Another Fortinet question

Hello all,

A company I'm doing work for has come into a second Fortigate and I'd like to put it into good High Availability use. They're both Fortigate 80Fs.

So right now I have the one Fortigate with two WAN connections, and two of the ports connected to a MC-LAG set. I figure to duplicate the LAN part of it on the other Fortigate, and then just configure two of the other ports on each for heartbeat.

My simple thought process would be to use one of the other Fortiswitches I have, and configure 3-4 ports as a VLAN for WAN1 and 3-4 other ports as a VLAN for WAN2, connect the WAN ports of the Fortigates to those ports alongside the connection to the telco's modem, and it should just work, right, all other things being equal?

Anything else I should be thinking about?
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
First, I would definitely suggest you stick with an A/P setup and not try for A/A HA as that will have other complications I won't bother to get into here.

I have a similar setup, but I would NOT suggest using an existing fortiswitch port group because maintenance and uptime on those is yet one more issue to deal with. I went with some basic unmanaged fanless switches by netgear that were rack-mountable since our infrastructure is in a rack. I got three of them... one for each WAN link we have and one as a cold spare should one ever die. It's technically a SPOF, but unmanaged switches are so infrequently an issue I wouldn't go crazy about it when you have two WAN links. I am way more worried about fortiswitch reliability and uptime with reboots, and the number of times their switch firmware has required the switch to be wiped and a new config downloaded from the fortigate (on a managed fortilink) is unfortunately way more frequent than it should be.
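The active-passive pair the original post describes (two dedicated heartbeat ports, two WAN uplinks), written out as FortiOS CLI. This is an added example, not configuration from any poster; the port names (port7/port8 for heartbeat, wan1/wan2 for the uplinks), group name, group-id and priority values are assumptions, and the same block goes on both 80Fs with only the priority differing.

```fortios
# Added example: FortiOS CLI for an active-passive (A/P) HA pair.
# Assumptions: port7 and port8 are the two direct heartbeat links between the
# units, wan1 and wan2 are the two ISP-facing ports, and the group name,
# group-id and priorities are made up for illustration.
config system ha
    set group-name "fw-ha-example"
    # The cluster's virtual MAC addresses are derived from group-id, so any
    # other HA cluster on the same L2 segment needs a different value.
    set group-id 5
    set mode a-p
    # Shared secret so a stray FortiGate on the heartbeat links cannot join
    set password "REPLACE-WITH-A-STRONG-SECRET"
    # Two heartbeat interfaces with equal priority (50); no other traffic on them
    set hbdev "port7" 50 "port8" 50
    # Fail over when an ISP-facing link drops, not only when the whole unit dies
    set monitor "wan1" "wan2"
    # Carry existing sessions across a failover
    set session-pickup enable
    # Do not fail back automatically when the old primary returns; that would
    # cause a second interruption
    set override disable
    # Primary unit: 200. Secondary unit: 100. Everything else is identical.
    set priority 200
end
# Check the cluster from either unit after both sides are configured:
# get system ha status
```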
 

Xelas

Ars Praefectus
5,444
Subscriptor++
In addition to the above - one peculiarity of Fortinet's HA setup is that the MAC IDs on the WAN ports and LAN ports get replicated between the HA pair. That confuses some managed switches and you might see "MAC ID flapping" errors during failover.
I'll reiterate that the best way, by far, of splitting a WAN between the pair is via "dumb" switches. This is also simpler from a security standpoint because you are not potentially exposing a managed switch to the internet if there is a misconfiguration, switch software vulnerability, your password gets compromised via a dictionary attack, or if the switch dumps its config due to age/corruption and reverts to a factory default setup (which I've had happen).
The only thing I'll add to this, though, is think through your redundant power situation, too. For example, if you don't have 2 independent power circuits coming in from 2 different panels and only have a UPS, then I'd still consider putting in a PDU with an auto-transfer switch (ATS) and put in one leg through the UPS and the other one bypassing it. Your UPS is more likely to fail than a PDU with an ATS, and the ATS will let you service the UPS without taking the network down. This will get you some power redundancy for the simpler "dumb" switches, and many times, the ISP's equipment does not have redundant power supplies, either.
Example of a PDU with ATS: https://www.amazon.com/Tripp-Lite-100-127V-Rack-Mount-PDUMH15AT/dp/B000MNBWW0

The design of your redundant/backup power situation will depend highly on what your situation is, but the gist of the design boils down to making sure that any one failure of any cable, device, power circuit/breaker, or internet service will not result in a network outage.
If you want to be sure of your setup and to validate this, come in after hours and actually try to sabotage the setup by pulling out cords and shutting down equipment to actually test that the failover, backup power supplies, ATS devices, and redundancy actually work and to catch cases where, for example, the ATS is defective and makes a device reboot during transfer.
Think about redundancy on the LAN side, too.

EDIT: Oh - be aware of licensing implications with Fortinet. I think they charge 50% of the license costs for a 2nd device running in an HA setup, regardless of whether it's A/A or A/P
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
EDIT: Oh - be aware of licensing implications with Fortinet. I think they charge 50% of the license costs for a 2nd device running in an HA setup, regardless of whether it's A/A or A/P
It's worse than that... I think they have a deal going on right now for a few select devices if you buy new hardware where that is the case, but otherwise it's 100% the same price. That was really annoying coming from Watchguard where they just had an HA license for the 2nd unit that was at a significantly reduced price, but with Fortinet assume your licensing costs just doubled! With the 80F, that shouldn't be too bad, but it really starts adding up with the 100+ series devices.