Hyperscale Firewall Guide

Recommended interface use for an FGCP HA hyperscale firewall cluster

When setting up an FGCP HA cluster of two FortiGates operating as hyperscale firewalls, you need to select interfaces to use for some or all of the following features:

  • Management.

  • HA heartbeat (also called HA CPU heartbeat).

  • HA session synchronization (also called HA CPU session synchronization).

  • FGCP HA hardware session synchronization.

  • Hardware logging.

  • CPU logging.

  • Logging to FortiAnalyzer.

The following table contains Fortinet's recommendations for the FortiGate interfaces to use to support these features.

| Interfaces | Recommended for |
|---|---|
| MGMT1 and MGMT2 | Normal management communication with the FortiGates in the cluster. |
| HA1 and HA2 | HA heartbeat (also called HA CPU heartbeat) between the FortiGates in the cluster. |
| AUX1 and AUX2 | HA session synchronization (also called HA CPU session synchronization) or session pickup. The AUX1 and AUX2 interfaces are available only on the FortiGate 4200F/4201F and 4400F/4401F. For other FortiGate models, you can use any available interface or LAG for HA CPU session synchronization. For example, you may be able to use the HA1 and HA2 interfaces for both HA CPU heartbeat and HA CPU session synchronization. If you need to separate HA CPU heartbeat traffic from HA CPU session synchronization traffic, you can use a data interface or a data interface LAG for HA CPU session synchronization. |
| Data interface or data interface LAG | FGCP HA hardware session synchronization. If you use a data interface LAG as the FGCP HA hardware session synchronization interface, the LAG cannot be monitored by HA interface monitoring. |
| Data interface or data interface LAG | Hardware logging, CPU logging, and logging to a FortiAnalyzer. Depending on bandwidth use, you can use the same data interface or data interface LAG for all of these features. |
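
These recommendations can be checked against a cluster's `config system ha` block. The following Python lint is an added example, not Fortinet's code: the sample configuration, the interface names, the `lags` parameter and the finding labels are constructed for illustration, and the option names it reads (`hbdev`, `session-sync-dev`, `hw-session-sync-dev`, `monitor`) are FortiOS CLI options that this page does not itself show.

```python
import shlex

# Constructed sample config; interface names such as "hwsync-lag" are assumptions.
SAMPLE_HA_CONFIG = '''
config system ha
    set group-name "hyperscale-cluster"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set session-sync-dev "ha1" "ha2"
    set hw-session-sync-dev "hwsync-lag"
    set monitor "port1" "hwsync-lag"
end
'''

MGMT = {"mgmt1", "mgmt2"}  # reserved for normal management traffic


def parse_ha(text):
    """Return {option: [values]} for every `set` line in the block."""
    opts = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "set":
            opts[tok[1]] = tok[2:]
    return opts


def check_ha(text, lags=()):
    """Compare an HA block with the table; `lags` names the aggregate interfaces."""
    o = parse_ha(text)
    hb = {t for t in o.get("hbdev", []) if not t.isdigit()}  # drop priorities
    sync = set(o.get("session-sync-dev", []))
    hw = set(o.get("hw-session-sync-dev", []))
    mon = set(o.get("monitor", []))
    findings = []
    if not hb:
        findings.append("no-heartbeat-interface")
    # Sharing is allowed by the table; reported so the choice is deliberate.
    if hb & sync:
        findings.append("heartbeat-and-session-sync-share:" + ",".join(sorted(hb & sync)))
    if (hb | sync | hw) & MGMT:
        findings.append("mgmt-interface-reused:" + ",".join(sorted((hb | sync | hw) & MGMT)))
    # A LAG used for hardware session sync cannot be monitored by HA.
    for lag in sorted(hw & mon & set(lags)):
        findings.append("hw-sync-lag-monitored:" + lag)
    return findings


if __name__ == "__main__":
    print(check_ha(SAMPLE_HA_CONFIG, lags={"hwsync-lag"}))
```
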