HA using a hardware switch to replace a physical switch
Using a hardware switch to replace a physical switch is not recommended, as it offers no redundancy or interface monitoring.
- If one FortiGate loses power, all of the clients connected to that FortiGate device cannot go to another device until that FortiGate recovers.
- A hardware switch cannot be used as a monitor interface in HA. Any incoming or outgoing link failures on hardware member interfaces will not trigger failover; this can affect traffic.
Examples
The examples use the following topology:
Traffic between hardware switches
When using Hardware switch in HA environment, a client device connected to the hardware switch on the primary FortiGate can communicate with client devices connected to the hardware switch on secondary FortiGates as long as there is a direct connection between the two switches.
No configuration is required after setting up the hardware switches. If a client connected to both of the hardware switches needs to reach destinations outside of the cluster, the firewall must be configured for it.
To configure the FortiGate devices:
- Connect the devices as shown in the topology diagram.
- On each FortiGate, configure HA:
config system ha set mode a-a set group-name Example_cluster set hbdev ha1 10 ha2 20 end - On the primary FortiGate, configure the hardware switch:
config system virtual-switch edit Hardware-SW set physical-switch sw0 config port edit port3 next edit port5 next end next end - On each FortiGate, configure the IP addresses on the hardware switches:
config system interface edit Hardware-SW set ip 6.6.6.1 255.255.255.0 set allowaccess ping ssh http https next endAfter configuring the hardware switches, PC1 and PC2 can now communicate with each other.
Traffic passes through FortiGate
If client device needs to send traffic through the FortiGate, additional firewall configuration on the FortiGate is required.
All traffic from the hardware switches on either the primary or secondary FortiGate reaches the primary FortiGate first. The traffic is then directed according to the HA mode and firewall configuration.
To configure the FortiGate devices:
- Connect the devices as shown in the topology diagram.
- On each FortiGate, configure HA:
config system ha set mode a-a set group-name Example_cluster set hbdev ha1 10 ha2 20 end - On the primary FortiGate, configure the hardware switch:
config system virtual-switch edit Hardware-SW set physical-switch sw0 config port edit port3 next edit port5 next end next edit Hardware-SW2 set physical-switch sw0 config port edit port1 next end next end - On each FortiGate, configure the IP addresses on the hardware switch:
config system interface edit Hardware-SW set ip 6.6.6.1 255.255.255.0 set allowaccess ping ssh http https next edit Hardware-SW2 set ip 172.16.200.1 255.255.255.0 set allowaccess ping ssh http https next end - On each FortiGate, configure a firewall policy:
config firewall policy edit 1 set srcintf Hardware-SW set dstintf Hardware-SW2 set srcaddr all set dstaddr all set service ALL set action accept set schedule always set nat enable next end - On each FortiGate, configure a static route:
config router static edit 1 set device Hardware-SW2 set gateway 172.16.200.254 next endTraffic from PC1 and PC2 can now reach destinations outside of the FortiGate cluster.