Deploying FortiAnalyzer HA instances on GCP

To deploy FortiAnalyzer instances on GCP:
  1. In GCP, create the FortiAnalyzer instances in one Region in the same or different subnets.
    The subnets must have the Private Google access option enabled in the Subnet details menu.
  2. Allocate a Static IP address to be used as the virtual IP (VIP) of the FortiAnalyzer HA.
    Alternatively, a Secondary Internal IP can also be used as the VIP if necessary.
    • While creating the External IP, ensure that the Static IP Network Service Tier is Premium and the region is the same as that of the FortiAnalyzer instances.

    When an instance transitions to Primary mode, fazutil calls the Google APIs from within that instance to assign the External VIP to it.

  3. Assign the required permissions in IAM for the service account associated with each of the FortiAnalyzer instances.
  4. Also ensure that the Cloud API access scopes for Compute Engine on each instance are set to Read Write.

    Note

    Ensure that all Google Cloud Platform quotas under ListGroup have the necessary allocation; otherwise HA may fail.

  5. On a GCP Firewall Policy, create an inbound rule that allows traffic for the following protocols and ports between the primary and secondary units:

    Protocol   Port   Purpose
    Other*     112    To allow the keepalived adverts from the primary.
    TCP        514    To allow initial log sync.
    TCP        5199   To allow for configuration sync.

* 112: VRRP (Virtual Router Redundancy Protocol) / Common Address Redundancy Protocol (not IANA assigned). 112 is an IP protocol number rather than a TCP or UDP port, so the rule must allow protocol 112 itself.
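The five steps above as gcloud commands, added here as an example and not Fortinet's own tooling. Project, region, zone, network, subnet, instance names, service account, network tag and IAM role are assumed placeholders (the page does not name the IAM role), and the script prints each command without running it unless APPLY=1 is set.

```shell
# Added example, not from the Fortinet page: GCP prerequisites for FortiAnalyzer HA.
# All names below are assumed placeholders; the page does not name the IAM role,
# so set IAM_ROLE from your own policy before running with APPLY=1.
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"              # must match the FortiAnalyzer instances
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-faz-vpc}"
SUBNET="${SUBNET:-faz-subnet}"
HA_TAG="${HA_TAG:-faz-ha}"                   # network tag carried by both HA units
SA="${SA:-faz-ha@example-project.iam.gserviceaccount.com}"
IAM_ROLE="${IAM_ROLE:-ROLE_PLACEHOLDER}"
# Allow list for step 5: TCP 514 (log sync), TCP 5199 (config sync) and IP
# protocol 112 (VRRP keepalived adverts), which is a protocol number, not a port.
faz_ha_allow_spec() {
    printf 'tcp:514,tcp:5199,112'
}
check_allow_spec() {   # reject a spec that mistakes protocol 112 for a TCP/UDP port
    case ",$1," in *,tcp:112,*|*,udp:112,*) return 1 ;; esac
}
# Print each command; execute it only when APPLY=1 (dry run by default).
run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}
deploy_faz_ha_prereqs() {
    # Step 1: Private Google Access on the subnet, needed for fazutil's API calls
    run gcloud compute networks subnets update "$SUBNET" --project="$PROJECT" \
        --region="$REGION" --enable-private-ip-google-access
    # Step 2: static External IP used as the VIP; Premium tier, same region
    run gcloud compute addresses create faz-ha-vip --project="$PROJECT" \
        --region="$REGION" --network-tier=PREMIUM
    # Step 3: IAM binding for the service account attached to both instances
    run gcloud projects add-iam-policy-binding "$PROJECT" \
        --member="serviceAccount:$SA" --role="$IAM_ROLE"
    # Step 4: Read Write Compute Engine scope (instances must be stopped first)
    for inst in faz-a faz-b; do
        run gcloud compute instances set-service-account "$inst" --project="$PROJECT" \
            --zone="$ZONE" --service-account="$SA" --scopes=compute-rw
    done
    # Step 5: inbound rule restricted to the two HA units by network tag
    spec=$(faz_ha_allow_spec)
    check_allow_spec "$spec" || return 1
    run gcloud compute firewall-rules create faz-ha-sync --project="$PROJECT" \
        --network="$NETWORK" --direction=INGRESS --source-tags="$HA_TAG" \
        --target-tags="$HA_TAG" --allow="$spec"
}
deploy_faz_ha_prereqs
```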

You can now configure the HA settings in FortiAnalyzer. See Configuring FortiAnalyzer HA.

Transition of secondary IP address during failover topography

In the example below, FortiAnalyzer-A is the Primary-HA and FortiAnalyzer-B is the Secondary-HA.

During failover, FortiAnalyzer-B becomes the new Primary unit. The External Static IP is transitioned from FortiAnalyzer-A to FortiAnalyzer-B and can be accessed from the internet using the same IP. The address does not change during the transition.

Prior to failover, the Secondary-HA (FortiAnalyzer-B) is not configured with an External Static IP address.