Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Muhammad_Haiqal
Staff
Staff

Created on ‎01-07-2020 12:18 AM Edited on ‎02-05-2024 01:20 AM By Community Manager

Article Id 196942

Technical Tip: High Availability basic deployment design

Description


This article explains Active-Passive High Availability scenario.

 

Scope

 

Any supported version of FortiGate, High Availability.


Solution

 

In the following scenarios, FortiGate is connected to two switches without LACP and with LACP (802.3ad) design.
Any HA deployment is highly dependent on the network side. 

The following scenarios explain common best practices for HA network design.


Scenario 1: Without LACP.


 
SW-A and SW-B are in one cluster or called stacking which acts as 1 brain.
 
- One cable(port23) from SW-A connects to FGT-A(port1).
- One cable(port23) from SW-B connects to FGT-B(port1).
 
Assuming SW-A and SW-B are the 'core switch'(one brain) for now, which connects to FGT-A and FGT-B.

Core switch: 10.10.10.2
Fortigate: 10.10.10.1

SW-A(port23) to FGT-A(port1) set as VLAN100
SW-B(port23) to FGT-B(port1) set as VLAN100

From a core switch perspective, 10.10.10.1 (FortiGate) is reachable on VLAN100.
The core switch(SW-A & SW-B) may send traffic to both FGT-A and FGT-B at the same time due to the same VLAN100.
Since FGT-A is the master, only FGT-A will respond to the traffic. 

 

 
 
Scenario 2: With LACP.
 
kb_17002_2.png

 

 
This scenario is almost the same as the first, but this scenario is configured with LACP for higher redundancy and better performance.
 
On the core switch side:
 
LACP Group A = Port23 & port24 of SW-A. This group connect to FGT-A port1&port2.
LACP Group B = Port23 & port24 of SW-B. This group connect to FGT-B port1&port2.
Separate the LACP group for each FortiGate. Note, two FortiGates are considered as 2 individual brains (active-passive).
Combining 4 cables in 1 group will make the LACP not work as expected.

 

29973
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.