT crucial for traffic flow I highly doubt FTNT will add this feature in. Open a Feature Request with sales and see what they say.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
claytonmeyer

Also, it appears that you cannot separate the management & data planes on to separate NICs which is unfortunate.

chall_FTNT

It is true that LACP is not currently available for FortiAnalyzer hardware appliances.  It is being considered for a future maintenance release.  By all means, talk to your Fortinet sales team to help prioritize that feature on the roadmap.

Chris Hall
Fortinet Technical Support
Labels
Top Kudoed Authors