3750g etherchannel with two Fortigate Firewalls in HA

lukas-glonec · ‎01-27-2025

Hi guys,

have anybody experience with topology where is one cisco catalyst 3750g switch and two Fortigate firewalls in HA active - passive mode?
Here is the topology:
On cisco switch I have ports GigabitEthernet1/0/23 and 24 added in port-channel with ip address 10.53.254.253/30. Default ip route is set as 0.0.0.0 0.0.0.0 10.53.254.254.
My goal is, when active FW falls down, traffic automatically change the path through another port (to passive FW which become active).
Unfortunatelly, my port-channel port became suspended.

Any ideas, what is wrong please?

Thanks

Kasun Bandara · ‎01-27-2025

hi @lukas-glonec not sure how you connected the switch port channel to firewalls. if you only connecting two ports to two firewalls (in same HA cluster) make sure those ports are not in port channel. because in active-passive scenarios, only active firewall handle traffic. secondary will come up if active is down.

you can do port channel if you have 4 cables (2 per firewall). then make 1 port channel for active firewall and 2nd port channel for passive firewall.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

lukas-glonec · ‎01-27-2025

Hi @Kasun Bandara , fortigates are connected with two cables. First is from port GigabitEthernet1/0/23 to active firewall, second is from port GigabitEthernet1/0/24 to passive firewall. Currently I have ip address 10.53.254.253 on port GigabitEthernet1/0/23 and i can´t added same ip address to port GigabitEthernet1/0/24. So I need to use etherchannel.

MHM Cisco World · ‎01-27-2025

If FW is active/standby you can't connect both FW to one SW via one PO.

MHM

Joseph W. Doherty · ‎01-27-2025

So how do you assign IP to PC, as L3 PC or PC as a L2 access port with IP assigned as a SVI?

Kasun Bandara · ‎01-27-2025

hi @lukas-glonec , ok.

if you do FortiGate active-passive, both firewall will have same IP for same port. setup need to be like as below.

option 1 - without port channel. just connect 2 ports in switch to 2 firewalls. no need to have port channel as firewall side you are only connecting 1 cable.

Fortigate 1 Fortigate 2

\ /

Switch 1

Option 2 - connect 2 cables each firewall. then create port channel at firewall for connected t ports and switch side create 2 port channels as 1 for 1st firewall cable pair and 2nd for second firewall cable pair.

Fortigate 1 Fortigate 2

\ \ / /

Switch 1

IP address -

IP address in switch will be bound to SVI (VLAN interface). allow that VLAN as access mode in the ports which are connected to firewalls (in option 1) or in Port channels (in option 1)

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

lukas-glonec · ‎01-27-2025

I need only 1 port-channel, because both firewalls in this scenario have same IP adresses. If I create two port-channels, each one could have a different IP address. I need only one IP address because on primary FW is only on IP address and this is copied to passive firewall.

MHM Cisco World · ‎01-27-2025

Both have same IP???? I DONT about Fotri but that not correct

Both FW have IP in same subnet bot have same IP

Check forti config guide

MHM

lukas-glonec · ‎01-28-2025

Yes, both have same IP, it´s correct. Standby FW copied all configuration from Active and when active failed, standby became active with same configuration. It´s configured according to Forti guide.

MHM Cisco World · ‎01-28-2025

So it run something like hsrp'

I already suggest to you how you config static route in SW

MHM

M02@rt37 · ‎01-27-2025

Hello @lukas-glonec

In an a/p HA mode with FortiGate firewalls, only the active firewall is handling the traffic at any given time. The passive firewall becomes active only if the active firewall fails. So, connecting the two ports of a port-channel to both firewalls in an HA setup can lead to issues because only one firewall (the active one) should be handling traffic on the port-channel at a time.

So, if using 2 ports for a/p HA, do not configure the port-channel on the switch if you only have two port connecting to the two firewalls (one per firewall). Instead, directly connect each switch port to a separate firewall interface. In this case, each firewall in the HA pair will have its own physical link from the switch, and only the active firewall will handle traffic through the connected port. The passive firewall will remain idle until a failover event occurs, at which point the previously idle link to the passive firewall becomes active.

Else follow @Kasun Bandara advices by using 4 cables (2 per Fw).

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

lukas-glonec · ‎01-27-2025

Hi M02@rt37

thanks for reply. Unfortunately I can´t using more ports on firewalls because there are connected other devices (like VoIP switches etc.) So I can use only one port of each firewall. I understand how active-passive HA on fortigates works, I want to find the way how to set on 3750G catalyst switch to work primary and secondary way from our internal networks to the internet, if primary firewall fails. Port-channel was my first idea. Is there any other solution? Maybe using VLAN? Thank you very much.

MHM Cisco World · ‎01-27-2025

No need PO

Connect SW to each FW as access or trunk port.

The active FW will send traffic, the standby will be hidden non seen from SW, it only seen when active is down.

MHM

lukas-glonec · ‎01-27-2025

How SW finds which route to use, if I have a static route via 10.53.254.254 without IP address on interface, if i use access or trunk port.

MHM Cisco World · ‎01-27-2025

Now we start understanding issue

SW is GW for host or FW is GW?

MHM