Hello AEK

Thanks for your reply. For your first point about FG is completely down. I've considered this situation actually. But I think adding a pair of L2 switches will be similar. If I add a pair of L2 switch in this design, the server will be completely isolated as well if one switch is completely down. That's also the reason I'm thinking if a switch is really required. But if the passive FG can't work as a L2 switch. Then this is not doable...

And for the other point, I think that may be a good idea. Actually I'm also considering if I can use a feature named NIC Teaming on Windows OS to avoid extra switch. But the thing is, I can't find any detail document about how NIC Teaming is working. I can use two NIC port on the servers to connect to both FG. But if those two ports are all UP. Will the OS sending traffic to both ports even one port is connecting a passive FG? If so, then it will bring issues. Maybe the best way is just to do a POC test. But the awkward thing is...Our customer will purchase the secondary firewall only if this design will work......o(╥﹏╥)o

Hi @Oucean 

No, if you add a pair of switch (stack, mlag, ...) and use LACP to connect each server to both switches then in case one FG is down or one switch is down the  your server will still be accessible.

For the second option (no switch), even I find this design a bit ugly, and probably no one firewall vendor has documented such design, (and I'd never do that in prod except in lab), I think you need to select the right teaming/IPMP algorithm that must be L3 based, not L2 based, otherwise as you said it might be possible to have a bad side effects. I didn't have a time te test it, so for sure you need to do a PoC.

Another bad side effects is even if this design works, in case one day you have some issue related to this design then Fortinet support "may" tell you this design is not supported and you need to add L2 switches.

(I'm sorry, I changed my email ID and not able to access my prefious profile now...)

Hello @AEK 

Thanks for your reply.

Ah...If that's the case, then you are correct. We need a pair of switch stack to provide a better HA architecture. Just need the server to have 2 NIC and configure LACP. Almost all servers can support this. Just, my challenge is, the customer has very limit budget, not sure the budget can cover two switches that support stacking and LACP...Anyway, I'll take your point to my customer. Thanks a lot for your comment.

For the second option, as I mentioned just now, the budget is limited. Also the customer doesn't want to add more devices. That's the reason I'm considering "no-switch" design. The key point of this option is the of Windows OS's NIC Teaming algorithm. I agree with you this needs to be a L3 based algorithm. Maybe I'll try to post a thread in Microsoft Community.

The best way is to just do a PoC, but the budget limitation is a headache.

I'll bring all our points to the customer and try to discuss with them again. Your point about Fortinet support is also one that should be considered. Thanks again for your kingdly help.

Hello hbac

Thanks for your reply. So even the L2 switch function will not work, right? May I know if we have any tried on this point? Of course the best way is that I just do a POC test for this. But the awkward thing is...Our customer will purchase the secondary firewall only if this design can work......o(╥﹏╥)o