vishal
New Contributor

Active Active HA

Hi Everyone, I'm having a doubt regarding an Active Active HA using FGT 200E. Can anyone help me regarding this?

1) Does the subordinate active unit's monitored interface need an IP address configured individually, or is it reflected from the primary active unit when a trigger happens?

2) I'm having 2 heartbeat interfaces for redundancy, so does assigning a heartbeat interface a priority affect primary or secondary unit selection during HA setup?

Any help will be highly appreciated.

Regards, Vishal
hubertzw
Contributor III

Once you configure HA on both (if you have 2 devices), they sync their config. The primary device will send it to the secondary one. You can set a different IP on both to allow access via ssh or https. Make sure you understand the election process to set the right IP on the correct device. Priority is the 3rd parameter to check (default settings) in the HA election process.
vishal

Hubertzw, thanks for your reply. My query is related to a scenario where I have to run 2 FGT200E in Active Active mode, where the internal interface from each FortiGate is connected to 2 switches running in stacking mode. So what configuration needs to be done on the interfaces of both FortiGates connected to the switch stack as internal, so that traffic passes through both units?
ede_pfau

@Vishal:

1- all settings (except very few, like hostname) are duplicated between cluster members. So, port addresses as well. As you connect both ports (master and slave) to a L2 switch, this isn't a problem. They even have the same virtual MAC address (which in cheap switches may be a problem...).

2- HBDEV priority isn't about master election. This parameter only distributes heartbeat traffic across multiple HA links (which is a best practice). You influence election by setting "override" and port monitoring. Port monitoring triggers a failover when a monitored port fails. And of course, the monitored port setting is duplicated between cluster members.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
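The HA settings discussed in the replies above, sketched as a FortiOS CLI fragment. This is an added example, not configuration posted by any participant; the group name, interface names and numeric values are assumptions, and the password is a placeholder.

```fortios
# Added example: names and values are assumptions, not taken from the thread.
config system ha
    # Assumed cluster name; must match on both units.
    set group-name "example-cluster"
    # Active-active, as in the question.
    set mode a-a
    # Placeholder; replace with the cluster's own secret.
    set password <placeholder>
    # Two heartbeat links for redundancy, each with a heartbeat priority.
    # Per the reply above, these values are not part of primary election.
    set hbdev "port9" 50 "port10" 50
    # The reply names "override" and port monitoring as the settings
    # that influence election.
    set override enable
    # Assumed monitored ports; a failed monitored port triggers a failover.
    set monitor "port1" "port2"
    # Device priority, the election parameter mentioned earlier in the thread.
    set priority 200
end
```

Device priority and override are among the few settings that are not synchronized, so they are entered on each unit separately.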
hubertzw

One more comment: if you have different VLANs for port1 and port2, make sure all ports of all cluster members are placed in the correct VLAN. That's critical in the active-active concept. The primary unit must be able to forward traffic from its port1 to port1 of the secondary unit.
vishal

Hi Ede_pfau, thanks for your reply. As per your above points, in which you have described that all settings are duplicated between cluster members, including port addresses: is this applicable in Active Active HA also? Meaning, if I connect my two FortiGate internal interfaces to 2 switches in a stack and form an A-A HA, then the IP address assigned to the 1st active FortiGate's internal interface would be replicated on the 2nd active FortiGate's internal interface, and traffic load sharing/balancing would be achieved. Correct me if I'm wrong. Thanks in advance.
ede_pfau

Synchronization of the config is identical for A-P and A-A clusters.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

You mention stacked switches; are you doing a LACP bundle between each FGT200E to each switch member? Regardless, the A-A or A-P in a stacked env will not matter. I would also ensure (I believe that you are) that each HBDEV interfaces are cabled back-2-back and introduce into the switch stack.

 

So if you're looking for the max in HA and with bandwidth, you could take fgt-port1+2 and create a bonded interface and cable these to switch members sw1+sw2, and fgt-ports 3+4 as port-member cabled to switch members sw1+sw2.

 

Finally for layer3 interfaces you could easily do 802.1q tagging.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
