topic Re: 3750g etherchannel with two Fortigate Firewalls in HA in Cisco Catalyst Center

3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 13:45:53 GMT

Hi guys,

have anybody experience with topology where is one cisco catalyst 3750g switch and two Fortigate firewalls in HA active - passive mode?
Here is the topology:
On cisco switch I have ports GigabitEthernet1/0/23 and 24 added in port-channel with ip address 10.53.254.253/30. Default ip route is set as 0.0.0.0 0.0.0.0 10.53.254.254.
My goal is, when active FW falls down, traffic automatically change the path through another port (to passive FW which become active).
Unfortunatelly, my port-channel port became suspended.

Any ideas, what is wrong please?

Thanks

Re: 3750g etherchannel with two Fortigate Firewalls in HA

Kasun Bandara — Mon, 27 Jan 2025 13:49:42 GMT

hi @lukas-glonec not sure how you connected the switch port channel to firewalls. if you only connecting two ports to two firewalls (in same HA cluster) make sure those ports are not in port channel. because in active-passive scenarios, only active firewall handle traffic. secondary will come up if active is down.

you can do port channel if you have 4 cables (2 per firewall). then make 1 port channel for active firewall and 2nd port channel for passive firewall.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 14:05:05 GMT

Hi @Kasun Bandara , fortigates are connected with two cables. First is from port GigabitEthernet1/0/23 to active firewall, second is from port GigabitEthernet1/0/24 to passive firewall. Currently I have ip address 10.53.254.253 on port GigabitEthernet1/0/23 and i can´t added same ip address to port GigabitEthernet1/0/24. So I need to use etherchannel.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Mon, 27 Jan 2025 14:15:37 GMT

If FW is active/standby you can't connect both FW to one SW via one PO.

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

Joseph W. Doherty — Mon, 27 Jan 2025 14:37:30 GMT

So how do you assign IP to PC, as L3 PC or PC as a L2 access port with IP assigned as a SVI?

Re: 3750g etherchannel with two Fortigate Firewalls in HA

M02@rt37 — Mon, 27 Jan 2025 16:13:19 GMT

Hello @lukas-glonec

In an a/p HA mode with FortiGate firewalls, only the active firewall is handling the traffic at any given time. The passive firewall becomes active only if the active firewall fails. So, connecting the two ports of a port-channel to both firewalls in an HA setup can lead to issues because only one firewall (the active one) should be handling traffic on the port-channel at a time.

So, if using 2 ports for a/p HA, do not configure the port-channel on the switch if you only have two port connecting to the two firewalls (one per firewall). Instead, directly connect each switch port to a separate firewall interface. In this case, each firewall in the HA pair will have its own physical link from the switch, and only the active firewall will handle traffic through the connected port. The passive firewall will remain idle until a failover event occurs, at which point the previously idle link to the passive firewall becomes active.

Else follow @Kasun Bandara advices by using 4 cables (2 per Fw).

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 16:53:25 GMT

Hi M02@rt37

thanks for reply. Unfortunately I can´t using more ports on firewalls because there are connected other devices (like VoIP switches etc.) So I can use only one port of each firewall. I understand how active-passive HA on fortigates works, I want to find the way how to set on 3750G catalyst switch to work primary and secondary way from our internal networks to the internet, if primary firewall fails. Port-channel was my first idea. Is there any other solution? Maybe using VLAN? Thank you very much.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 16:56:53 GMT

I need only 1 port-channel, because both firewalls in this scenario have same IP adresses. If I create two port-channels, each one could have a different IP address. I need only one IP address because on primary FW is only on IP address and this is copied to passive firewall.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Mon, 27 Jan 2025 16:58:14 GMT

No need PO

Connect SW to each FW as access or trunk port.

The active FW will send traffic, the standby will be hidden non seen from SW, it only seen when active is down.

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Mon, 27 Jan 2025 17:01:19 GMT

Both have same IP???? I DONT about Fotri but that not correct

Both FW have IP in same subnet bot have same IP

Check forti config guide

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 17:08:13 GMT

How SW finds which route to use, if I have a static route via 10.53.254.254 without IP address on interface, if i use access or trunk port.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Mon, 27 Jan 2025 17:11:29 GMT

Now we start understanding issue

SW is GW for host or FW is GW?

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

Joseph W. Doherty — Mon, 27 Jan 2025 17:16:09 GMT

"Connect SW to each FW as access or trunk port."

Possibly, the way it should be done.

Using a portable channel assumes both ends can accept frames/packets on either link, which it sounds like Fortigate is like FHRP.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Mon, 27 Jan 2025 17:16:17 GMT

SW is GW for all hosts and servers. FW is another step before we reach the internet and only forwards traffic.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Mon, 27 Jan 2025 17:22:33 GMT

Yes I think you correct, Forti support Hsrp,

So each FW will have common one VIP

And SW will have default route toward this VIP.

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

Kasun Bandara — Tue, 28 Jan 2025 03:01:52 GMT

hi @lukas-glonec , ok.

if you do FortiGate active-passive, both firewall will have same IP for same port. setup need to be like as below.

option 1 - without port channel. just connect 2 ports in switch to 2 firewalls. no need to have port channel as firewall side you are only connecting 1 cable.

Fortigate 1 Fortigate 2

\ /

Switch 1

Option 2 - connect 2 cables each firewall. then create port channel at firewall for connected t ports and switch side create 2 port channels as 1 for 1st firewall cable pair and 2nd for second firewall cable pair.

Fortigate 1 Fortigate 2

\ \ / /

Switch 1

IP address -

IP address in switch will be bound to SVI (VLAN interface). allow that VLAN as access mode in the ports which are connected to firewalls (in option 1) or in Port channels (in option 1)

Re: 3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec — Tue, 28 Jan 2025 10:54:15 GMT

Yes, both have same IP, it´s correct. Standby FW copied all configuration from Active and when active failed, standby became active with same configuration. It´s configured according to Forti guide.

Re: 3750g etherchannel with two Fortigate Firewalls in HA

MHM Cisco World — Tue, 28 Jan 2025 11:38:27 GMT

So it run something like hsrp'

I already suggest to you how you config static route in SW

MHM

Re: 3750g etherchannel with two Fortigate Firewalls in HA

Aref Alsouqi — Tue, 28 Jan 2025 14:17:57 GMT

I skimmed through this thread quickly so apologies if I'm missing anything. Are you trying to configure a layer 3 or a layer 2 port channel between the switch and the firewalls?

As already mentioned, if you're trying to connect the two firewalls to the same port channel on the switch that won't work because you have one active and one passive device that won't be processing any traffic. However, as already suggested you can connect firewall 1 to a port channel on the switch, and firewall 2 to another port channel, or you can discard the port channels all the way and just use single connections to the switch one from each firewall.

Also, if the you are trying to configure a L3 switch port that is connected to the firewalls, then I think you would need to convert it to be a switch port and moving the IP to an SVI.