Millibhu
New Contributor

HA with WAN load balancing

Hi,

 

We are trying to implement firewall HA with WAN load balancing (we have two ISPs, with two public IPs from each). Could anyone suggest which HA mode I could deploy with these requirements? I want to deploy as in the screenshot below.

 

 

Our requirements:

1. Use the FortiGate 100D in route mode and perform WAN load balancing between the two ISPs.

2. I am not sure whether it works if we have only 2 public IPs from each ISP:

    123.123.123.7 - ISP A

    62.62.62.62.7 - ISP B

    Can we configure the WAN interfaces of both of our FortiGates with the same IP address as in the screenshot? Is there a way to do a virtual IP?

3. If we cannot deploy it as in the screenshot above, could you suggest a topology, such as inserting a router between the internet and the FortiGate and configuring the FortiGate WAN interfaces with our local IPs? (If we change to this deployment, though, we cannot do WAN load balancing.)

 

Thanks in advance

Millibhu

 

gschmitt
Valued Contributor

Once you set up an HA cluster, the units behave as one device.

You can simply connect the line from the first ISP to the wan1 interfaces of both devices (you might need a small switch for that) and the other ISP to both wan2 ports.

Enable the WAN link load balancing feature and create a load-balancing interface with wan1 and wan2.

You can use virtual IPs (FortiGate's version of incoming port forwarding/NAT).

vjoshi_FTNT
Staff

Hello Millibhu,

 

Yes, you can have HA for the above requirement and with the same topology:

 

- When the HA cluster is formed, only the active unit (master) responds to requests and processes the traffic.

- In a-a mode, the master decides whether the slave has to serve any sessions, and even in that case your topology should work.

Millibhu
New Contributor

Hi Gschmitt,

 

Once I get the cluster up (implemented as full mesh FGCP), port 1 has a virtual MAC and the devices behave as one device. But when I configure WAN 1 of both units with the same IP from ISP1, 123.123.123.7, it cannot route outside (I connect both units via a small switch before connecting to the internet); when I remove the IP from WAN 1 of one unit, the firewall can reach outside. My idea is that it behaves like one device, but when the ISP sees the same IP address used from different MAC addresses, it cannot be used. Is there another way to implement this?

 

Thanks

Millibhu

Millibhu

Hi Vjoshi,

 

I implemented it following the FortiOS handbook as full mesh FGCP (Active-Active), but I'm not sure whether I need two more public IPs from each ISP in order to avoid duplicate IPs. (Currently I have only 2 IPs from each ISP, and I implemented the topology I've shown, which is not working right now.)

 

Another way would be to implement a router between the internet and the firewall, configure the public IPs on both router WAN interfaces, and use our private IPs on the firewall WAN interfaces. But if I implement it like this, how could I load balance between the two ISPs?

 

Thanks

Millibhu

gschmitt
Valued Contributor

Both wan1 ports of the FortiGates in the cluster have the same IP; this is intended.

Millibhu

Hi ede,

 

Thanks for your advice. Now I'm able to connect the HA cluster in Active-Passive mode to the internet (same IP address from ISP1 on the WAN interface of both cluster units) via a small switch (8 ports). I only have left to connect ISP2 to both FortiGate units and test load balancing.

 

I already tried changing the configuration, and it syncs on both units like you mentioned. May I ask about session pickup?

If I deploy in Active-Passive mode, do I need to enable session pickup? The FortiOS cookbook only mentions enabling it if you deploy in Active-Active mode.

(Quote from the cookbook: "If you enable session pickup for a cluster, if the primary unit fails or a subordinate unit in an active-active cluster fails, all communication sessions with the cluster are maintained or picked up by the cluster after the cluster negotiates to select a new primary unit.")

 

Thanks

Millibhu

ede_pfau
Esteemed Contributor III

May I suggest that you leave out the second FGT for a while and just build the WAN load balancing with WAN1 and WAN2 first. In FortiOS v5.2 this is a bit easier to set up than in v5.0, with checks that the routes are correct. WAN1 will take the IP address from ISP1, WAN2 the other IP address from ISP2.

 

If that is working correctly, set up an A-P HA cluster: HA configuration, connection between the HA ports, reboot. You will have to duplicate the connections from WAN1 (to the router), WAN2 and LAN/internal by using e.g. 4-port switches (1 port for the router, 1 port to FGT1, 1 port for FGT2).

Once running as a HA cluster both FGTs will use the same IP addresses and even the same MAC addresses. When you connect to the management IP you will actually talk to the cluster master. Every change you make to the FGT's configuration will then be applied automatically to the slave unit as well.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
vjoshi_FTNT
Staff

Hello Millibhu,

 

Enabling 'session-pickup' helps the new master (after the failover) pick up the ongoing sessions, reducing the impact on traffic.

There are a few services which cannot fail over to the new master, but yes, it definitely helps, and it works with a-p mode as well.
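The two-stage build Ede describes (WAN load balancing on WAN1/WAN2 first, then an A-P cluster on top) and the session-pickup setting vjoshi discusses, written out as FortiOS 5.2-style CLI. This is an added illustration, not configuration posted by anyone in this thread: the ISP gateway addresses, the `internal` LAN interface name, the `ha1`/`ha2` heartbeat ports and the password placeholder are assumptions, and the public IPs are the ones from the original post. The cluster owns one IP per WAN link; it is set once and synchronised, never configured separately on the second unit.

```fortios
# --- Stage 1: WAN link load balancing on a single FGT (v5.2 style) ---
# Assumed gateways: 123.123.123.1 (ISP A) and 62.62.62.1 (ISP B).
config system interface
    edit "wan1"
        set ip 123.123.123.7 255.255.255.248
        set allowaccess ping
    next
    edit "wan2"
        set ip 62.62.62.7 255.255.255.248
        set allowaccess ping
    next
end

config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based   # keep one source on one ISP
    config members
        edit 1
            set interface "wan1"
            set gateway 123.123.123.1       # assumed ISP A gateway
        next
        edit 2
            set interface "wan2"
            set gateway 62.62.62.1          # assumed ISP B gateway
        next
    end
end

# Single default route via the load-balancing interface; per-member
# gateways above decide which physical link a session leaves on.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "virtual-wan-link"
    next
end

# Outbound policy from the LAN ("internal" is assumed) with source NAT.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# --- Stage 2: A-P cluster, applied on both units before cabling the HA ports ---
# Both units get the same group name/password; the higher priority wins
# the first election. Monitoring wan1/wan2 fails over on a dead ISP link,
# and session-pickup carries existing sessions to the new master (works in a-p too).
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password <HA_PASSWORD_PLACEHOLDER>
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set override disable
    set priority 200                        # use e.g. 100 on the second unit
    set monitor "wan1" "wan2"
end
```

After the cluster negotiates, check `get system ha status` on the master: both units should be listed and the interface IPs above should appear on the slave without being typed there. If a WAN link only works with one unit powered, the first thing to verify is that the second unit is joined to the cluster rather than running the same public IP as a standalone device, which is exactly the duplicate-IP/different-MAC symptom seen earlier in the thread.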

 

 

walidmuhamed

Hello Millibhu,

 

Would you please give me feedback, since I'm facing the same topology with the exact same requirements? Will it work in HA A-P or A-A, and if there is a router on the edge facing the internet, will it work since I'm using private IPs? Also, how should it be configured? Thanks
