Hello,
(FortiOS 5.6)
The Hardware-Switch on FortiGate 61/81E seems to be limited to the numbered ports (internal1 to internal7); the ports labeled WAN1, WAN2 and DMZ can only be used in a Software-Switch.
I am not concerned about the performance difference (the few % are probably within the sizing we did); I am, however, concerned about the following feature of Hardware-Switch in HA configuration:
The ports of a Hardware-Switch on the standby unit in an HA Active-Standby configuration function like a Layer-2 switch.
We use this in one of our sites with a Pair of FortiGate 140D to provide L2 redundancy without a local switch (by abusing the Standby unit as a secondary local switch). This requires the HW switch(es) of both FortiGates to be interconnected by cable, but it works fine.
We planned on using something similar on the 61/81E as well: by grouping the WAN1 and WAN2 ports into a hardware switch we wanted to be able to connect two uplink cables redundantly to both FortiGate units in an HA cluster without an additional L2 switch.
However this platform only supports Hardware-Switching on Ports Internal1-Internal7, the other ports can only be used in a Software-switch.
I really don't want to use ports labeled "Internal" as the WAN uplinks and the WAN/DMZ ports for internal connections (although that is perfectly possible, I am just concerned that people will complain due to the labels).
My question: Does the Software-Switch also work on a standby unit in an Active-Passive HA cluster? Or is that feature only active on the active firewall?
Well, that's the hardware design of any "two-digit" models. On the other hand, that's the only difference between WAN/DMZ ports and LAN/Internal ports. I wouldn't mind at all using Internal1-2 as uplink connection.