HA using a hardware switch to replace a physical switch
Using a hardware switch to replace a physical switch is not recommended, as it offers no redundancy or interface monitoring.
- If one FortiGate loses power, the clients connected to that FortiGate cannot move to another device and stay disconnected until that FortiGate recovers.
- A hardware switch cannot be used as a monitor interface in HA. Any incoming or outgoing link failures on hardware member interfaces will not trigger failover; this can affect traffic.
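The following audit sketch is an added example, not Fortinet code: it reads a FortiOS configuration backup and lists the hardware switch member ports that HA cannot monitor, as described in the two points above. It assumes hardware switches appear under `config system virtual-switch` and that HA monitor interfaces are set with `set monitor`; the sample configuration and the names `lan-sw`, `port3` and `port4` are constructed for illustration.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not taken from the page).
SAMPLE = '''config system virtual-switch
    edit "lan-sw"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port4"
            next
        end
    next
end
config system ha
    set mode a-a
    set monitor "port1" "lan-sw"
end
'''

def parse(text):
    """Return (switches, ha): switch name -> member ports, and HA settings."""
    stack, switches, ha = [], {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]          # blank lines match nothing below
        if tok[0] in ("config", "edit"):
            stack.append(tok)
            path = [" ".join(t[1:]) for t in stack]
            if path[0] == "system virtual-switch" and tok[0] == "edit":
                if len(path) == 2:
                    switches[tok[1]] = []                 # hardware switch name
                elif len(path) == 4 and path[2] == "port":
                    switches[path[1]].append(tok[1])      # member port
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and [t[1:] for t in stack] == [["system", "ha"]]:
            ha[tok[1]] = tok[2:]                          # top-level HA setting
    return switches, ha

def audit(text):
    """List hardware-switch findings for a configuration with HA enabled."""
    switches, ha = parse(text)
    if ha.get("mode", ["standalone"]) == ["standalone"]:
        return []                                         # HA not in use
    monitored = set(ha.get("monitor", []))
    findings = [f"{sw}: hardware switch named in HA monitor list"
                for sw in switches if sw in monitored]
    for sw, ports in switches.items():
        findings += [f"{p}: member of {sw}, link failure will not trigger failover"
                     for p in ports]
    return findings
```

Calling `audit()` on the text of a backup file returns one finding per hardware switch member port, plus one for any hardware switch named in the monitor list.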
Examples
The examples use the following topology:
Traffic between hardware switches
When using a hardware switch in an HA environment, a client device connected to the hardware switch on the primary FortiGate can communicate with client devices connected to the hardware switch on the secondary FortiGates, as long as there is a direct connection between the two switches.
No configuration is required after setting up the hardware switches. If a client connected to both of the hardware switches needs to reach destinations outside of the cluster, the firewall must be configured for it.
To configure the FortiGate devices:
- Connect the devices as shown in the topology diagram.
- On each FortiGate, configure HA:
    config system ha
        set mode a-a
        set group-name Example_cluster
        set hbdev ha1 10 ha2 20
    end
- On the primary FortiGate, config