Deploying FortiAnalyzer HA instances on GCP
To deploy FortiAnalyzer instances on GCP:
- In GCP, create the FortiAnalyzer instances in one Region in the same or different subnets.
The subnets must have the Private Google access option enabled in the Subnet details menu.
- Allocate a Static IP address to be used as the virtual IP (VIP) of the FortiAnalyzer HA.
Alternatively, a Secondary Internal IP can also be used as the VIP if necessary.
- While creating the External IP, ensure that the Static IP Network Service Tier is Premium and that the region is the same as that of the FortiAnalyzer instances.
The External VIP is assigned to an instance when that instance transitions to the Primary mode; fazutil running on the instance calls the Google APIs to move the address.
- Assign the required permissions in IAM for the service account associated with each of the FortiAnalyzer instances.
- Also ensure that the Cloud API access scopes for Compute Engine on each instance are set to Read Write.
Ensure that all the Google Cloud Platform Quotas under ListGroup have the necessary allocation; otherwise HA may fail.
- On a GCP Firewall Policy, create an inbound rule that allows traffic for the following ports between the primary and secondary units:
| Protocol | Port | Purpose |
| --- | --- | --- |
| Other* | 112 | To allow the keepalived adverts from the primary. |
| TCP | 514 | To allow initial log sync. |
| TCP | 5199 | To allow for configuration sync. |

* 112 is the IP protocol number of VRRP (Virtual Router Redundancy Protocol); it is also used by CARP (Common Address Redundancy Protocol, not IANA assigned).
You can now configure the HA settings in FortiAnalyzer. See Configuring FortiAnalyzer HA.
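The GCP-side steps above (Private Google Access on the subnet, the Premium-tier static VIP, the HA firewall rule, and the Compute read/write scope) as a gcloud script. This is an added example, not Fortinet's own tooling; the project, region, subnet, network tag and instance names are assumptions, and DRY_RUN=1 prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: GCP prerequisites for FortiAnalyzer HA via gcloud.
# Assumed values (not from the original page); override via the environment.
set -eu

PROJECT="${PROJECT:-my-faz-project}"
REGION="${REGION:-us-central1}"
SUBNET="${SUBNET:-faz-subnet}"
NETWORK="${NETWORK:-default}"
HA_TAG="${HA_TAG:-fortianalyzer-ha}"   # network tag carried by both HA members
VIP_NAME="${VIP_NAME:-faz-ha-vip}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: fazutil reaches the Google APIs from inside the instance, so the
# subnet needs Private Google Access.
enable_private_google_access() {
  run gcloud compute networks subnets update "$SUBNET" \
    --project="$PROJECT" --region="$REGION" --enable-private-ip-google-access
}

# Step 2: reserve the external static IP used as the HA VIP, Premium tier,
# in the same region as the instances.
reserve_vip() {
  run gcloud compute addresses create "$VIP_NAME" \
    --project="$PROJECT" --region="$REGION" --network-tier=PREMIUM
}

# Step 3: inbound rule for the HA traffic. Source and target are both the HA
# tag, so only the two FortiAnalyzer units can reach these services.
# 112 is the IP protocol number for VRRP (keepalived adverts), not a TCP port.
create_ha_firewall_rule() {
  run gcloud compute firewall-rules create "${HA_TAG}-inbound" \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --allow=tcp:514,tcp:5199,112 \
    --source-tags="$HA_TAG" --target-tags="$HA_TAG"
}

# Step 4: attach the service account and the Compute Engine read/write scope
# to a (stopped) instance. $1 = instance name, $2 = zone, $3 = service account.
set_instance_scope() {
  run gcloud compute instances set-service-account "$1" \
    --project="$PROJECT" --zone="$2" --service-account="$3" --scopes=compute-rw
}
```

Run the three network functions once per project, then set_instance_scope once for each FortiAnalyzer instance; the IAM role bound to that service account is whatever the FortiAnalyzer guide requires and is not set here.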
Transition of the secondary IP address during failover topology
In the example below, FortiAnalyzer-A is the Primary-HA and FortiAnalyzer-B is the Secondary-HA.
During failover, FortiAnalyzer-B becomes the new Primary unit. The External Static IP is transitioned from FortiAnalyzer-A to FortiAnalyzer-B and can be accessed from the internet using the same IP. The address does not change during the transition.
Prior to failover, the Secondary-HA (FortiAnalyzer-B) is not configured with an External Static IP address.