Multiple Site Redundancy Options

I'm hoping someone can straighten me out as to what my options are (if any!).

We have a backup site (of sorts) which is connected to the same ISP (via an entirely different path). Our primary site runs a 15400 Gateway running R80.20, the backup site is an older FortiGate 1000c (ew, I know). The LAN side of the firewalls is currently connected via a single core routing switch interconnected via 10gig fiber. We're planning on hosting some sort of backup of servers at the backup site.

Our ISP supports running BGP on the WAN side to handle a loss of connection and failing over to the backup site. This seems like it would be fairly straightforward since both firewalls support BGP.

However, where I'm running into confusion is how to configure the LAN side of things. If the WAN link goes down and BGP fails over to the backup... the clients & servers have no idea about this and will happily continue talking to the primary firewall, which has no connection.

I considered VRRP on the LAN side, but that would only help if the firewall failed, not if the WAN failed and I can't seem to find a way to "link" a BGP change to a VRRP change (that sounds wacky anyway).

Unfortunately there isn't a way that we could afford to buy a second 15400 and make a proper cluster (I was lucky to get the Check Point!)

What other options are there? Our LAN side is very flexible and I'm certainly open to re-configuring things, I just don't have any ideas at the moment.

[Attached image: 2019-04-08 15_39_52-Window.png]

1 Reply

Can you support a routing protocol on your core switch? If so, then just enable that and accept the default route from the active gateway; make sure the ISP also tells your gateways what the default route is.
You will need to make sure that you have set some statics that you really need whichever of the 2 FWs is active, and do not rely on the default for all routes.
Regards, Maarten
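The following is an added example, not part of the thread and not vendor configuration from either poster: a small Python model of the LAN-side failover problem described above. It contrasts a VRRP-style default gateway, which only tracks whether the primary box is alive, with a default route that each gateway originates into the LAN routing protocol only while it actually holds a default learned from the ISP over BGP (the behaviour the reply relies on), plus the static routes the reply says must hold regardless of which firewall is active. All addresses, metrics and the backup-site prefix are constructed for the example.

```python
"""Model of LAN-side failover: VRRP (device health only) versus a
conditionally originated default route (tracks the ISP-learned default).
Addresses, metrics and prefixes are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    lan_ip: str
    device_up: bool = True            # the box itself is alive (what VRRP sees)
    isp_default_learned: bool = True  # 0.0.0.0/0 currently received from the ISP over BGP

    def lan_default_origin(self):
        """Conditional default origination into the LAN IGP: advertise
        0.0.0.0/0 only while a default is actually learned from the ISP.
        Returns the next hop to advertise, or None to withdraw it."""
        return self.lan_ip if (self.device_up and self.isp_default_learned) else None


def vrrp_master(primary, backup):
    """VRRP only fails over when the master box dies, not when its WAN drops."""
    return primary.lan_ip if primary.device_up else backup.lan_ip


@dataclass
class CoreSwitch:
    # Statics that must hold whichever gateway is active (per the reply above).
    statics: dict = field(default_factory=dict)     # prefix -> next hop
    # Preference per advertising gateway; lower metric wins.
    preference: dict = field(default_factory=dict)  # gateway lan_ip -> metric

    def dynamic_default(self, gateways):
        """Best 0.0.0.0/0 among the gateways currently originating one."""
        candidates = [(self.preference.get(g.lan_ip, 100), g.lan_ip)
                      for g in gateways if g.lan_default_origin()]
        return min(candidates)[1] if candidates else None

    def next_hop(self, dst, gateways):
        """Longest-prefix match over the statics, then fall back to the default."""
        addr = ipaddress.ip_address(dst)
        matches = [(ipaddress.ip_network(p).prefixlen, nh)
                   for p, nh in self.statics.items()
                   if addr in ipaddress.ip_network(p)]
        if matches:
            return max(matches)[1]
        return self.dynamic_default(gateways)


def build_lab():
    """Constructed topology: primary and backup firewalls on one core switch."""
    primary = Gateway("checkpoint-15400", "10.0.0.1")
    backup = Gateway("fortigate-1000c", "10.0.0.2")
    core = CoreSwitch(
        # Backup-site server network reached over the 10G interconnect (constructed)
        statics={"10.20.0.0/16": "10.0.0.2"},
        preference={"10.0.0.1": 10, "10.0.0.2": 20},
    )
    return primary, backup, core


def simulate_wan_failure():
    """Return next hops before and after the primary loses its ISP default
    while the box itself stays up (the case the question is about)."""
    primary, backup, core = build_lab()
    gws = [primary, backup]
    internet_host = "198.51.100.7"   # arbitrary external address (documentation range)
    before = {"vrrp": vrrp_master(primary, backup),
              "igp": core.next_hop(internet_host, gws)}
    primary.isp_default_learned = False  # ISP withdraws default; BGP fails over on the WAN
    after = {"vrrp": vrrp_master(primary, backup),       # still points at the dead path
             "igp": core.next_hop(internet_host, gws),   # moves to the backup gateway
             "static": core.next_hop("10.20.5.5", gws)}  # static unaffected by the default
    return before, after


if __name__ == "__main__":
    b, a = simulate_wan_failure()
    print("before:", b)
    print("after: ", a)
```

The model makes the reply's point concrete: with VRRP the default still resolves to the primary after its WAN default is withdrawn, whereas the conditionally originated default moves to the backup gateway, and the static for the backup-site prefix keeps working in both states. Note that this only works if the gateway's advertisement is actually tied to the ISP-learned default (the `lan_default_origin` condition); a default that is unconditionally redistributed would reproduce the VRRP failure mode.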