Another interesting video. It is very useful to have practical cases. A good complement to Fortinet's technical files. Excuse me for my English. I am from France.
@FortinetGuru 5 years ago
Thanks Cedric
@rakuntal100 a month ago
Superb video, thanks
@ojammeh 3 years ago
Hi. Thanks for this. If I have a site-to-site VPN in which the other side uses the wan1 public IP as peer, what happens if wan1 is down? Will the other side recognize my wan2 and establish a connection there?
@chrism589 a year ago
Glad I found this video as it is a close match to what we have. I have a question though. WAN1 and WAN2 use different IP address/range. If WAN1 goes down (which is also our range of public IPs), how can external users access our websites? We can inform our service provider to advertise the WAN1 addresses via WAN2, but if WAN1 is down they can no longer get to WAN1 as the link is down. Can they get to it via WAN2? Is it possible for traffic coming into WAN2 to access the addresses on WAN1? Hope I am making sense?
@FortinetGuru 9 months ago
It will use the external IP of the interface. If you need public IPs to persist then you would use BGP with a public space you own. If you want publicly accessible stuff to be available you would use some level of dynamic or DNS failover to change records when the primary link goes down.
@gautamgarg1649 2 years ago
I have two ISPs configured, and one of my ISPs goes down and the second ISP becomes active, and my backup ISP is not passing data. So what can be the reasons behind it?
@claudioi.villagra9163 3 years ago
Thanks for taking the time to do all of those pretty good videos! Question: do the cluster's members need to be the exact same model? I heard that for using HA they must be the same models...?
@FortinetGuru 3 years ago
Same hardware model
@claudioi.villagra9163 3 years ago
Thanks!
@Plutonash262 2 years ago
Can I configure Fortigate LAN ports as WAN ports for more than 2 ISP connections?
@battlement 5 years ago
So strange, I just set up my first HA pair last week. I also have a Splunk shirt that reads "Because Ninjas Are Too Busy". It's good to know that the HA pair was set up correctly. Have you messed around with the automation feature in 6.2? I tried making a "Conserve Mode Emergency Reboot" event that runs a CLI script that does an "exe reboot" followed by a "y", but it doesn't seem to be working. Any thoughts on what I am missing? Thanks for sharing your knowledge!
@FortinetGuru 5 years ago
I haven't dove as deep into 6.2 as I would like to just yet. I love Splunk!
@leihan942 11 months ago
Are Fortigates in NAT mode or transparent mode in this configuration? If I would like to use them in NAT mode, it seems I cannot avoid double NAT. Will IPSec dialup VPN and SSL VPN be affected if double NAT is involved? How about only connecting 1 ISP to 1 FortiGate to avoid double NAT or transparent mode?
@FortinetGuru 9 months ago
You can run Fortigates just fine like this. You would want public IPs to pass down to the interface though. That will depend on the ISP.
@mdabdulmoiz 3 years ago
One question here: since there is only one link between the two firewalls, is this the only link responsible for sharing heartbeat, link-down info, session table information and config change replication? Don't we use two links as we do with the Palo Alto control link and data links?
@FortinetGuru 3 years ago
You can utilize two links. Higher end models have two ports specifically labeled as such. You are free to use any port on the device for it as you see fit though.
@chrismccann8991 3 years ago
If we have the two firewalls separated by distance (still running active/passive) (our ISPs come in different buildings), running a link to each ISP from each FW could be challenging. Is it acceptable to have only a single link from each FW to each ISP link?
@wilder92 2 years ago
You would have two different ISPs per firewall in the same pair? So the primary would be connected ONLY to ISP1, and the secondary (which is in a different building) connected to ONLY ISP2? If that's the case, it is possible; however, you would not be able to monitor the ISPs because from the cluster perspective, one ISP would always be in a down state (only a physical connection to one ISP). If it's OK to only monitor the LAN, then it would probably work, but you'd lose that WAN up/down monitoring so it may not be useful. I see your comment is a year old, were you able to get this working? Curious to see your solution.
@childsplay1495 3 years ago
In an interview, I was asked when ISP1 fails the traffic doesn't move to ISP2. It needs a refresh. So, why do we need a refresh to move the traffic to ISP2?
@FortinetGuru 3 years ago
If you have link monitors on the failing links then sessions should fail over fine.
@mdabdulmoiz 3 years ago
Maybe GARP?
@yehan89 3 years ago
Can WAN1 ports on both firewalls have the same IP address? Can you elaborate on the IP assignment on the 2 firewalls and WAN router?
@FortinetGuru 3 years ago
Fortigates do HA via layer 2. Virtual MAC owns the IP and it floats between the two depending on who is master.