HA using a hardware switch to replace a physical switch

Using a hardware switch to replace a physical switch is not recommended, as it offers no redundancy or interface monitoring.

  • If one FortiGate loses power, all of the clients connected to that FortiGate device cannot go to another device until that FortiGate recovers.
  • A hardware switch cannot be used as a monitor interface in HA. Any incoming or outgoing link failures on hardware member interfaces will not trigger failover; this can affect traffic.

Examples

The examples use the following topology:

Traffic between hardware switches

When using a hardware switch in an HA environment, a client device connected to the hardware switch on the primary FortiGate can communicate with client devices connected to the hardware switch on secondary FortiGates, as long as there is a direct connection between the two switches.

No configuration is required after setting up the hardware switches. If a client connected to either hardware switch needs to reach destinations outside of the cluster, the firewall must be configured for it.

To configure the FortiGate devices:
  1. Connect the devices as shown in the topology diagram.
  2. On each FortiGate, configure HA:
    config system ha
        set mode a-a
        set group-name Example_cluster
        set hbdev ha1 10 ha2 20
    end
  3. On the primary FortiGate, configure the hardware switch:
    config system virtual-switch
        edit Hardware-SW
            set physical-switch sw0
            config port
                edit port3
                next
                edit port5
                next
            end
        next
    end
  4. On each FortiGate, configure the IP addresses on the hardware switches:
    config system interface
        edit Hardware-SW
            set ip 6.6.6.1 255.255.255.0
            set allowaccess ping ssh http https
        next
    end

    After configuring the hardware switches, PC1 and PC2 can now communicate with each other.

Traffic passes through FortiGate

If a client device needs to send traffic through the FortiGate, additional firewall configuration on the FortiGate is required.

All traffic from the hardware switches on either the primary or secondary FortiGate reaches the primary FortiGate first. The traffic is then directed according to the HA mode and firewall configuration.

To configure the FortiGate devices:
  1. Connect the devices as shown in the topology diagram.
  2. On each FortiGate, configure HA:
    config system ha
        set mode a-a
        set group-name Example_cluster
        set hbdev ha1 10 ha2 20
    end
  3. On the primary FortiGate, configure the hardware switch:
    config system virtual-switch
        edit Hardware-SW
            set physical-switch sw0
            config port
                edit port3
                next
                edit port5
                next
            end
        next
        edit Hardware-SW2
            set physical-switch sw0
            config port
                edit port1
                next
            end
        next
    end
  4. On each FortiGate, configure the IP addresses on the hardware switch:
    config system interface
        edit Hardware-SW
            set ip 6.6.6.1 255.255.255.0
            set allowaccess ping ssh http https
        next
        edit Hardware-SW2
            set ip 172.16.200.1 255.255.255.0
            set allowaccess ping ssh http https
        next
    end
  5. On each FortiGate, configure a firewall policy:
    config firewall policy
        edit 1
            set srcintf Hardware-SW
            set dstintf Hardware-SW2
            set srcaddr all
            set dstaddr all
            set service ALL
            set action accept
            set schedule always
            set nat enable
        next
    end
  6. On each FortiGate, configure a static route:
    config router static
        edit 1
            set device Hardware-SW2
            set gateway 172.16.200.254
        next
    end

    Traffic from PC1 and PC2 can now reach destinations outside of the FortiGate cluster.
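The caveat at the top of this page (a hardware switch and its member ports cannot be HA monitor interfaces, so link loss there never triggers failover) is easy to lose track of once the configuration above is in place. The following is an added audit script, not Fortinet's code: it parses FortiOS CLI text of the shape used in the steps above and reports every hardware switch, its member ports, and whether the switch or a member was wrongly named under `set monitor` in `config system ha`. The sample configuration is constructed for the example and deliberately contains that mistake.

```python
SAMPLE_CONFIG = """\
config system ha
    set mode a-a
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
    set monitor Hardware-SW port7
end
config system virtual-switch
    edit Hardware-SW
        set physical-switch sw0
        config port
            edit port3
            next
            edit port5
            next
        end
    next
end
"""  # constructed sample: the 'set monitor' line is the mistake to catch

def parse_fortios(text):
    """'config X' and 'edit N' open a nested dict, 'set k v...' stores a
    value list, 'next'/'end' close the current scope."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        words = [w.strip('"') for w in line.split()]
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            cur = stack.pop()
    return root

def audit_hardware_switch_ha(cfg):
    """One finding per hardware switch; 'in_monitor' lists invalid monitor entries."""
    monitored = set(cfg.get("system ha", {}).get("monitor", []))
    findings = []
    for name, sw in cfg.get("system virtual-switch", {}).items():
        members = sorted(sw.get("port", {}))          # physical member ports
        bad = sorted(({name} | set(members)) & monitored)
        findings.append({"switch": name, "members": members, "in_monitor": bad,
                         "failover_on_link_loss": False})  # never, per the page
    return findings
```

Run it against a `show full-configuration` dump to list which client-facing ports have no failover coverage before relying on the cluster.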
