How to connect FortiGate firewall cluster & Checkpoint firewall cluster without a switch in between

Buddhima Ekanayake
3 min read · Dec 18, 2020


This article explains how to connect a FortiGate HA cluster and a Checkpoint HA cluster using a FortiGate Virtual Switch (Software Switch) and a Checkpoint Bond, without a hardware switch in between, and briefly describes the outcome.

Note: This is not a recommended way of implementing high availability setup on a production environment.

Long story short: recently an organization wanted to connect their FortiGate HA cluster and Checkpoint HA cluster directly, without a switch in between.

The requirement came from an ongoing network topology change. In the current setup a core switch sits between the FortiGate and the Checkpoint; in the proposed topology the FortiGate and the Checkpoint are connected directly to each other.

Current setup

[Figure: Current setup]

Checkpoint Bond: 2 physical interfaces | Operation mode: 802.3ad (LACP) | Three IP addresses: one for each cluster member and one VIP

FortiGate: 802.3ad aggregate interface (LACP) with one IP.

So yes, this is the most traditional way of having two clusters, such as an internal firewall and a perimeter firewall, and it works fine.

Proposed setup

[Figure: Proposed setup, without a switch in between]

“the more you look the worse it gets”

Checkpoint Bond: 2 physical interfaces | Operation mode: Active-Backup | Three IP addresses: one for each cluster member and one VIP

FortiGate: Virtual Switch with 2 physical interfaces.

So it is not LACP anymore, but it works.

FortiGate HA status: Active-Passive. Hardware failover and monitored-interface failover work without issue.

Checkpoint HA status: Active-Standby. Hardware failover and monitored-interface failover work without issue.

Tested operating systems: FortiGate FortiOS 6.2.3 | Checkpoint R80.30 | hardware appliances with physical connectivity.

What if we use LACP (aggregate interfaces) instead of virtual switches?

FortiGate HA will not show any issue, because it works as Active-Passive. Checkpoint HA status, however, will be Active-Down. The reason is that Checkpoint sees the FortiGate secondary firewall's interfaces as down, so failover will never happen. FortiGate keeps its passive appliance's interfaces inactive, whereas Checkpoint keeps its interfaces up and manages the communication via the Virtual IP addresses. Checkpoint reports:

State change: INIT -> DOWN

Reason for state change: Incorrect configuration — Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)

Because of that, LACP was not an option.
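As an added illustration (not configuration from the original article), this is roughly what the two sides of the proposed setup look like on the CLI, with the bond mode used in the failed LACP attempt shown beside the Active-Backup mode that worked. Interface names (port3/port4, eth1/eth2), the switch name, the bond id and the IP address are assumptions, and the Gaia clish bonding commands are reproduced from memory, so verify them against your own release's documentation.

```text
# FortiGate (FortiOS 6.2 CLI): software switch over the two ports that
# face the Checkpoint bond. "vsw-to-cp", port3 and port4 are assumed names.
config system switch-interface
    edit "vsw-to-cp"
        set vdom "root"
        set member "port3" "port4"
    next
end
config system interface
    edit "vsw-to-cp"
        set ip 10.0.0.1 255.255.255.0    # assumed address
        set allowaccess ping
    next
end
# "vsw-to-cp" cannot be added as a monitored interface under
# 'config system ha', which is the limitation discussed in the article.

# Checkpoint (Gaia clish): bond over eth1 and eth2 (assumed names).
# Mode used in the LACP attempt (FortiGate aggregate instead of the
# software switch), which left the Checkpoint cluster Active-Down:
#   set bonding group 1 mode 8023AD
# Mode that worked against the FortiGate software switch:
add bonding group 1
add bonding group 1 interface eth1
add bonding group 1 interface eth2
set bonding group 1 mode active-backup
set bonding group 1 primary eth1
save config
```

After applying the Checkpoint side, `cphaprob state` on each member should show Active / Standby rather than Active / Down.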

Limitations of the Virtual Switch configuration

In FortiGate, High Availability cannot monitor virtual switch interfaces. Because of that, automatic failover is not possible if the active cable (or interface) shown in the figure becomes faulty or malfunctions. In that rare scenario there will be a complete service outage.

As far as I know, this FortiGate limitation still exists in the newest 6.4.x series too. Let me know if there is a workaround for it.

In case you need to implement this in your production environment, make sure to take backups of the existing configuration and label the cables properly. Also, to get the best out of this solution, you should cable it exactly as shown (crossed).

I’m sharing this article because I could not find any article covering this specific scenario. We had to design this workaround for temporary use. If you know a better solution, let me know too ❤

This solution worked for this specific scenario; it may not work in others. Do so at your own risk!
