Designing Multi-DC Health Aggregation in Front of a Fortinet SASE PoP: Architecture and Failover Strategies


As enterprises transition toward cloud-delivered security and zero-trust connectivity, designing reliable multi-data-center connectivity to SASE infrastructure becomes a critical architecture challenge.

In modern SASE deployments based on Fortinet solutions, connectivity design is no longer only about network availability — it is about aligning application health, security policy enforcement, and routing intelligence into a single decision framework.

The primary engineering problem is how multi-DC health states can be aggregated without creating routing instability, split-brain scenarios, or application blackholing.


SASE PoP architecture

Part 1: Typical Multi-DC to Single SASE PoP Topology Patterns

In enterprise SASE deployments, traffic from multiple data centers is typically aggregated toward a single SASE Point of Presence (PoP). The design must ensure high availability while preventing routing loops and blackholing conditions.

Active-Active Multi-DC Architecture

In active-active designs, multiple data centers provide simultaneous connectivity to SASE PoPs.

  • Improved geographic redundancy
  • Faster user access performance
  • Better application availability

This model requires intelligent health aggregation logic rather than relying on tunnel state alone.

Primary-Secondary DC Architecture

Primary-secondary models provide simpler operational design but slower failover convergence.

Traffic is normally routed to the primary DC until a hard failure is detected.

Geo-Distributed SASE Edge Model

Global enterprises often deploy SASE PoPs near end-user populations to reduce latency.


Part 2: Options for Health Aggregation

VM-Based Health Proxies

Some legacy architectures use VM-based monitoring proxies to poll backend application health.

While functional, this design can introduce:

  • Single point of failure risk
  • Increased licensing complexity
  • Higher operational overhead

BGP-Based Health Signaling

Health state can be propagated using Border Gateway Protocol (BGP) routing attributes.

Example design pattern: BGP Multi-Exit Discriminator (MED) is dynamically modified based on backend application health, so that each DC's routing preference follows the health of the applications behind it.

Example CLI command to verify routing status:

router# show ip bgp summary

SD-WAN Path Intelligence

Modern SD-WAN platforms continuously measure network SLA metrics including latency, jitter, and packet loss.

Routing decisions are made using SLA policy compliance instead of simple link up/down state.

Fortinet Native SASE Intelligence

Fortinet integrates security and networking intelligence using Secure Private Access (SPA) capabilities.

Primary Fortinet security gateway platform: FortiGate devices provide firewall, VPN, and SD-WAN orchestration capabilities.


Part 3: Design Pitfalls — Split-Brain, Flapping, and False Positives

Split-Brain Routing

Split-brain routing occurs when different PoPs or DCs make conflicting routing decisions.

Symptoms may include session instability and authentication failures.

Path Flapping

Flapping can be caused by overly aggressive health monitoring thresholds.

Engineers should implement hysteresis-based decision logic to stabilize routing behavior.
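The decision logic described under BGP-Based Health Signaling and SD-WAN Path Intelligence above, combined with the hysteresis recommended here against path flapping, as an added Python example. It is not code from the original article and not a Fortinet implementation; the SLA thresholds, the MED values (100/200/4000), the DC names and the monitoring samples are constructed assumptions. In a real deployment the computed MED would be applied through a route-map or equivalent policy on the DC edge, which is outside the scope of this example.

```python
"""Added example (not Fortinet code): aggregate per-DC SLA metrics and
application probes into a hysteresis-damped health state, then map that
state to the BGP MED each DC advertises toward the SASE PoP."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed MED values: BGP prefers the lower MED. None means "withdraw".
MED_PREFERRED = 100   # healthy primary DC
MED_BACKUP = 200      # healthy secondary DC
MED_DEGRADED = 4000   # every DC failed health: keep advertising, do not blackhole


@dataclass(frozen=True)
class SlaPolicy:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Sample:
    """One monitoring interval for one DC path (constructed values below)."""
    tunnel_up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    app_probe_ok: bool  # probe of the backend application behind the DC


def meets_sla(s: Sample, p: SlaPolicy) -> bool:
    """Tunnel state alone is not enough: SLA metrics and the app probe must pass."""
    return (s.tunnel_up and s.app_probe_ok
            and s.latency_ms <= p.max_latency_ms
            and s.jitter_ms <= p.max_jitter_ms
            and s.loss_pct <= p.max_loss_pct)


class DcHealth:
    """Hysteresis: `down_after` consecutive failures to go down, `up_after`
    consecutive passes to come back, so a brief blip does not flap the path."""

    def __init__(self, name: str, down_after: int = 3, up_after: int = 5) -> None:
        self.name = name
        self.down_after = down_after
        self.up_after = up_after
        self.healthy = True
        self.streak = 0  # consecutive samples contradicting the current state

    def update(self, sample_ok: bool) -> bool:
        if sample_ok == self.healthy:
            self.streak = 0
            return self.healthy
        self.streak += 1
        if self.streak >= (self.down_after if self.healthy else self.up_after):
            self.healthy = not self.healthy
            self.streak = 0
        return self.healthy


def advertise(dcs: List[DcHealth], primary: str) -> Dict[str, Optional[int]]:
    """MED per DC; None means the DC withdraws the prefix."""
    any_healthy = any(d.healthy for d in dcs)
    result: Dict[str, Optional[int]] = {}
    for d in dcs:
        if d.healthy:
            result[d.name] = MED_PREFERRED if d.name == primary else MED_BACKUP
        elif not any_healthy:
            # Every DC failing at once is more likely a monitor or upstream fault
            # than a real outage everywhere: keep advertising at low preference.
            result[d.name] = MED_DEGRADED
        else:
            result[d.name] = None
    return result


def run_scenario(samples_by_dc: Dict[str, List[Sample]], primary: str,
                 policy: SlaPolicy) -> List[Dict[str, Optional[int]]]:
    """Feed one sample per DC per interval and record what each DC advertises."""
    dcs = {name: DcHealth(name) for name in samples_by_dc}
    intervals = len(next(iter(samples_by_dc.values())))
    history = []
    for i in range(intervals):
        for name, samples in samples_by_dc.items():
            dcs[name].update(meets_sla(samples[i], policy))
        history.append(advertise(list(dcs.values()), primary))
    return history


# Constructed sample data: assumed thresholds, not from any real deployment.
POLICY = SlaPolicy(max_latency_ms=80.0, max_jitter_ms=10.0, max_loss_pct=1.0)
GOOD = Sample(True, 35.0, 2.0, 0.1, True)
LOSSY = Sample(True, 36.0, 3.0, 4.5, True)                # loss SLA breached, app fine
TUNNEL_UP_APP_DOWN = Sample(True, 34.0, 2.0, 0.0, False)  # tunnel up, application dead

SCENARIO = {
    "DC-A": [GOOD, LOSSY, LOSSY, GOOD] + [TUNNEL_UP_APP_DOWN] * 3 + [GOOD] * 5,
    "DC-B": [GOOD] * 12,
}

if __name__ == "__main__":
    for i, adv in enumerate(run_scenario(SCENARIO, "DC-A", POLICY), 1):
        print(f"interval {i:2d}: {adv}")
```

In the constructed scenario DC-A absorbs two lossy intervals without changing its advertisement (the down threshold is three), is withdrawn only after three consecutive intervals in which the tunnel is up but the application probe fails, and needs five clean intervals before it is preferred again. The all-DCs-unhealthy branch in `advertise` is a deliberate design choice against false positives: a monitor that can withdraw every path at once is itself a blackholing risk.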

Latency Skew

Geographic latency asymmetry can cause inconsistent path selection decisions.

Transport diversity and ISP peering quality must be considered during design.


Part 4: Production Reference Architectures

BGP Per Overlay Model

Each IPsec tunnel establishes independent BGP sessions.

  • Simple operational troubleshooting
  • Direct correlation between tunnel and routing health

Loopback-Based BGP with ADVPN

Auto-Discovery VPN (ADVPN) improves scalability for multi-DC environments.

This model is recommended for complex global enterprise networks.

Example verification command:

diagnose vpn tunnel list

Fortinet SASE Architecture Components

Fortinet SASE solutions typically integrate:

  • FortiSASE cloud security services
  • FortiGate SD-WAN edge networking
  • ZTNA security enforcement

Part 5: Migration and Procurement Validation Checklist

Lab Simulation Validation

Before production deployment, simulate failure scenarios and traffic load patterns.

Production Rollout Strategy

  1. Deploy SASE connectivity in controlled environments
  2. Validate application performance metrics
  3. Gradually migrate production traffic

Infrastructure Lifecycle Considerations

Hardware lifecycle and supply chain reliability should be evaluated when planning SASE deployments.

Infrastructure sourcing platforms such as Router-switch and IT-Price may assist during procurement research.


Part 6: FAQ

Q1. What is Fortinet SASE composed of?

Fortinet SASE typically includes FortiSASE cloud security services and FortiGate SD-WAN networking capabilities.

Q2. How does SASE prevent blackholing?

Through health SLA monitoring, routing policy control, and application-aware path selection.

Q3. Is SD-WAN required for SASE?

Not strictly required, but highly recommended for path optimization and automated failover.

Q4. What is the biggest design mistake in multi-DC SASE?

Relying only on tunnel interface state without validating application health metrics.
