Re: Fortigate 300E - Losing internet connection of some users
Remember the A-A limitations:
"HTTPS, ICMP, multicast, and broadcast sessions are never load balanced and are always processed by the primary unit. IPS, Application Control, flow-based virus scanning, flow-based web filtering, flow-based DLP, flow-based email filtering, VoIP, IM, P2P, IPsec VPN, HTTPS, SSL VPN, HTTP multiplexing, SSL offloading, WAN optimization, explicit web proxy, and WCCP sessions are also always processed only by the primary unit."
"Proxy-based security profile processing that is load balanced includes proxy-based virus scanning, proxy-based web filtering, proxy-based email filtering, and proxy-based data leak prevention (DLP) of HTTP, FTP, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, IM, and NNTP, sessions accepted by security policies"
In your case - 'proxy' - more sessions can be processed by the secondary units, but I would still think twice before switching to A-A HA mode. Today there is more HTTPS than HTTP traffic, so most of the web traffic can be processed only by the primary unit. There is one problem with the traffic that can be sent to the secondaries. It must be sent twice: once as the initial traffic from the sender, and a second time when the primary unit forwards it to the secondary unit. The traffic consumes more bandwidth (2x), but only for the traffic that can be sent to the secondary unit - so only you know the volume and whether it is a problem or not.