
HP 5412zl2 with FortiGate HA Active Passive / Active Active

  • 1.  HP 5412zl2 with FortiGate HA Active Passive / Active Active

    Posted Jan 06, 2021 10:55 AM

    Until we get a smaller switch with 10GB uplinks we are stuck using ("wasting") an HP5412zl2 for this scenario.

    However looking past that, here is my question:

    The Fortigate HA (active passive or active active) requires a switch on each side of the Firewall.  This is because the Fortigate uses the same IP address for both Firewalls.  See: https://docs.fortinet.com/document/fortigate/6.2.6/cookbook/900885/ha-active-passive-cluster-setup

    When we had our network set up with two switches like so:

    ISP <---> 5412zl2 OUTSIDE <--->  Fortigate  <---> 5412zl2 INSIDE <-----> INSIDE NETWORK

    We continued to have random and multiple drops in DNS traffic every day.  During the issue a PC was able to ping an IP address on the Internet, but unable to resolve anything regardless of the DNS used.

    Since then, we powered down the Passive firewall, and plugged the Primary firewall directly to the ISP router:

    ISP <--->  Fortigate  <---> 5412zl2 INSIDE <-----> INSIDE NETWORK

    Since then, no issues so far.

    Fortinet support has verified there is nothing wrong with the firewall configuration. Assuming this is true:

    1. Is there anything the outside 5412zl2 switch would need to have configured that could lead to this issue?


    The only difference between the OUTSIDE and INSIDE 5412's is that the outside 5412 has all ports untagged VLAN 212 which is also set as its primary vlan. This outside switch has its management port assigned an internal IP address and plugged into the inside network for ssh and IMC monitoring.


    The config of the OUTSIDE switch is:

    Running configuration:

    ; J9851A Configuration Editor; Created on release #KB.16.10.0007
    ; Ver #14:2f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:40
    hostname "OUTSIDE"
    module A type j9990a
    mirror 1 port A1
    fault-finder broadcast-storm sensitivity high
    fault-finder bad-driver sensitivity high
    fault-finder bad-transceiver sensitivity high
    fault-finder bad-cable sensitivity high
    fault-finder too-long-cable sensitivity high
    fault-finder over-bandwidth sensitivity high
    fault-finder loss-of-link sensitivity high
    fault-finder duplex-mismatch-hdx sensitivity high
    fault-finder duplex-mismatch-fdx sensitivity high
    fault-finder link-flap sensitivity high
    no telnet-server
    time daylight-time-rule continental-us-and-canada
    time timezone -300
    interface A21
       name "Sec_Fortigate"
       exit
    interface A23
       name "Pri_Foritgate"
       exit
    interface A24
       name "ISP_Uplink"
       exit
    snmp-server community "public" operator
    snmp-server community "Private" unrestricted
    snmp-server host 10.1.0.38 community "public"
    oobm
       ip address 10.1.0.2 255.255.224.0
       ip default-gateway 10.1.0.1
       exit
    vlan 1
       name "DEFAULT_VLAN"
       no untagged A1-A24
       no ip address
       exit
    vlan 212
       name "Internet"
       untagged A1-A24
       no ip address
       exit
    spanning-tree
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    activate software-update disable
    activate provision disable
    password manager
    password operator


  • 2.  RE: HP 5412zl2 with FortiGate HA Active Passive / Active Active

    Posted Jan 08, 2021 02:44 AM

    Hi! I don't see any particular issue on the WAN Side HP 5412R zl2 Switch:

    • Untagged VLAN 212 Port A23 <--> Fortigate HA Primary node WAN 1 interface
    • Untagged VLAN 212 Port A21 <--> Fortigate HA Secondary node WAN 1 interface
    • Untagged VLAN 212 Port A24 <--> ISP Router LAN Interface

    You can eventually tune Spanning Tree configurations on above ports (setting admin-edge and point-to-point mac), but, technically speaking, the configuration you provided looks (basically) good enough to me.

    Eventually you could verify if there is any mismatch (just a warning) about VLAN 212 on WAN Side interfaces and the respective Fortigate nodes and ISP Router interfaces (probably those ones were left untagged in VLAN 1 default). Not an issue per se, it will just be logged (show logging -r).

    OoBM (which is unrelated to data plane interfaces) is connected to LAN Side HP 5412R zl2 Switch...so it's OK too.
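The checks the reply above walks through by eye (each firewall- and ISP-facing port untagged in exactly one VLAN, per-port spanning-tree tuning once `spanning-tree` is globally enabled) can be scripted against the posted running-config. The following is an added example, not code from this thread, from HPE or from Fortinet: a small Python linter that parses the subset of ProCurve/ArubaOS-Switch syntax used in the OUTSIDE config above. It assumes the `spanning-tree <port> admin-edge-port` form of the command the reply refers to, and it also reports the SNMP community strings visible in the same config, since those are the other thing a reviewer would look at on a WAN-side switch. `SAMPLE_CONFIG` is a constructed trim of the posted config, keeping only the lines the parser looks at.

```python
"""Lint a ProCurve / ArubaOS-Switch running-config for an HA-firewall WAN-side switch.

Added example, not code from the thread or from HPE/Fortinet. It parses the
interface, vlan, spanning-tree and snmp-server lines of a running-config and
reports (1) named ports that are not untagged in exactly one VLAN, (2) named
ports without admin-edge-port while spanning-tree is globally on, and
(3) SNMP communities with a well-known name or write access.
"""
import re

# Constructed sample: the OUTSIDE config posted above, trimmed to the lines this linter reads.
SAMPLE_CONFIG = """\
hostname "OUTSIDE"
interface A21
   name "Sec_Fortigate"
   exit
interface A23
   name "Pri_Foritgate"
   exit
interface A24
   name "ISP_Uplink"
   exit
snmp-server community "public" operator
snmp-server community "Private" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged A1-A24
   no ip address
   exit
vlan 212
   name "Internet"
   untagged A1-A24
   no ip address
   exit
spanning-tree
"""

PORT_RE = re.compile(r"^([A-Za-z]+)(\d+)$")        # slot letter(s) + port number, e.g. A21
DEFAULT_COMMUNITIES = {"public", "private"}         # vendor/default community names


def expand_ports(spec):
    """Expand a ProCurve port list such as 'A1-A24,B3' into individual port names."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (PORT_RE.match(p) for p in item.split("-", 1))
            if not lo or not hi or lo.group(1) != hi.group(1):
                raise ValueError(f"bad port range: {item}")
            slot = lo.group(1)
            ports.extend(f"{slot}{n}" for n in range(int(lo.group(2)), int(hi.group(2)) + 1))
        elif PORT_RE.match(item):
            ports.append(item)
        else:
            raise ValueError(f"not a port: {item}")
    return ports


def parse_config(text):
    """Parse the subset of running-config syntax used by the posted switch into a dict."""
    cfg = {"interfaces": {}, "vlans": {}, "stp_global": False, "stp_ports": {}, "snmp": []}
    ctx = None                                   # ("interface", "A21") / ("vlan", 212) / None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "exit":
            ctx = None
        elif m := re.match(r"^interface (\S+)$", line):
            ctx = ("interface", m.group(1))
            cfg["interfaces"].setdefault(m.group(1), {"name": ""})
        elif m := re.match(r"^vlan (\d+)$", line):
            ctx = ("vlan", int(m.group(1)))
            cfg["vlans"].setdefault(int(m.group(1)), {"name": "", "untagged": set(), "tagged": set()})
        elif m := re.match(r'^name "([^"]*)"$', line):
            if ctx:
                cfg[ctx[0] + "s"][ctx[1]]["name"] = m.group(1)
        elif m := re.match(r"^(no )?(untagged|tagged) (\S+)$", line):
            if ctx and ctx[0] == "vlan":
                members = cfg["vlans"][ctx[1]][m.group(2)]
                for port in expand_ports(m.group(3)):
                    if m.group(1):
                        members.discard(port)    # 'no untagged ...' removes membership
                    else:
                        members.add(port)
        elif line == "spanning-tree":
            cfg["stp_global"] = True
        elif m := re.match(r"^spanning-tree (\S+) (.+)$", line):
            try:
                ports = expand_ports(m.group(1))
            except ValueError:                   # e.g. 'spanning-tree priority 4': global option, not ports
                continue
            for port in ports:
                cfg["stp_ports"].setdefault(port, set()).add(m.group(2))
        elif m := re.match(r'^snmp-server community "([^"]+)"\s*(\S*)', line):
            cfg["snmp"].append((m.group(1), m.group(2) or "operator"))
    return cfg


def untagged_vlans(cfg, port):
    """Set of VLAN ids in which 'port' is an untagged member."""
    return {vid for vid, v in cfg["vlans"].items() if port in v["untagged"]}


def lint(cfg):
    """Return human-readable findings for the named (firewall/ISP) ports and SNMP hygiene."""
    findings = []
    for port, info in sorted(cfg["interfaces"].items()):
        label = f"{port} ({info['name'] or 'unnamed'})"
        vids = untagged_vlans(cfg, port)
        if len(vids) != 1:
            findings.append(f"{label}: expected exactly one untagged VLAN, found {sorted(vids)}")
        if cfg["stp_global"] and not any("admin-edge" in o for o in cfg["stp_ports"].get(port, ())):
            findings.append(f"{label}: spanning-tree is on but the port is not admin-edge; "
                            f"consider 'spanning-tree {port} admin-edge-port'")
    for community, level in cfg["snmp"]:
        if community.lower() in DEFAULT_COMMUNITIES or level == "unrestricted":
            findings.append(f"snmp community '{community}' ({level}): well-known name or write access; "
                            "use a unique read-only community or SNMPv3")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports no VLAN-membership problem for A21/A23/A24 (all three end up untagged only in VLAN 212, matching the reply's reading), flags the three named ports as lacking admin-edge, and flags both community strings. Feed it the full `show running-config` output instead of `SAMPLE_CONFIG` to check the live switch; lines it does not understand are ignored.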