What you did is the most appropriate way.
Now, if you aim to have 2 FWs, one active and one standby, then as Charlie said, a VSX LAG (i.e. MCLAG) between the VSX cluster and each FW is the most appropriate, given that your config on the standby FW will likely have to be identical to the one on the active FW. So you may need to use an L3 transit VLAN instead of routed ports on the 8360, as you will not be able to use the same IP address for a routed port on 2 different interfaces on the same 8360.
You have an example in
https://support.hpe.com/hpsc/doc/public/display?docId=a00094242en_us
------------------------------
Vincent Giles
------------------------------
Original Message:
Sent: Jan 04, 2022 04:14 AM
From: Milan Babic
Subject: VSX and one firewall
Hello, I am interested in the correct design with two 8360 Aruba CX switches in a VSX cluster and one firewall (Fortinet FortiGate 100E). Attached picture.
I have the dynamic routing protocol OSPF between the two 8360 switches and the FortiGate 100E. To avoid the problem of asymmetric routing, I have spoiled the route over link (10.99.99.4/30) - ip ospf cost 65535 - and forced all traffic to pass over link (10.99.99.8/30).
I'm interested in whether this is a correct design, and whether it is possible to accomplish this another way (aggregated interfaces on the firewall, VRFs, VSX active-forwarding). Also, I'm interested in the correct design if I have two firewalls in active-standby mode.
Best regards,
Milan Babic
------------------------------
Milan Babic
------------------------------