Deploying FortiAnalyzer HA instances on Azure

To deploy FortiAnalyzer instances on Azure:
  1. In the Azure GUI, create the FortiAnalyzer instances in one Resource Group, in the same or different subnets.
    Deploying the instances in different VNets is currently not supported because the Public IP being assigned is a regional resource.
  2. In the same Resource Group, create a Static Public IP to be used as the Virtual IP (VIP) of the FortiAnalyzer HA. Alternatively, a Secondary Internal IP can also be used as the VIP if necessary.
    While creating the External IP, ensure that the SKU is Basic, the Tier is Regional, and the location is the same as that of the FortiAnalyzer instances.

    Note: For a more secure deployment, use Standard as the Public IP SKU. For further configuration information, see Azure Public IP and Azure Network Security Groups.

    The External VIP is assigned to an instance when its mode transitions to Primary. The assignment is made by fazutil, which calls the Azure APIs from within the instance.

  3. For each FortiAnalyzer instance, navigate to the instance, go to Settings > Identity, and set System assigned to ON.
  4. Under Azure role assignments, add a role capable of editing the VM with the Scope set as Resource Group.
  5. On the Azure Network Security Group, create an inbound rule that allows traffic for the following ports between the primary and secondary units:

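    | Protocol | Port | Purpose                                           |
    |----------|------|---------------------------------------------------|
    | Other*   | 112  | To allow the keepalived adverts from the primary. |
    | TCP      | 514  | To allow initial log sync.                        |
    | TCP      | 5199 | To allow for configuration sync.                  |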

* 112: VRRP (Virtual Router Redundancy Protocol); Common Address Redundancy Protocol (not IANA assigned)

You can now configure the HA settings in FortiAnalyzer. See Configuring FortiAnalyzer HA.
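The inbound rule in step 5 is meant for traffic between the primary and secondary units only. The following check is an added example, not part of Fortinet's documentation: it reads NSG rules in the field layout that `az network nsg rule list -o json` produces and reports, for each HA flow in the table, whether it is missing, limited to the peer unit, or open to wider sources. The peer address `10.0.1.5`, the rule names, and the use of NSG protocol `*` to carry IP protocol 112 are assumptions.

```python
import ipaddress

# HA flows from the table above. Assumption: an NSG rule cannot select IP
# protocol 112 by number, so the keepalived rule has to use protocol "*".
REQUIRED = {"tcp/514": ("tcp", 514), "tcp/5199": ("tcp", 5199), "proto/112": ("*", None)}

def _values(rule, single, plural):
    one = rule.get(single)  # Azure fills either the singular or the plural field
    return ([one] if one else []) + list(rule.get(plural) or [])

def _port_in(spec, port):
    if spec == "*" or port is None:
        return spec == "*"  # a flow without ports is matched only by "*"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _covers(rule, proto, port):
    if rule["direction"].lower() != "inbound" or rule["access"].lower() != "allow":
        return False
    if rule["protocol"].lower() not in (proto, "*"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return any(_port_in(p, port) for p in ports)

def _is_peer(source, peers):
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:  # "*", "Internet", "VirtualNetwork" and other tags
        return False
    return net.num_addresses == 1 and str(net.network_address) in peers

def audit(rules, peers):
    """Map each HA flow to 'missing', 'peer-only' or 'overexposed' (priority and Deny rules ignored)."""
    result = {}
    for flow, (proto, port) in REQUIRED.items():
        hits = [r for r in rules if _covers(r, proto, port)]
        srcs = [s for r in hits for s in _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")]
        scoped = bool(srcs) and all(_is_peer(s, peers) for s in srcs)
        result[flow] = "missing" if not hits else "peer-only" if scoped else "overexposed"
    return result

# Constructed sample rules for the NSG of one unit; the peer unit is 10.0.1.5.
SAMPLE = [
    {"name": "ha-logsync", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.1.5", "destinationPortRange": "514"},
    {"name": "ha-confsync", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "5000-5200"},
]
print(audit(SAMPLE, {"10.0.1.5"}))
```

Only the rules passed in are evaluated, so default rules appear in the result only if they are included in the export.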

Transition of secondary IP address during failover topography

In the example below, FortiAnalyzer-A is the Primary-HA and FortiAnalyzer-B is the Secondary-HA.

During failover, FortiAnalyzer-B becomes the new Primary unit. The Static Public IP is transitioned from FortiAnalyzer-A to FortiAnalyzer-B, and can be accessed from the internet using the same IP. The address does not change during transition.

Prior to failover, the Secondary-HA (FortiAnalyzer-B) is not configured with a Static Public IP address.
