you don't like the sd-wan feature?

Very good question Jinoos. IPSec VPN is usually hardcoded to one static IP address or DNS name, and remote gateway can't be used in multiple VPNs - limit one - so your best option in this case as Abdul mentioned is to create SD-WAN zone (check channel latest video on how to configure SD-WAN), include WAN1 and WAN2 interfaces to an SD-WAN zone, create default route to SD-WAN zone interface instead of individual port names. Create VPN tunnel, local interface should be the SD-WAN zone, and firewall policies according o your needs, now your side is done. For the remote site they need to be able to connect to either of your public IPs, the hard way to do this is to have them create two tunnels with same settings except one of them has remote gateway your Public IP 1 and the other would have remote gateway as Public IP 2, the easy way to do this is to enable FortiGuard DDNS on the settings page, this will assign your SD-WAN interface IP to a domain like jinoos.fortiddns.com then ask them to create one tunnel only with remote gateway set as Dynamic DNS and the hostname would be jinoos.fortiddns.com, only caveat for the easy method if you watch the SD-WAN video you will notice lots of failovers and these DNS changes on Internet take time to take effect so might cause downtimes occasionally. Go for hard way for more stability.

Hi Fella, what kind of switch are you using and what are you trying to configure on it? for heartbeat links they can be connected directly between two firewalls or through a switch but since it's layer2 communication no need to configure anything on switch side.

LACP is not needed at all for this example, the switch would forward the ARP requests and primary firewall would answer with its virtual mac address, switch then will learn to use that interface (until ARP time out) to reach the upstream gateway.

You can configure multiple HA links for redundancy which is quite common on enterprise networks, Assume you dedicate ports 10 and 11 for HA redundant links you would complete the config as follows config system ha set hbdev port10 100 port11 75 end The HB device refers to heartbeat interfaces used to communicate cluster info via multicast. The following numbers (100 and 75) are heartbeat interface priority, higher priority means more preferred, so in above example port10 with higher priority is used and preferred unless it goes down or fail, then switch to port11 and continue cluster sync.

No restart needed. Use (diag sys ha status) to verify both members status are in-sync

@@ElastiCourse thank you, do you have HA in active active video?

Not currently, but I will work on HA Active Active setup soon.

@@ElastiCourse sounds great, i can't wait for it :D

Correct Active-Active is more ideal for higher bandwidth, and it shares same capabilities of Active Passive setup like automatic session failover and two-way config sync.

Please share the cli command it's useful for our practice CLI mode

config system ha set mode a-a end This is the command to convert to Active-Active mode

No. Am asking like documentation it's useful for us.. If you any blog please share me.

You can configure HA using GUI or CLI. CLI is better in my opinion as it shows more hidden options. Try this to see yourself the amount of hidden options: config system ha set ? Question mark will list all options possible for HA config also: config system ha config ?

May i kindly ask if the course posted on udemy is good enough to get pass NSE4 or other levels?