Two FortiGates in a VRRP domain



I still remember when I wrote the HSRP, VRRP and GLBP post. I was studying for the CCNP Route exam, and in fact that post is still the most viewed on my blog. I learnt how these First Hop Redundancy Protocols (FHRP) work, and that VRRP sends its advertisements to the multicast IP address 224.0.0.18 using IP protocol number 112. It was great to know there were protocols for high-availability routing: we can configure two routers to share the same IP address, which is the default gateway for users, and if one of them fails, the other one takes over.

Last week I configured two FortiGates in a VRRP domain because I needed high availability between different models of firewalls. I know the best architecture is a cluster of firewalls of the same model, but when the project requires high availability with different models, we have to look for another solution. The configuration is easy. We have to enable vrrp-virtual-mac on the port and set the Virtual IP address. In addition, we should set a higher priority number on the primary FortiGate and a lower priority number on the backup FortiGate.

Configuring two FortiGates in a VRRP domain

If we use FortiGate firewalls to secure services such as HTTP and HTTPS, we'll also want high availability for these services. Therefore, Virtual IPs will have to be configured in both firewalls. At first sight, if we configure the same Virtual IP in both firewalls, the IP address is duplicated and it doesn't work properly. However, FortiOS 6.0 already supports failover of IPv4 firewall VIPs and IP Pools. Thanks to a new proxy ARP setting, we are able to map each VIP to the VRRP router's Virtual MAC (VMAC).

Failover of IPv4 firewall VIPs
 
Another interesting setting is VRRP load balancing, which is useful when we want both firewalls to process traffic. Accordingly, one firewall is the primary router of one subnet and the other one is the primary router of the other subnet. However, if one firewall fails, all traffic fails over to the one that is still operating. From my point of view, an Active/Active configuration is not the best design, but it can be useful in some architectures.

VRRP load balancing

All of these settings are configured using the CLI; there is no way to configure VRRP from the FortiGate GUI. Consequently, the VRRP table also has to be retrieved from the CLI. The command “get router info vrrp” shows the status of VRRP. For instance, we can see which firewall is the master router and which is the backup router. We can also see the Virtual Router IP (vrip), the Virtual Router Group (vrgrp), etc.
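As an added example (not from the post), this is the FortiOS CLI for the setup described above on the primary unit, FGT-A: vrrp-virtual-mac on the ports, the proxy-ARP mapping that lets the firewall VIP fail over with the VRID, and the two-VRID layout used for load balancing. Interface names, addresses, VRIDs and the VIP name are assumptions; the keywords are those of FortiOS 6.0.

```text
# FGT-A: master for 192.168.10.0/24 (VRID 10), backup for 192.168.20.0/24 (VRID 20).
# FGT-B gets the same blocks with its own interface IPs and the priorities swapped.
config system interface
    edit "port2"
        set ip 192.168.10.2 255.255.255.0
        # answer for the VRIP with the virtual MAC 00-00-5e-00-01-0a, not the physical MAC
        set vrrp-virtual-mac enable
        config vrrp
            edit 10
                set vrip 192.168.10.1
                # 200 is higher than FGT-B's 100, so FGT-A is master for this VRID
                set priority 200
                set preempt enable
                # FortiOS 6.0: the master also answers ARP for the firewall VIP with this VRID's VMAC
                config proxy-arp
                    edit 1
                        set ip 192.168.10.50
                    next
                end
            next
        end
    next
    edit "port3"
        set ip 192.168.20.2 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 20
                set vrip 192.168.20.1
                # 100 is lower than FGT-B's 200, so FGT-A is backup for this VRID
                set priority 100
                set preempt enable
            next
        end
    next
end

# the VIP itself is configured identically on both firewalls
config firewall vip
    edit "web-vip"
        set extip 192.168.10.50
        set extintf "port2"
        set mappedip "10.0.0.10"
    next
end
```

After applying it on both units, “get router info vrrp” on each one should report FGT-A as master for VRID 10 and backup for VRID 20, and the opposite on FGT-B.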

VRRP Routing Table

VRRP is a standard protocol, so we can also configure a VRRP domain between a firewall and a router. For example, we could configure a VRRP domain between a FortiGate firewall and a Cisco router. This is a great advantage of using standard protocols instead of proprietary ones such as HSRP or GLBP.

Your comments are welcome!!
