Deploying FortiAnalyzer HA instances on AWS

To deploy FortiAnalyzer instances on AWS:
  1. In AWS, create the FortiAnalyzer instances in one VPC, either in the same subnet or in different subnets.
  2. Allocate an Elastic IP address to be used as the virtual IP (VIP) of the FortiAnalyzer HA. Alternatively, a Secondary Internal IP can also be used as the VIP if necessary.
    • The External VIP is assigned to an instance when its mode transitions to Primary; fazutil, running within the instance, calls the AWS EC2 APIs to perform the assignment.
  3. Assign an existing IAM role or create one with the permissions required to assign/re-assign IP addresses for the FortiAnalyzer instance.
    1. Assign said IAM role to both FortiAnalyzer instances by going to the FortiAnalyzer Instance Summary > Actions > Security > Modify IAM Role.
    2. Select the previously mentioned IAM role, and click Save.
    3. If an IAM role cannot be assigned, you can instead supply the AWS access key ID and secret access key of an IAM user with the appropriate permissions using the FortiAnalyzer CLI. In the FortiAnalyzer CLI, enter the following:

      config system ha
        set aws-access-key-id <access_key_id>
        set aws-secret-access-key <secret_key>
      end

  4. Create an Inbound Rule on the AWS Network Security Group assigned to the FortiAnalyzer HA interface.
    1. To allow the keepalived adverts from the Primary:
      • On the Primary instance, allow TCP traffic destined for Port 112 from the local subnet of the Secondary instance and vice versa.
        • If both instances are in the same subnet, allow Port 112 from the same local subnet.
    2. To allow initial logs sync:
      • On the Primary instance, allow inbound TCP traffic destined for port 514, originating from the local subnet of the Secondary instance and vice versa.
    3. To allow for configuration sync:
      • On the Primary instance, allow inbound TCP traffic destined for port 5199, originating from the local subnet of the Secondary instance and vice versa.
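The following is an added example, not Fortinet's code: it generates the two AWS inputs from steps 3 and 4 above, a least-privilege IAM policy document for the IP-reassignment role and the per-unit security-group ingress rules (TCP 112, 514 and 5199, each admitted only from the peer's local subnet), and checks that no HA port ends up open to the world. The EC2 actions in the policy are an assumption (the page does not list them), and the subnet CIDRs are constructed sample values.

```python
"""Build the IAM policy and security-group ingress rules for a FortiAnalyzer HA pair on AWS.
Runs offline; the JSON it emits is what you would pass to
`aws iam create-policy --policy-document` and `aws ec2 authorize-security-group-ingress --ip-permissions`."""
import ipaddress
import json

# Ports the procedure above lists for HA traffic between the two units (TCP, as stated there).
HA_PORTS = {112: "keepalived adverts", 514: "initial log sync", 5199: "configuration sync"}

# Assumed EC2 actions needed to move the Elastic IP / secondary private IP to the new Primary.
# The page does not enumerate them; keep the list this small rather than granting ec2:*.
VIP_ACTIONS = [
    "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
    "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
]

def vip_role_policy(actions=VIP_ACTIONS):
    """IAM policy document for the role from step 3, scoped to the VIP move only."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

def ha_ingress_rules(primary_subnet, secondary_subnet, ports=HA_PORTS):
    """Step 4: each unit admits the HA ports only from the peer's local subnet.
    When both units share one subnet the two rule sets collapse to the same source CIDR."""
    p = ipaddress.ip_network(primary_subnet, strict=False)
    s = ipaddress.ip_network(secondary_subnet, strict=False)
    def rules(source):
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": str(source), "Description": f"FAZ HA: {why}"}]}
                for port, why in sorted(ports.items())]
    return {"primary": rules(s), "secondary": rules(p)}

def check_rules(rule_sets):
    """Sanity check before applying: no HA port reachable from 0.0.0.0/0 or ::/0, no port ranges."""
    problems = []
    for unit, rules in rule_sets.items():
        for r in rules:
            if r["FromPort"] != r["ToPort"]:
                problems.append(f"{unit}: port range on {r['FromPort']}-{r['ToPort']}")
            for ipr in r["IpRanges"]:
                if ipaddress.ip_network(ipr["CidrIp"], strict=False).prefixlen == 0:
                    problems.append(f"{unit}: port {r['FromPort']} open to {ipr['CidrIp']}")
    return problems

if __name__ == "__main__":
    rules = ha_ingress_rules("10.0.1.0/24", "10.0.2.0/24")  # constructed sample subnets
    print(json.dumps(vip_role_policy(), indent=2))
    print(json.dumps(rules, indent=2))
    print("rule check:", check_rules(rules) or "ok")
```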

Transition of secondary IP address during failover topography

In the example below, FortiAnalyzer-A is the Primary-HA and FortiAnalyzer-B is the Secondary-HA.

During failover, FortiAnalyzer-B becomes the new Primary unit. The secondary IP is transitioned from FortiAnalyzer-A to FortiAnalyzer-B and remains reachable from the internet through the same Elastic IP. Neither the secondary IP nor the Elastic IP address changes during the transition.

Prior to failover, the Secondary-HA (FortiAnalyzer-B) is not configured with a secondary IP address.
