Test case 2

Starting position:
  • Baltimore CA certificate installed on both FortiAnalyzers.

  • FAZHA001 is the primary.

  • FAZHA002 is the secondary.

  • lynx001 continuous ping targeting the VIP 10.0.10.10.

Note

The Baltimore CA certificate can be downloaded here: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

openssl x509 -in ~/Downloads/HA-Azure.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: xxxxxxxx (0x20000b9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Validity
            Not Before: May 12 18:46:00 2000 GMT
            Not After : May 12 23:59:00 2025 GMT
        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
                    d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
                    64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
                    62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
                    52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
                    73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
                    50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
                    a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
                    70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
                    d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
                    5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
                    98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
                    ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
                    39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
                    c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
                    ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
                    78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
                    1a:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:3
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
         85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
         bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
         76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
         12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
         ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
         74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
         05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
         31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
         9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
         1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
         73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
         7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
         9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
         fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
         ea:63:39:a9

FAZHA001 Baltimore CA certificate installed:

config system certificate ca
    edit "HA-Azure"
        set ca "-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----"
        set comment "Created by CA certificate"
    next
end

FAZHA002 Baltimore CA certificate installed:

config system certificate ca
    edit "HA-Azure"
        set ca "-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----"
        set comment "Created by CA certificate"
    next
end
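Before running the failover it is worth confirming that the CA just installed as "HA-Azure" is actually a trust anchor for the chain that management.azure.com presents: "x509: certificate signed by unknown authority" is the Go crypto/x509 error that the Azure SDK client in clusterd reports when it is not. The script below is an added example and is not part of the Fortinet page or of FortiAnalyzer itself. It assumes the openssl CLI is available, embeds the Baltimore CyberTrust Root PEM exactly as shown above, and builds a throwaway two-root PKI (constructed here, names rootA, rootB and management.example are made up) to show the "trusted" and "unknown-authority" outcomes offline. The fetch_chain function is the live check against the real endpoint and is left commented out.

```shell
#!/bin/sh
# Added example, not part of the Fortinet page or of FortiAnalyzer itself:
# check whether the CA installed as "HA-Azure" (the Baltimore CyberTrust Root
# PEM copied from the page) is really a trust anchor for the chain a TLS
# endpoint presents. "x509: certificate signed by unknown authority" is the
# Go crypto/x509 error faz-ha.log shows when it is not. Needs openssl.
set -eu

WORK=$(mktemp -d)

# The installed CA, verbatim from the page's "config system certificate ca".
cat > "$WORK/HA-Azure.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
EOF

# describe_ca FILE: subject, expiry and SHA-256 fingerprint, so the installed
# entry can be compared with the root list on the Azure CA details page.
describe_ca() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 -enddate \
        -fingerprint -sha256
}

# fetch_chain HOST OUTFILE: save the chain HOST presents on 443 (live network
# check; not run by the offline demonstration below).
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# verify_with_ca CAFILE CHAINFILE: verify the leaf (first cert in CHAINFILE)
# with CAFILE as the only trust anchor and the rest of the chain as untrusted
# intermediates. Prints "trusted" or "unknown-authority".
verify_with_ca() {
    leaf="$WORK/leaf.$$.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$2" > "$leaf"
    if openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-authority
    fi
}

# Offline demonstration with a constructed PKI: two self-signed roots carrying
# the same CA extensions the page's openssl output shows (CA:TRUE, Certificate
# Sign, CRL Sign) and a leaf issued by root A only. Root B plays the part of a
# CA the endpoint does not chain to, which is the situation behind the error.
make_demo_pki() {
    d="$WORK/demo"
    mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    for r in rootA rootB; do
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$r" -keyout "$d/$r.key" -out "$d/$r.crt" 2>/dev/null
    done
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=management.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootA.crt" -CAkey "$d/rootA.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    # What a server would send: leaf first, then its issuer chain.
    cat "$d/leaf.crt" "$d/rootA.crt" > "$d/chain.pem"
}

make_demo_pki
describe_ca "$WORK/HA-Azure.crt"
echo "leaf vs root A: $(verify_with_ca "$WORK/demo/rootA.crt" "$WORK/demo/chain.pem")"
echo "leaf vs root B: $(verify_with_ca "$WORK/demo/rootB.crt" "$WORK/demo/chain.pem")"
# Live check against the real endpoint (run on a host with egress):
# fetch_chain management.azure.com "$WORK/azure.pem"
# verify_with_ca "$WORK/HA-Azure.crt" "$WORK/azure.pem"
```

Compare the subject and fingerprint that describe_ca prints with the root list on the Azure CA details page linked above, and run the live check from a host that can reach management.azure.com. A trust store whose only root is not the issuer of the chain the endpoint sends produces exactly the unknown-authority result, regardless of whether that root is itself valid, so installing a CA on both cluster members is only useful if it is the CA the endpoint actually chains to.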

Result:

After executing diagnose ha failover on the primary (FAZHA001), the ping to the VIP stopped responding. The HA role change itself worked as expected and the new primary is now FAZHA002 (see below), but the VIP did not follow it to FAZHA002.

After running the failover again to switch back to FAZHA001, the ping to the VIP immediately starts working again, which is consistent with the VIP never having left FAZHA001's interface.

lynx001 ping:

azureuser@lynx01:~$ ping 10.0.10.10
PING 10.0.10.10 (10.0.10.10) 56(84) bytes of data.
64 bytes from 10.0.10.10: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 10.0.10.10: icmp_seq=2 ttl=64 time=1.25 ms
64 bytes from 10.0.10.10: icmp_seq=3 ttl=64 time=0.727 ms
64 bytes from 10.0.10.10: icmp_seq=4 ttl=64 time=0.885 ms
64 bytes from 10.0.10.10: icmp_seq=5 ttl=64 time=0.727 ms
64 bytes from 10.0.10.10: icmp_seq=6 ttl=64 time=0.670 ms
64 bytes from 10.0.10.10: icmp_seq=7 ttl=64 time=0.757 ms
64 bytes from 10.0.10.10: icmp_seq=8 ttl=64 time=1.29 ms

FAZHA001 diagnose ha status:

HA-Status: Secondary
up-time: 4m49.389s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx3
fazuid: 3433169053
hostname: fazha001
load balance status: 0x0
HA-Primary fazha@10.0.10.5 FAZVMSTMxxxxxxx4
    ip: 10.0.10.5
    serial-no: FAZVMSTMxxxxxxx4
    fazuid: 4148610926
    hostname: fazha002
    conn-st: up
    up/down-time: 4m47.987s
    conn-msg:
    cfgsync-st: up, 4m29.881s
    data-init-sync-st: done, 4m43.984

FAZHA001 checking HA log:

tail -f /var/private/clusterd/faz-ha.log
2023/02/02 10:45:30 [add-ip] retry...
2023/02/02 10:45:30 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
2023/02/02 11:11:40 <729> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:11:40 <729> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:11:40 <729> main: -> BACKUP
2023/02/02 11:11:40 <729> to_BACKUP: -> BACKUP
2023/02/02 11:16:16 <2716> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:16 <2716> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:16:16 <2716> main: -> MASTER
2023/02/02 11:16:17 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:18:36 <3398> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:36 <3398> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:18:36 <3398> main: -> STOP
2023/02/02 11:18:36 <3398> main: -> STOP
2023/02/02 11:18:37 <3412> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:37 <3412> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:18:37 <3412> main: -> BACKUP
2023/02/02 11:18:37 <3412> to_BACKUP: -> BACKUP

FAZHA002 diagnose ha status:

HA-Status: Primary
up-time: 4m26.266s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx4
fazuid: 4148610926
hostname: fazha002
load balance status: 0x8
HA-Secondary fazha@10.0.10.4 FAZVMSTMxxxxxxx3
    ip: 10.0.10.4
    serial-no: FAZVMSTMxxxxxxx3
    fazuid: 3433169053
    hostname: fazha001
    conn-st: up
    up/down-time: 4m25.952s
    conn-msg:
    cfgsync-st: up, 4m5.542s
    data-init-sync-st: done, 4m11.562s

FAZHA002 checking HA log:

tail -f /var/private/clusterd/faz-ha.log
2023/02/02 11:11:41 <7372> main: -> MASTER
2023/02/02 11:11:42 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:16:15 <8220> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:15 <8220> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:16:15 <8220> main: -> STOP
2023/02/02 11:16:15 <8220> main: -> STOP
2023/02/02 11:16:16 <8233> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:16 <8233> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:16:16 <8233> main: -> BACKUP
2023/02/02 11:16:16 <8233> to_BACKUP: -> BACKUP
2023/02/02 11:18:37 <9783> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:37 <9783> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:18:37 <9783> main: -> MASTER
2023/02/02 11:18:38 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:19:12 [add-ip] error: network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
2023/02/02 11:19:17 [add-ip] retry...
2023/02/02 11:19:17 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority

Note

The above shows that the private VIP cannot be transferred to the new primary FAZHA002: the [add-ip] step, which lists the network interfaces through the Azure Resource Manager API (network.InterfacesClient#List against management.azure.com) as part of moving the VIP, fails with x509: certificate signed by unknown authority, and the retry fails the same way. The TLS chain presented by management.azure.com is therefore not anchored by any CA that FortiAnalyzer trusts, the installed Baltimore CyberTrust Root included.
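To turn the log reading above into a repeatable check, the script below walks a faz-ha.log and, for every promotion to MASTER, reports whether an [add-ip] line carrying the unknown-authority error was logged before the node left that role (STOP or BACKUP). This is an added example and is not part of the Fortinet page or of FortiAnalyzer; the sample log is constructed from the FAZHA002 excerpt above, with the subscription ID redacted as on the page.

```shell
#!/bin/sh
# Added example, not part of the Fortinet page: audit a FortiAnalyzer
# /var/private/clusterd/faz-ha.log and report, for every promotion to MASTER,
# whether the Azure VIP move ("[add-ip]") that follows it logged the
# unknown-authority error before the node left the MASTER role again.
set -eu

# audit_faz_ha_log LOGFILE: prints one line per MASTER period.
audit_faz_ha_log() {
    awk '
        function report() {
            printf "%s promoted to MASTER: ", ts
            if (err != "")
                printf "[add-ip] FAILED (%s)\n", err
            else
                printf "no [add-ip] error logged (%d add-ip line(s))\n", addip
        }
        # A MASTER period starts here; close a still-open one first.
        /main: -> MASTER/ {
            if (ts != "") report()
            ts = $1 " " $2; err = ""; addip = 0
            next
        }
        # Leaving MASTER (STOP or BACKUP) closes the period.
        /main: -> (STOP|BACKUP)/ {
            if (ts != "") report()
            ts = ""
            next
        }
        # Every [add-ip] line inside a MASTER period is counted; the x509
        # error is the one the page shows.
        /\[add-ip\]/ && ts != "" {
            addip++
            if ($0 ~ /x509: certificate signed by unknown authority/)
                err = "x509: certificate signed by unknown authority"
        }
        END { if (ts != "") report() }
    ' "$1"
}

# count_failed_vip_moves LOGFILE: number of MASTER periods with a failed move.
count_failed_vip_moves() {
    audit_faz_ha_log "$1" | grep -c 'FAILED' || true
}

# Sample log constructed from the FAZHA002 excerpt on the page (subscription
# ID redacted as there).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2023/02/02 11:11:41 <7372> main: -> MASTER
2023/02/02 11:11:42 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:16:15 <8220> main: -> STOP
2023/02/02 11:16:16 <8233> main: -> BACKUP
2023/02/02 11:16:16 <8233> to_BACKUP: -> BACKUP
2023/02/02 11:18:37 <9783> main: -> MASTER
2023/02/02 11:18:38 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:19:12 [add-ip] error: network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
2023/02/02 11:19:17 [add-ip] retry...
EOF

audit_faz_ha_log "$SAMPLE_LOG"
echo "failed VIP moves: $(count_failed_vip_moves "$SAMPLE_LOG")"
```

On a cluster member, run audit_faz_ha_log /var/private/clusterd/faz-ha.log after a failover. A period with no error line is not proof that the VIP moved (the excerpt's first promotion at 11:11:41 logs no error even though the page reports the ping stalled then), so pair the audit with an external ping of the VIP or a look at the NIC's IP configurations in Azure.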
