There are two modes available to you when configuring HA for a FortiGate Cluster, Active-Active or Active-Passive. The section below outlines the main differences between the two modes.
Active-Active
- Load balances UTM (Antivirus, IPS, Web Filtering, etc.) packets between all cluster units. This can lead to overall improvement in UTM performance by sharing the processing load among the cluster units.
- The following sessions are processed by the primary unit & not load balanced: UDP, ICMP, Multicast, Broadcast, VoIP, IM, P2P, IPSEC VPN, HTTPS, SSL VPN, HTTP Multiplexing, SSL Offloading, WAN Optimization, Explicit Web Proxy & WCCP sessions.
- TCP traffic is not load balanced by default. It is recommended to test this setting in your environment as it may degrade performance rather than increase. The overhead required to load balance TCP traffic is as much as just processing it.
- If the primary unit fails, the other unit negotiates and becomes the primary unit. The remaining unit continues to function as the primary unit, maintaining the HA virtual MAC address for all of its interfaces.
- Session failover is provided for all TCP sessions except UTM, UDP, ICMP, Multicast & Broadcast sessions. This requires Session Pickup to be turned on.
Active-Passive
- All traffic is processed by the primary FortiGate unit.
- Provides Hot Standby failover protection
- Does not process communication sessions, the configuration is synchronized with the primary unit.
- Can be a more robust session failover solution than Active-Active by handling the failover of UDP, ICMP, Multicast & Broadcast sessions better. This is very condition specific. The cluster does not specifically support failover of these packets.
Recommendations
- Utilize Active-Active mode if you are utilizing UTM features.
- Utilize Active-Passive mode if you are not utilizing UTM features.
- Utilize Session Failover to maintain TCP, SIP & IPsec VPN sessions after a failure