Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Network-Eng2022
New Contributor

Created on ‎04-24-2023 09:42 PM

Connecting HA Cluster Firewalls to another HA Cluster Firewalls

I have an 2 seperate HA Active-Passive Cluster of Fortigate Firewalls.

I want to connect the first cluster to other cluster without introducing any switches in between in a full mesh connectivity. This is required to achieve full redundancy between the 2 HA clusters.

What is the best practice in achieving the above? Is creating Redundancy Interface and add 2 10GB port to this interface on both will do the job?

 

Labels:
1212
0 Kudos
8 REPLIES 8
srajeswaran
Staff
Staff

Created on ‎04-24-2023 10:29 PM

Please check if FGSP clustering between the current clusters is the solution for you.

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/668583/fgsp

 

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1196
Network-Eng2022
New Contributor
In response to srajeswaran

Created on ‎04-25-2023 02:37 AM

I have checked the document shared.

Actually what I am trying to achieve is connect 1 HA Cluster (Active-Passive) (Site-A) to another HA Cluster (Active-Passive)(Site-B) through direct fiber cables in a full mesh.

1184
0 Kudos
srajeswaran
Staff
Staff
In response to Network-Eng2022

Created on ‎04-25-2023 03:12 AM

Can you confirm how is the traffic flow through these 2 clusters? A full mesh HA is to avoid a single point of failure in network, something like below.

 

Full-Mesh-HA.png

 In your setup, you have 2 HA, are they redundant to each other? If so, how is the sessions synced between them and how is the traffic flow.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1181
gfleming
Staff
Staff

Created on ‎04-25-2023 09:01 PM

Is there a reason you don't want to use switches in between? 

Cheers,
Graham
1167
CEMS
New Contributor

Created on ‎05-10-2024 04:11 AM

Hi,Do you have a solution for that issue,I live same problem?

196
0 Kudos
AEK
SuperUser
SuperUser
In response to CEMS

Created on ‎05-10-2024 04:38 AM

Hi CEMS

Didn't test it and don't know if it is supported, but I think you can do it with a hardware (or software) switch interface.

i.e.: one each cluster you configure 2 ports as hardware (or software) switch, then you inter connect the two clusters via these ports, like shown below.

ha_inter.png

AEK
AEK
189
0 Kudos
CEMS
New Contributor
In response to AEK

Created on ‎05-10-2024 06:28 AM

Many thanks AEK,Ye I can Hardware or Software Switch,actually I can Redundancy or 802.3 ag but  I use HA Active(tus11,art11) and Passive (tus12,art12) How can trigger  something happens ,in my scenario connection 1 from tus11emc to art11 is down How can I transfer traffic through to art12 emc ,I could not add software or hardware swtich interface ha monitor interface by the way ,I just add redundant or 802.3AG interface,should I configure wtih these interface or should I do ip sla 

Adsız-2024-05-10-1137.png

154
0 Kudos
AEK
SuperUser
SuperUser
In response to CEMS

Created on ‎05-10-2024 06:44 AM

I guess you mean 802.3ad (aggregate).

For interface monitor you can't select hardware switch interface, but can monitor 802.3ad interface.

I think 802.3ad should also work as solution for your requirement, but you need to test it well, and also I don't know if this solution is supported by Fortinet, even in case it works well, so you may open a ticket to ask if it is supported or not.

AEK
AEK
150
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.