Firewall Failure - Spare Firewall

SecurityPlus
2020/09/10 05:57:29 (permalink)

We work with a number of offices that use some version of the 50 to 100 series FortiGate firewall. One worry I have is a hardware failure. Though I have only seen 1 failure ever of an in-production firewall, the risk is still a factor. Waiting 1 or 2 days to receive a replacement unit could be costly to the users. I realize that we could run with High Availability (HA), but this would amount to 2x the firewall purchase and support bundle cost. Is there a way to keep a spare firewall in-house and to replace a failed firewall with the spare in the event of a failure? If this is done, I presume that the configuration could be imported from the last backup of the failed firewall. Could the support bundle be transferred to the replacement firewall? If not, I presume that the replacement firewall could run temporarily without these services. Are there any other considerations that I am overlooking?

FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#1
sw2090
Re: Firewall Failure - Spare Firewall 2020/09/11 01:24:28 (permalink) ☼ Best Answer by SecurityPlus 2020/09/11 02:31:54
Licenses can be transferred in the support portal. If you RMA a FortiGate, you can even have Fortinet transfer them to the new unit automatically.
 
If the spare is the same model, you can also transfer the config 1:1. Just create a backup from the current FGT and restore it there.
 
On models that are very close (like 100D and 100E), it may work by replacing the first lines in the backup (they contain model and serial etc.) with those from a backup from the spare one and then restoring this on the spare one.
Did that several times when I migrated from 100D to 100E.
 
In other cases you will have to edit your config to make it fit, because there may be different port names/layout. Some ports may not exist (a 300E, e.g., has no physical WAN1/2 interface). Also, some config options may not exist on different models.
#2
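The header swap described in the answer above, together with the port-name check from its last paragraph, as an added Python example that is not part of the thread and not Fortinet tooling. It assumes the header is the leading run of lines starting with `#` and that interfaces appear as `edit "<name>"` entries under `config system interface`; the function names and the sample backups are constructed for illustration.

```python
import re

def split_header(text):
    """Split a backup into (header, body); header = leading run of '#' lines."""
    lines = text.splitlines()
    n = 0
    while n < len(lines) and lines[n].startswith("#"):
        n += 1
    return lines[:n], lines[n:]

def interface_names(body):
    """Names of `edit "<name>"` entries directly under `config system interface`."""
    names, stack = set(), []
    for raw in body:
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)              # entering a (possibly nested) block
        elif line == "end" and stack:
            stack.pop()                     # leaving the innermost block
        elif stack and stack[-1] == "config system interface":
            m = re.match(r'edit "([^"]+)"$', line)
            if m:
                names.add(m.group(1))
    return names

def transplant(failed_backup, spare_backup):
    """Return (spare header + failed unit's body, interface names the failed unit's
    config defines that the spare's backup lacks). Names the config itself creates
    (VLANs, for example) are listed too and are left for the reader to judge."""
    _, old_body = split_header(failed_backup)
    new_header, spare_body = split_header(spare_backup)
    if not new_header:
        raise ValueError("spare backup has no leading '#' header lines")
    not_on_spare = sorted(interface_names(old_body) - interface_names(spare_body))
    return "\n".join(new_header + old_body) + "\n", not_on_spare

# Constructed sample backups (hypothetical model names, not from real devices).
FAILED = ('#config-version=OLDMODEL-6.0.9-FW-build0000:opmode=0:vdom=0:user=admin\n'
          'config system interface\n    edit "wan1"\n        set mode dhcp\n    next\n'
          '    edit "port1"\n    next\nend\n')
SPARE = ('#config-version=NEWMODEL-6.0.9-FW-build0000:opmode=0:vdom=0:user=admin\n'
         'config system interface\n    edit "wan1"\n    next\nend\n')

if __name__ == "__main__":
    merged, not_on_spare = transplant(FAILED, SPARE)
    print(merged.splitlines()[0])
    print("review before restore:", not_on_spare)
```

An empty second return value means every interface name in the old config also exists in the spare's own backup; anything listed needs renaming or removal in the merged file before it is restored.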
SecurityPlus
Re: Firewall Failure - Spare Firewall 2020/09/11 02:32:47 (permalink)
Thank you. This is very helpful.

#3
lobstercreed
Re: Firewall Failure - Spare Firewall 2020/09/12 10:01:17 (permalink)
I would also point out that the cost of HA (where even a brief failure is unacceptable) is not necessarily 2x everything. 
 
 
If your sales team knows you're buying them for HA, they should give you more of a price break on hardware + support of the 2nd unit--at least if you buy them at the same time.  I've seen it be closer to 50% more for the 2nd unit than what it would have been with just 1. 
 
Something to keep in mind where uptime is critical and there's some wiggle room for cost.
#4