
Hardware or VLAN switch behavior in a FortiGate HA cluster

This article describes how hardware (or VLAN) switches behave on FortiGates that are members of an HA cluster.

Scope

FortiGate.

Solution

The sketch above illustrates a sample topology in which FG101F-1 (Primary) and FG101F-2 (Secondary) form an Active-Passive HA cluster. Both devices have a VLAN switch configured, and the two switches are linked to each other through port15 on each firewall.

A PC is plugged into port1 on 101F-1, and another FortiGate (FGT1A) is plugged into port1 on 101F-2.

FG101F-1 # get sys ha stat
.........
Cluster state change time: 2024-06-13 17:06:18
<2024/06/13 17:06:18> vcluster-1: FG101FTK1900AAAA is selected as the primary because its override priority is larger than peer member FG101FTK1900BBBB.
<2024/06/13 17:05:44> vcluster-1: FG101FTK1900AAAA is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
Configuration Status:
FG101FTK1900AAAA(updated 0 seconds ago): in-sync
FG101FTK1900AAAA chksum dump: 7d 61 69 4c cb da 58 78 16 9a 41 b4 5e a4 9c 45
FG101FTK1900BBBB(updated 0 seconds ago): in-sync
FG101FTK1900BBBB chksum dump: 7d 61 69 4c cb da 58 78 16 9a 41 b4 5e a4 9c 45
.........
Primary : FG101F-1 , FG101FTK1900AAAA, HA cluster index = 1
Secondary : FG101F-2 , FG101FTK1900BBBB, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG101FTK1900AAAA, HA operating index = 0
Secondary: FG101FTK1900BBBB, HA operating index = 1


The behavior of the hardware switches is:

  1. They respond to ARP requests and therefore allow devices to connect at Layer 2. This is normal for an active or standalone device, but the passive device does the same.
  2. If there is a link between the hardware switches on FGT101F-1 and FGT101F-2, 101F-2 forwards the traffic of its connected devices to 101F-1, and those devices appear in the ARP table of both FortiGates.
  3. Devices connected to 101F-2 can obtain IP addresses via DHCP from 101F-1 and send traffic to resources on 101F-1 or to the internet, provided the necessary policies are configured.

Sample output from the ARP table of both units and the DHCP lease list of the primary:

FG101F-1 # get sys arp
Address Age(min) Hardware Addr Interface
10.9.31.254 0 00:09:0f:09:fe:1b mgmt
192.168.100.110 0 00:41:74:6c:2b:03 lan
192.168.100.111 0 00:43:68:61:06:01 lan
10.9.15.254 0 00:09:0f:09:fe:1b wan1
169.254.0.1 - e8:1c:ba:ef:16:f4 ha1

FG101F-2 # get sys arp
Address Age(min) Hardware Addr Interface
10.9.15.254 0 00:09:0f:09:fe:1b wan1
192.168.100.110 0 00:41:74:6c:2b:03 lan
192.168.100.111 0 00:43:68:61:06:01 lan
169.254.0.2 - e8:1c:ba:e5:ef:08 ha1

FG101F-1 # exec dhcp lease-list
lan
IP MAC-Address Hostname VCI SSID AP SERVER-ID Expiry
192.168.100.110 00:41:74:6c:2b:03 FGT1A FortiGate-VM64-KVM 1 Thu Jun 27 17:47:13 2024
192.168.100.111 00:43:68:61:06:01 DESKTOP-OLGFQ84 MSFT 5.0 1 Mon Jul 1 05:46:50 2024
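As an added check (example code written for this article, not a Fortinet tool or any code from the original page), the following Python script parses the `get sys arp` output of both cluster members together with the primary's `exec dhcp lease-list`, and reports which DHCP clients are learned on both units' LAN interface (the mirrored behavior described above), which are seen only on the primary, and which carry a different MAC on one side. The sample output strings are constructed from the listings above; the interface name `lan`, the function names and the classification rules are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the listings in this article; not captured from a live unit.
PRIMARY_ARP = """\
Address Age(min) Hardware Addr Interface
10.9.31.254 0 00:09:0f:09:fe:1b mgmt
192.168.100.110 0 00:41:74:6c:2b:03 lan
192.168.100.111 0 00:43:68:61:06:01 lan
10.9.15.254 0 00:09:0f:09:fe:1b wan1
169.254.0.1 - e8:1c:ba:ef:16:f4 ha1
"""

SECONDARY_ARP = """\
Address Age(min) Hardware Addr Interface
10.9.15.254 0 00:09:0f:09:fe:1b wan1
192.168.100.110 0 00:41:74:6c:2b:03 lan
192.168.100.111 0 00:43:68:61:06:01 lan
169.254.0.2 - e8:1c:ba:e5:ef:08 ha1
"""

PRIMARY_LEASES = """\
lan
IP MAC-Address Hostname VCI SSID AP SERVER-ID Expiry
192.168.100.110 00:41:74:6c:2b:03 FGT1A FortiGate-VM64-KVM 1 Thu Jun 27 17:47:13 2024
192.168.100.111 00:43:68:61:06:01 DESKTOP-OLGFQ84 MSFT 5.0 1 Mon Jul 1 05:46:50 2024
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# `get sys arp` rows: address, age (minutes or '-'), MAC, interface
ARP_LINE = re.compile(rf"^({IPV4})\s+(\S+)\s+({MAC})\s+(\S+)$", re.I)
# `exec dhcp lease-list` rows: IP, MAC, hostname, then free-form fields (the VCI may contain spaces)
LEASE_LINE = re.compile(rf"^({IPV4})\s+({MAC})\s+(\S+)", re.I)


@dataclass(frozen=True)
class ArpEntry:
    mac: str
    interface: str


def parse_arp(text):
    """Return {ip: ArpEntry} from `get sys arp` output; header and prompt lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, _age, mac, iface = m.groups()
            table[ip] = ArpEntry(mac.lower(), iface)
    return table


def parse_leases(text):
    """Return {ip: (mac, hostname)} from `exec dhcp lease-list` output."""
    leases = {}
    for line in text.splitlines():
        m = LEASE_LINE.match(line.strip())
        if m:
            ip, mac, host = m.groups()
            leases[ip] = (mac.lower(), host)
    return leases


def compare_cluster_arp(primary, secondary, leases, lan_iface="lan"):
    """Classify each DHCP client that the primary has learned on its LAN interface.

    mirrored     - same IP/MAC learned on the secondary's LAN as well (expected
                   while the link between the two hardware switches is up)
    primary_only - not present in the secondary's ARP table at all
    mismatched   - MAC or interface differs between the lease and either unit's entry
    """
    result = {"mirrored": [], "primary_only": [], "mismatched": []}
    for ip, (lease_mac, _host) in leases.items():
        p = primary.get(ip)
        if p is None or p.interface != lan_iface:
            continue  # nothing to compare until the primary itself holds the entry
        s = secondary.get(ip)
        if s is None:
            result["primary_only"].append(ip)
        elif p.mac != lease_mac or s.mac != lease_mac or s.interface != lan_iface:
            result["mismatched"].append(ip)
        else:
            result["mirrored"].append(ip)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    report = compare_cluster_arp(parse_arp(PRIMARY_ARP), parse_arp(SECONDARY_ARP),
                                 parse_leases(PRIMARY_LEASES))
    for category, ips in report.items():
        print(f"{category:13s} {', '.join(ips) or '-'}")
```

With the sample output both clients land in `mirrored`. A client that stays in `primary_only` after its ARP entry is fresh on the primary suggests the link between the hardware switches is down or the secondary's entry has aged out, which is worth knowing precisely because a hardware switch link failure does not trigger an HA failover. A `mismatched` entry points at a stale ARP entry or an address conflict and should be investigated on both units.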

The advantage of this behavior is that the passive device can be used in place of a physical switch if none is available. This is not recommended, however, because:

  1. If one FortiGate is lost, all devices connected to it are also lost.
  2. A hardware switch cannot be monitored in HA, so a link failure within the hardware switch will not trigger a failover.