What's the difference between "Active-Passive" and "Active-Active" HA modes in FortiGates?
A brief description of HA modes on FortiGates
FortiGate firewalls (like other vendor firewalls) support high availability (HA). The basic idea here is to establish some resiliency; if something goes wrong with a single firewall unit, the users are still protected and service remains intact (perhaps with a small interruption during automated transition). As with most things, there are multiple ways to implement this type of solution. In this article, we'll briefly describe two different HA "modes" that can be used with FortiGates and the difference between them.
General concepts
Before we step into the mode details, let's have a quick refresher on FortiGate HA operations.
FortiGate HA uses the FortiGate Clustering Protocol (FGCP) to handle clustering. It takes care of things like:
- Discovering HA units (referred to as "members")
- Monitoring health and availability of HA units
- Copying (synchronizing) data between members
A core concept in FortiGate's implementation of HA revolves around the idea of a "cluster" (grouping) of HA units. A cluster needs at least two FortiGate firewalls but can have more (FGCP supports up to four). Within the cluster, there's a device designated as the "primary" FortiGate.
At a minimum, you can think of the primary FortiGate as the source of truth for the cluster. It's the authoritative source for a lot of useful information including (but not limited to):
- Configurations
- Session information
- FIB routing entries
- FortiGuard definitions
- Etc, etc.
In addition to synchronizing information, it's important for all members of a FortiGate cluster to know the health status of all other members. FGCP helps with this as well. It does this via dedicated "heartbeat" interfaces and periodic checks that can trigger a failover for a number of reasons (the device itself failing, a monitored link going down, an SSD failing, the unit running out of memory, and so on). That matters because there are many different reasons why a device could be offline, and a cluster that only notices a dead box misses the rest of them.
One more important detail: HA setup requires units/members of a cluster to be very similar. That means:
- Same physical model
- Same FortiOS version
- Same licensing (there are some small exceptions for discrepancies here, but let's save that for another day)
- Same operating mode
With me thus far? Cool. Let's keep going.
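To make the concepts above concrete, here is what the cluster-wide settings look like in the FortiOS CLI. This is an added example, not configuration from the original article; the interface names (port9/port10 as heartbeat links, port1/port2 as monitored data ports), the group name and the password are assumptions, and the `#` comments are annotations for the reader. The same block is entered on every member.

```text
config system ha
    set group-name "edge-cluster"        # identical on every member of this cluster
    set group-id 10                      # bump this if several clusters share a LAN segment
    set password "<shared-secret>"       # authenticates heartbeat traffic between members
    set hbdev "port9" 50 "port10" 100    # two dedicated heartbeat links; higher value is preferred
    set session-pickup enable            # sync TCP session table so failover keeps existing sessions
    set monitor "port1" "port2"          # link failover: a member that loses these links gives up primary
    set priority 200                     # higher wins when override is enabled (default is 128)
    set override disable                 # the longest-running unit stays primary; set enable for a fixed primary
end
```

After both units have joined, `get system ha status` shows the members and why the current primary was elected, and `diagnose sys ha checksum cluster` shows the configuration checksums of every member; matching checksums mean the primary has finished synchronizing. `execute ha manage <index> <admin-user>` lets you log in to a secondary through the primary without a separate management address.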
Active-Passive HA Mode
Active-Passive mode is the simplest way to implement HA. It basically relies on a "primary" FortiGate to do everything (including processing live traffic). Secondary FortiGate unit(s) are connected but remain passive – meaning that they don't handle any live user traffic.
As long as everything is working OK, the secondary units just hang around in the background, staying synchronized with changes and continuously monitoring the health of the primary unit. If the primary unit goes down, one of the secondary units takes over; which one is decided by FGCP's primary election (most connected monitored ports first, then age, device priority and serial number, with priority checked before age when override is enabled). Nice and simple, right?
One more thing: the monitoring goes both ways. If a secondary FortiGate were to go down, the primary would update its local list of available backup HA devices.
Active-Active HA Mode
Active-Active mode still has all of the failover functionality described earlier (configuration and operational data are replicated to the other units), but one big difference is how live user traffic is handled. Instead of having a single device process all production traffic for the entire cluster, Active-Active HA mode allows that load to be distributed across the other cluster members. Two caveats worth knowing before you pick it: the primary still receives every packet and decides which member processes each session, so it is not an N-times throughput multiplier; and by default only sessions handled by proxy-based security profiles are distributed, while UDP, ICMP, multicast and broadcast traffic always stays on the primary.
Perhaps a bit of an oversimplification but if it helps, think of the primary FortiGate like a quarterback; choosing which units in the cluster would ultimately handle a given network session.
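The switch between the two modes is a single setting on top of the cluster configuration, plus a couple of knobs that only matter for Active-Active. This is an added example, not configuration from the original article; the `#` comments are annotations for the reader.

```text
# Active-Passive: the primary processes all traffic, the rest only synchronize and watch.
config system ha
    set mode a-p
end

# Active-Active: the primary still receives all traffic but hands a share of
# the sessions to other members. Without load-balance-all only sessions that
# go through proxy-based security profiles are distributed.
config system ha
    set mode a-a
    set load-balance-all enable      # distribute all TCP sessions, not just proxied ones
    set schedule round-robin         # how the primary picks a member for each new session
end
```

Other `schedule` values (leastconnection, weight-round-robin, random, ip, ipport, hub, none) change how the primary assigns sessions; `none` effectively turns an a-a cluster back into a-p behaviour for traffic while keeping the mode. After changing the mode, `get system ha status` on the primary confirms the new mode and that every member has rejoined with a matching configuration checksum.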
More Information
Phew! That barely scratched the surface but hopefully helps to explain the concept a bit better. Ready for more info? Check out these resources and articles: