arie12092
New Contributor III

FortiGate HA Scenario

Hi,

I have a scenario and I'm looking for advice.

 

I have 2 FortiGates configured in Active-Passive FGCP.

Each FortiGate has 3 active ports (e.g. port1, port2, port3). Those interfaces are monitored by HA.

Let's say FortiGate-1 (priority 150) is the primary and FortiGate-2 (default priority) is the secondary. Override is enabled.

 

When port1 is disconnected on FortiGate-1, the cluster will fail over to FortiGate-2. Now FortiGate-2 becomes the primary.

Then, suddenly, port2 on FortiGate-2 is also disconnected (while port1 on FortiGate-1 is still disconnected). In this situation, FortiGate-2 doesn't fail over to FortiGate-1, right?

port1 and port3 can serve traffic, but port2 can't, because port2 is connected to FortiGate-1 (secondary) only.

 

Is there any suggestion for this scenario?

 

Thanks

Arie

1 Solution
jintrah_FTNT
Staff

Hi Arie,

When both devices have the same number of monitored interfaces in down state, the active member is determined by priority again, as override is enabled. So it will fail back from fgt2 to fgt1. And traffic through port2 and port3 should work here, but not port1, being in disconnected state. Only one firewall would be active at a time, so it is not feasible to send some traffic on one and some other traffic that can work on port1 through the secondary.

 

best regards,

Jin


arie12092
New Contributor III

Hi Jin,

 

Thanks for the correction.

FortiGate-2 will fail back to FGT-1 when port2 is suddenly disconnected and port1 in FGT-1 is still not recoverable.

So, in this situation, the port1 traffic will lose connectivity until it is recovered in FGT-1, right?

How about active-active FGCP? Does it have the same behavior?

 

Thanks

Arie

jintrah_FTNT

Hi,

The master unit election process is the same in a-p or a-a mode, irrespective.

 

Best regards,

Jin

arie12092

Hi Jin,

So, in the scenario, even in A-A mode, the traffic on port1 (FGT-1 primary) still loses connectivity, is that correct?

 

Thanks

Arie

jintrah_FTNT

Yes, correct.

 

Best regards,

Jin
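
The election order described in this thread (fewest failed monitored interfaces first, then priority because override is enabled), replayed against the scenario from the question. This is an added example, not part of the original posts and not Fortinet code. The default priority of 128 and all class and function names are assumptions, and tie-breakers beyond priority are not modelled.

```python
# Added illustration: models only the two election criteria stated in this
# thread (override enabled). Not FortiOS code.
from dataclasses import dataclass, field

MONITORED = ("port1", "port2", "port3")
DEFAULT_PRIORITY = 128  # assumption: FortiOS default HA priority


@dataclass
class Member:
    name: str
    priority: int = DEFAULT_PRIORITY
    down: set = field(default_factory=set)  # monitored ports currently down

    def usable_ports(self):
        return [p for p in MONITORED if p not in self.down]


def elect_primary(members):
    """Fewest failed monitored interfaces wins; a tie goes to the highest
    priority. Later tie-breakers are not modelled, so a full tie raises."""
    ranked = sorted(members, key=lambda m: (len(m.down), -m.priority))
    best, runner_up = ranked[0], ranked[1]
    if (len(best.down), best.priority) == (len(runner_up.down), runner_up.priority):
        raise ValueError("tie beyond the criteria modelled here")
    return best


def replay(events):
    """Apply (member_name, port) link-down events in order and return
    [(primary_name, ports_usable_on_primary), ...] for the initial state
    and after each event."""
    cluster = {"FGT-1": Member("FGT-1", priority=150), "FGT-2": Member("FGT-2")}
    timeline = []
    for member, port in [(None, None)] + list(events):
        if member:
            cluster[member].down.add(port)
        primary = elect_primary(list(cluster.values()))
        timeline.append((primary.name, primary.usable_ports()))
    return timeline


if __name__ == "__main__":
    # Constructed events matching the thread: port1 fails on FGT-1, then port2 on FGT-2.
    for step in replay([("FGT-1", "port1"), ("FGT-2", "port2")]):
        print(step)
```

The last step shows the failback to FGT-1 with only port2 and port3 usable, which is the port1 outage confirmed in the replies.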
