April 26, 2018

FortiGate :: HA Routed Failover w/ Session Failover

(Last Updated On: 27th March 2018)

A recent requirement that came up was for a redundant pair of firewalls that allowed for session failover and configuration synchronisation while also maintaining different external IPs and separate BGP peering. A niche request, but something that is supported on FortiGates. Below are some configuration examples to achieve this.

Config and Session Sync

We start off by allowing the FortiGates to sync configuration and sessions without fully pairing them. This can be achieved through Fortinet's "standalone-config-sync" setting under HA, which syncs configuration and sessions with the exception of interface settings*. This will need to be configured on both units, and a "HA" (heartbeat) link will need to be configured between the two.

config system ha
    set hbdev port1 0
    set session-pickup enable
    set standalone-config-sync enable
end

*There is currently an issue whereby IPv6 interface address configuration is sync'd across the two standalone devices.


As interface configuration is not sync'd in this setup and interfaces are not monitored, we need something to replace the failover mechanism. This is where VRRP comes in. As the units will not sync any interface-related configuration, you will need to replicate it by hand on both units – the exception being the interface you want different IPs on for separate router peering.

config system interface
    edit port2
        set vrrp-virtual-mac enable
        config vrrp
            # VRID 50 (0x32): the VRRP virtual MAC ends in the VRID in hex, 00-00-5E-00-01-32
            edit 50
                # virtual IP value not given in the post
                set vrip <virtual-ip>
                set priority 255
            next
            # VRID 100 (0x64): virtual MAC 00-00-5E-00-01-64
            edit 100
                set vrip <virtual-ip>
                set priority 50
            next
        end
    next
end

The example VRRP configuration here was taken directly from http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-high-availability/HA_VRRPEx2.htm?Highlight=VRRP
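Because interface and VRRP settings are not sync'd between the two units, it is easy for them to drift apart (a VRID missing on one unit, different VRIPs, or equal priorities that leave master election to the tie-break). The check below is an added example, not code from the post or from Fortinet; it works on a simplified dict representation of each unit's interface config (constructed sample data, with the peering interfaces exempted and VRRP priorities mirrored between units, as assumed here).

```python
# Added example: drift check for two FortiGates running standalone-config-sync.
# Interface config is NOT synced, so each unit's interface/VRRP settings are
# compared here. The data is constructed sample data in a simplified form:
# unit -> interface -> {"vrrp_vmac": bool, "vrrp": {vrid: (vrip, priority)}}
UNIT_A = {
    "port2": {"vrrp_vmac": True, "vrrp": {50: ("10.31.101.200", 255), 100: ("10.31.101.201", 50)}},
    "port3": {"vrrp_vmac": False, "vrrp": {}},   # unit A's own BGP peering link (exempt)
}
UNIT_B = {
    "port2": {"vrrp_vmac": True, "vrrp": {50: ("10.31.101.200", 50), 100: ("10.31.101.201", 255)}},
    "port4": {"vrrp_vmac": False, "vrrp": {}},   # unit B's own BGP peering link (exempt)
}


def check_pair(a, b, exempt=()):
    """Return a list of drift findings; an empty list means the pair is consistent.

    exempt: interfaces that are deliberately different on each unit
    (the separate router-peering interfaces).
    """
    findings = []
    for ifname in sorted((set(a) | set(b)) - set(exempt)):
        ia, ib = a.get(ifname), b.get(ifname)
        if ia is None or ib is None:
            findings.append(f"{ifname}: present on only one unit")
            continue
        if ia["vrrp_vmac"] != ib["vrrp_vmac"]:
            findings.append(f"{ifname}: vrrp-virtual-mac differs")
        va, vb = ia["vrrp"], ib["vrrp"]
        for vrid in sorted(set(va) | set(vb)):
            if vrid not in va or vrid not in vb:
                findings.append(f"{ifname}: VRID {vrid} configured on only one unit")
                continue
            (vrip_a, pri_a), (vrip_b, pri_b) = va[vrid], vb[vrid]
            if vrip_a != vrip_b:
                findings.append(f"{ifname}: VRID {vrid} vrip differs ({vrip_a} vs {vrip_b})")
            if pri_a == pri_b:
                # Equal priorities hand master election to the tie-break, so the
                # intended master/backup split across the two units is not guaranteed.
                findings.append(f"{ifname}: VRID {vrid} has equal priority {pri_a} on both units")
    return findings


if __name__ == "__main__":
    for line in check_pair(UNIT_A, UNIT_B, exempt=("port3", "port4")) or ["OK: no drift"]:
        print(line)
```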


Your final step is to configure routing as you would on any standalone device. This will vary depending on the routing protocol in use, so I won't bother with an example in this post – a post about routing on FortiGates will come later.

Once all of the above has been configured, you should be left with a routed, redundant "pair" of firewalls: session sync and configuration sync are handled by the FGCP protocol, and failover is handled by a combined VRRP and routed failover mechanism. If an interface goes down, that FortiGate should stop advertising the route and the neighbouring FortiGate's VRRP interface should take over.


Jake is a security engineer working in West Yorkshire. He has experience with various firewall vendors including FortiGate, Check Point, Cisco and Palo Alto.
