HA between remote sites over managed FortiSwitches

In a multi-site FortiGate HA topology that uses managed FortiSwitches in a multi-chassis link aggregation group (MCLAG) to connect between sites, HA heartbeat signals can be sent through the switch layer of the FortiSwitches, instead of through back-to-back links between the heartbeat interfaces. This means that two fiber connections can be used, instead of four. The FortiSwitches can be different models, but must all support MCLAG and be running version 6.4.2 or later.

This example shows how to configure heartbeat VLANs to assign to the access ports that the heartbeat interfaces connect to, passing over the trunk between the FortiSwitches on the two sites.

In this example, FortiGate HA is configured with two FortiGates in separate locations, and the switch layer connection between the FortiSwitches carries the heartbeat signal.

To configure the example:
  1. Disconnect the physical connections between Site 1 and Site 2:

    • Disconnect the cable on Site 1 FSW-1 port 12.

    • Disconnect the cable on Site 1 FSW-2 port 10.

  2. Configure Site 1:

    1. On the FortiGate, go to WiFi & Switch Controller > FortiLink Interface and configure FortiLink.

    2. Go to System > HA and configure HA:

      1. Set the heartbeat ports to the ports that are connected to the FortiSwitch.

      2. Adjust the priority and enable override so that this FortiGate becomes the primary.

    3. Go to WiFi & Switch Controller > FortiSwitch VLANs and create a switch VLAN that is dedicated to the FortiGate HA heartbeats between the two FortiGates.
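
The Site 1 HA and heartbeat VLAN steps above can also be expressed in the FortiOS CLI. The following is an added example, not configuration taken from this page: the group name, heartbeat interface names, priority value, VLAN name and ID, and the angle-bracket placeholders are all assumptions to replace with your own values.

```fortios
# Added example. Every name and value here is an assumption, not from this page.

# HA settings on the Site 1 FortiGate (GUI: System > HA)
config system ha
    set group-name "site-ha"
    set mode a-p
    set password <ha-password>
    # Heartbeat ports are the FortiGate ports cabled to the FortiSwitch
    set hbdev "port3" 50 "port4" 50
    # Higher priority plus override makes this unit the primary
    set priority 200
    set override enable
    # Not a step on this page: FGCP options that authenticate and encrypt
    # heartbeat packets, which here cross the shared switch layer
    set authentication enable
    set encryption enable
end

# Switch VLAN dedicated to HA heartbeats
# (GUI: WiFi & Switch Controller > FortiSwitch VLANs)
config system interface
    edit "ha-hb"
        set vdom "root"
        set interface "fortilink"
        set vlanid 998
    next
end

# Assign the heartbeat VLAN to the access port that a heartbeat
# interface connects to on a managed FortiSwitch
config switch-controller managed-switch
    edit "<FSW-1-serial>"
        config ports
            edit "<hb-access-port>"
                set vlan "ha-hb"
            next
        end
    next
end
```

The heartbeat VLAN should carry no other traffic, and the authentication and encryption settings must match on both cluster members.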