High availability and redundancy

Downtime due to an unexpected network failure negatively impacts business operations. For some companies, some downtime is acceptable; for others, any downtime is unacceptable. Determine your uptime requirements, and ensure that your network has the resilience to meet those requirements.

Building a resilient network costs more initially, as it can include HA, cold standby spares, multiple internet circuits, premium support contracts, and more.

High availability

HA not only provides resilience in the event of a cluster member failing, but also allows for firmware updates without any downtime. Several HA options are supported by FortiGate: FortiGate Clustering Protocol (FGCP), FortiGate Session Life Support Protocol (FGSP), Virtual Router Redundancy Protocol (VRRP), and auto scaling in cloud environments.

FGCP is the most commonly used HA solution. It allows two or more FortiGates of the same type and model to be put into a cluster in Active-Passive (A-P) or Active-Active (A-A) mode. A-P mode provides redundancy by having one or more FortiGates in hot standby in case the primary device experiences a detectable failure. If a failure occurs, traffic quickly fails over to a secondary device, preventing any significant downtime. A-A mode allows traffic to be balanced across the units in the cluster for scanning purposes, and also performs failover. For FortiGates on the network edge, at least a two-unit cluster is recommended.

FGSP is used in more advanced setups that include external load balancers that distribute traffic across the firewall nodes. FGSP members do not need to have the same network configuration, so they do not need to be in the same physical location. Each FGSP member usually has identical firewall policies to enforce the same access rules. Sessions can be failed over from one FGSP member to another if a device failure occurs.

HA is supported on cloud and virtual platforms. In the cloud, HA can be configured in A-P, A-A load balancing, auto-scaling, and others. See the FortiGate Public Cloud documentation for more information.

FortiGates also support VRRP. This can be an appropriate choice when interoperating with third-party routers and firewalls. Consult public documentation for further details.

Assess your environment and budget to determine what options are most appropriate for your use case.

Redundant and aggregate links

Using multiple interfaces and links adds resiliency if one link fails, and increases throughput at a lower cost than using a single link with a larger throughput. For example, a 10 GB interface can be less than half the cost of a 20 GB interface.

When using multiple links to connect your FortiGate to the LAN, assess your network for single points of failure. For example, if both links connect to a single switch, and that switch fails, then you could experience an outage. If a single FortiGate is used in the network path, a failure on that FortiGate would also disrupt traffic. A full mesh switching solution along with FortiGate HA could be used so that no single link, switch, or firewall is a point of failure that could disrupt the entire network. For information on FortiSwitch architectures that can deploy such redundancy, see the FortiSwitch documentation.
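The single-point-of-failure assessment described above can be run against a model of the topology. The following is an added example, not Fortinet code: the device names (wan, fgt1, sw1, lan) and the three topologies are constructed, and "wan" and "lan" stand for the two sides that must stay connected.

```python
from collections import deque

# Constructed topologies: each tuple is one physical link between two devices.
SINGLE_SWITCH = [("wan", "fgt1"), ("fgt1", "sw1"), ("fgt1", "sw1"),  # two links, one switch
                 ("sw1", "lan")]
HA_ONE_SWITCH = [("wan", "fgt1"), ("wan", "fgt2"),
                 ("fgt1", "sw1"), ("fgt2", "sw1"), ("sw1", "lan")]
FULL_MESH_HA = [("wan", "fgt1"), ("wan", "fgt2"),
                ("fgt1", "sw1"), ("fgt1", "sw2"),
                ("fgt2", "sw1"), ("fgt2", "sw2"),
                ("sw1", "sw2"), ("sw1", "lan"), ("sw2", "lan")]


def reachable(links, src, dst, dead_node=None, dead_link=None):
    """Breadth-first search from src to dst with one device or one link removed."""
    adj = {}
    for i, (a, b) in enumerate(links):
        if i == dead_link or dead_node in (a, b):
            continue  # skip the failed link, or any link touching the failed device
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, src="wan", dst="lan"):
    """Return (devices, links) whose individual failure cuts src off from dst."""
    devices = sorted({n for link in links for n in link} - {src, dst})
    bad_devices = [d for d in devices if not reachable(links, src, dst, dead_node=d)]
    bad_links = [links[i] for i in range(len(links))
                 if not reachable(links, src, dst, dead_link=i)]
    return bad_devices, bad_links


if __name__ == "__main__":
    for name, topo in [("single switch", SINGLE_SWITCH),
                       ("HA, one switch", HA_ONE_SWITCH),
                       ("full mesh + HA", FULL_MESH_HA)]:
        print(name, single_points_of_failure(topo))
```

Parallel links between the same two devices are kept as separate entries, so a redundant pair of cables is not reported as a link failure point even though the switch they share is.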

SD-WAN

Traffic bottlenecks and disruptions often occur on the WAN links and ISP networks that are outside of your network. These can be due to bandwidth limitations, link quality, and other outside factors that are affecting your ISP. Using multiple WAN connections from different vendors can ensure connectivity in the event of an ISP outage and increase performance and throughput. SD-WAN SLA performance health checks can ensure that your WAN connection is always available by selecting the next redundant WAN if the quality of the WAN link is degraded.

SD-WAN can also provide application and service based steering. For example, critical traffic can be steered to a more expensive but more reliable transport link, while less important traffic is steered to a cheaper, higher bandwidth link. After the rules have been defined, traffic steering happens automatically, with failover occurring as needed based on the link health monitors. This can save administrative effort, and the panic caused by network outages, while providing a stable experience for the end users.
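The steering and failover behaviour described above can be illustrated with a simplified model. This is an added example, not FortiOS code or its selection algorithm: the link names, measurements, SLA thresholds, and the best-effort fallback when no link meets the SLA are all assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed model: one health-check measurement per WAN link.
Link = namedtuple("Link", "name latency_ms jitter_ms loss_pct")
# A steering rule: preferred link order plus the SLA targets the link must meet.
Rule = namedtuple("Rule", "order max_latency_ms max_jitter_ms max_loss_pct")

RULES = {
    # Critical traffic prefers the reliable (more expensive) circuit.
    "voice": Rule(["mpls", "broadband"], 100.0, 20.0, 1.0),
    # Less important traffic prefers the cheaper, higher bandwidth circuit.
    "backup": Rule(["broadband", "mpls"], 300.0, 100.0, 5.0),
}


def meets_sla(rule, link):
    """True when every measured value is within the rule's SLA targets."""
    return (link.latency_ms <= rule.max_latency_ms
            and link.jitter_ms <= rule.max_jitter_ms
            and link.loss_pct <= rule.max_loss_pct)


def steer(rule, links):
    """Pick the first preferred link that meets the SLA.

    Assumed fallback for this model: if no link meets the SLA, use the link
    with the lowest packet loss that is not completely down; None if all are down.
    """
    by_name = {l.name: l for l in links}
    candidates = [by_name[n] for n in rule.order if n in by_name]
    for link in candidates:
        if meets_sla(rule, link):
            return link.name
    usable = [l for l in candidates if l.loss_pct < 100.0]
    return min(usable, key=lambda l: l.loss_pct).name if usable else None


def plan(links):
    """Map each traffic class to the link it would use right now."""
    return {name: steer(rule, links) for name, rule in RULES.items()}


# Constructed health-check samples.
HEALTHY = [Link("mpls", 20, 2, 0.0), Link("broadband", 35, 8, 0.5)]
MPLS_DEGRADED = [Link("mpls", 180, 40, 6.0), Link("broadband", 35, 8, 0.5)]
BROADBAND_DOWN = [Link("mpls", 20, 2, 0.0), Link("broadband", 0, 0, 100.0)]

if __name__ == "__main__":
    for label, sample in [("healthy", HEALTHY), ("mpls degraded", MPLS_DEGRADED),
                          ("broadband down", BROADBAND_DOWN)]:
        print(label, plan(sample))
```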

For more information about SD-WAN solutions and configurations, see SD-WAN in the FortiOS Administration Guide.
