HA using a hardware switch to replace a physical switch
An HA cluster can be deployed without physical switches connecting the traffic interfaces on the primary and secondary members. This setup may be desirable in certain environments where the network infrastructure must be kept to a bare minimum.
Generally, using a hardware switch to replace a physical switch is not recommended, as it offers no redundancy or interface monitoring. If one FortiGate loses power, all of the clients connected to that FortiGate device cannot go to another device until that FortiGate recovers. A hardware switch cannot be used as a monitor interface in HA. Any incoming or outgoing link failures on hardware member interfaces will not trigger failover; this can affect traffic. Therefore, assess your environment thoroughly before applying this solution.
Examples
The examples use the following topology:
Traffic between hardware switches
When using a hardware switch in an HA environment, a client device connected to the hardware switch on the primary FortiGate can communicate with client devices connected to the hardware switch on the secondary FortiGate as long as there is a direct connection between the two switches.
To configure the FortiGate devices:
- Connect the LAN side of the FortiGate cluster as shown in the topology diagram.
- On each FortiGate, configure HA:

    config system ha
        set mode a-a
        set group-name Example_cluster
        set hbdev ha1 10 ha2 20
    end

- On the primary FortiGate, configure the hardware switch:

    config system virtual-switch
        edit Hardware-SW
            set physical-switch sw0
            config port
                edit port3
                next
                edit port4
                next
            end
        next
    end

- On each FortiGate, configure the IP addresses on the hardware switches:

    config system interface
        edit Hardware-SW
            set ip 192.168.10.1 255.255.255.0
            set allowaccess ping ssh http https
        next
    end
After configuring the hardware switches, PC1 and PC2 can now communicate with each other.
Traffic passes through FortiGate
If a client device needs to send traffic through the FortiGate, additional firewall configuration on the FortiGate is required.
All traffic from the hardware switches on either the primary or secondary FortiGate reaches the primary FortiGate first. The traffic is then directed according to the HA mode and firewall configuration.
On the WAN side, in order for both HA members to reach the upstream router without connecting to a switch, a hardware switch must be configured with a direct connection between the cluster members.
To configure the FortiGate devices:
- Connect the WAN side of the FortiGate cluster as shown in the topology diagram.
- On the primary FortiGate, configure another hardware switch for the WAN connection:

    config system virtual-switch
        edit Hardware-SW2
            set physical-switch sw0
            config port
                edit port1
                next
                edit port2
                next
            end
        next
    end

- On each FortiGate, configure the IP addresses on the hardware switch:

    config system interface
        edit Hardware-SW2
            set ip 172.16.200.1 255.255.255.0
            set allowaccess ping ssh http https
        next
    end

- On each FortiGate, configure a firewall policy:

    config firewall policy
        edit 1
            set srcintf Hardware-SW
            set dstintf Hardware-SW2
            set srcaddr all
            set dstaddr all
            set service ALL
            set action accept
            set schedule always
            set nat enable
        next
    end

- On each FortiGate, configure a static route:

    config router static
        edit 1
            set device Hardware-SW2
            set gateway 172.16.200.254
        next
    end
Traffic from PC1 and PC2 can now reach destinations outside of the FortiGate cluster.
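Both procedures above push CLI blocks in the same FortiOS `config` / `edit` / `set` / `next` / `end` shape, and the caveat at the top of the page (a hardware switch cannot be an HA monitor interface, so member-port link failures never trigger failover) is the kind of thing that is easy to miss in a long configuration. The following script is an added example, not Fortinet code: it parses a FortiOS-style CLI transcript into nested dictionaries and runs a few pre-deployment checks over it. The sample transcript is constructed from the page's LAN and WAN steps plus one added `set monitor Hardware-SW` line to exercise the check; the heartbeat-port overlap check and the cleartext-HTTP management check are general hardening checks, not statements from the page.

```python
import shlex

# Constructed sample: the page's HA, hardware-switch and interface steps merged
# into one transcript, plus a "set monitor Hardware-SW" line (constructed) that
# the page says FortiOS will not accept.
SAMPLE_CONFIG = """
config system ha
    set mode a-a
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
    set monitor Hardware-SW
end
config system virtual-switch
    edit Hardware-SW
        set physical-switch sw0
        config port
            edit port3
            next
            edit port4
            next
        end
    next
    edit Hardware-SW2
        set physical-switch sw0
        config port
            edit port1
            next
            edit port2
            next
        end
    next
end
config system interface
    edit Hardware-SW
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping ssh http https
    next
    edit Hardware-SW2
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping ssh http https
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS-style CLI transcript into nested dicts.

    config <table>   opens a table scope (nested tables are allowed)
    edit <key>       opens an entry inside the current table
    set <k> <v...>   stores the value list on the current entry/table
    next / end       close the current entry / table
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        cur = stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit vs. next/end")
    return root


def audit(cfg):
    """Return a list of findings for a candidate HA + hardware-switch config."""
    findings = []
    switches = cfg.get("system virtual-switch", {})
    ha = cfg.get("system ha", {})
    # 1. A hardware switch cannot be an HA monitor interface (stated on the
    #    page); link failures on its member ports will not trigger failover.
    for iface in ha.get("monitor", []):
        if iface in switches:
            findings.append(f"monitor: {iface} is a hardware switch and cannot be monitored")
    # 2. Heartbeat ports ("hbdev ha1 10 ha2 20" -> ha1, ha2) should be
    #    dedicated; flag any that are also members of a hardware switch.
    hb_ports = set(ha.get("hbdev", [])[0::2])
    for name, sw in switches.items():
        shared = hb_ports & set(sw.get("port", {}))
        if shared:
            findings.append(f"hbdev: {sorted(shared)} also belong to {name}")
    # 3. General hardening check (not from the page): cleartext HTTP management.
    for name, iface in cfg.get("system interface", {}).items():
        if "http" in iface.get("allowaccess", []):
            findings.append(f"allowaccess: {name} permits cleartext HTTP management")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against a `show full-configuration` dump before applying a change set; a non-empty finding list is a reason to revisit the design, since the page's own warning is that nothing in this topology fails over on a link loss.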