Fabric connection setup using FortiGate as an LB
The current FortiGate to EMS Fortinet Security Fabric connection in a high availability (HA) environment has the following limitations:
- If round robin is enabled on the DNS server, FortiOS may reach a secondary EMS node during Fabric connection, resulting in Fabric connection failure.
- If there is a Fabric connection that is already configured, after EMS failover, the connector disconnects, since DNS still resolves to the primary EMS node.
For EMS HA failover to function correctly with FortiOS Fabric connectors, you can use a FortiGate as a load balancer (LB). This effectively brokers the data routing to the correct EMS based on availability.
To demonstrate this configuration, the example EMS HA environment uses the following components:
- Two EMS 7.0.6 nodes configured in an HA environment
- FortiGate running FortiOS 7.0.6, acting as the LB
- FortiGate running FortiOS 7.0.6, acting as the gateway
- Endpoint running FortiClient 7.0.6
To configure a FortiGate as the LB:
1. On the FortiGate acting as the LB, configure the secondary IP address for port4. FortiOS uses this secondary IP address as a virtual IP address to connect with EMS. In this case, the virtual server IP address is 172.16.16.102.
2. Create a health check monitor:
   a. Go to Policy & Objects > Health Check.
   b. Click Create New.
   c. For Type, select TCP.
   d. In the Port field, enter 8013.
   e. Configure other fields as desired.
3. Create virtual servers:
   a. Go to Policy & Objects.
   b. Create a virtual server.
   c. In the Virtual Server IP field, enter the secondary IP address that you configured in step 1. In this example, it is 172.16.16.102.
   d. In the Virtual Server Port field, enter 8013.
   e. For Load Balancing method, select First Alive.
   f. For Health check, select the monitor that you configured in step 2.
   g. Configure real servers:
      i. On the Real Servers tab, select Create New.
      ii. In the IPv4 address field, enter the primary EMS node IP address. In this example, it is 192.168.0.4.
      iii. In the Port field, enter 8013.
      iv. In the Max connections field, enter 0.
      v. For Mode, select Active.
      vi. Repeat these steps for the secondary EMS node. Click Save.
   h. Repeat steps a-g to create three additional virtual servers. The additional servers use ports 443, 8015, and 10443, but otherwise have identical settings to the first virtual server created. If you have enabled Chromebook management, create a virtual server for port 8443. Similarly, if you require importing an ACME certificate, create a virtual server for port 80.
4. Create a security policy that includes the LB virtual servers as destination addresses:
   a. Go to Policy & Objects > Firewall Policy.
   b. Click Create New.
   c. Configure the Incoming Interface and Outgoing Interface fields. The outgoing interface connects to the primary EMS node.
   d. For Source, select all.
   e. In the Destination field, select the virtual servers that you created for ports 10443, 443, 8013, and 8015.
   f. For Service, select ALL.
   g. For Inspection Mode, select Proxy-based.
   h. Save the policy.
   i. If the EMS nodes are in different subnets, repeat these steps to configure a policy for the secondary EMS node. In this example, the nodes are in the same subnet, so you do not need to add a separate policy for the secondary EMS.
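The same LB configuration expressed in the FortiOS CLI, as an added example that is not taken from the Fortinet guide; it covers only the port 8013 virtual server (repeat it for 443, 8015, and 10443), assumes port4 faces the endpoints and port3 faces the EMS subnet, and uses a placeholder for the secondary EMS node IP address, which the example above does not give.

```fortios
# Added example (not from the Fortinet guide). Assumptions: port4 faces clients,
# port3 faces EMS, <SECONDARY_EMS_IP> is a placeholder for the second EMS node.
config firewall ldb-monitor
    edit "ems-tcp-8013"
        set type tcp
        set port 8013
    next
end
config firewall vip
    edit "ems-vs-8013"
        # Virtual server bound to the secondary IP configured on port4 (step 1).
        set type server-load-balance
        set extip 172.16.16.102
        set extintf "port4"
        set server-type tcp
        set extport 8013
        # first-alive: every session goes to the first real server that passes
        # the monitor, so the secondary EMS only receives traffic after failover.
        set ldb-method first-alive
        set monitor "ems-tcp-8013"
        config realservers
            edit 1
                set ip 192.168.0.4
                set port 8013
                set max-connections 0
                set status active
            next
            edit 2
                set ip <SECONDARY_EMS_IP>
                set port 8013
                set status active
            next
        end
    next
end
config firewall policy
    edit 0
        set name "endpoints-to-ems-lb"
        set srcintf "port4"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "ems-vs-8013"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
    next
end
```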
The FortiGate LB monitors the EMS nodes' statuses and forwards traffic to the active EMS node for ports 8013, 8015, 443, and 10443.
To configure the Fabric connection between FortiOS and EMS:
- In FortiOS, go to Security Fabric > Fabric Connectors.
- Under FortiClient EMS Settings, in the IP/Domain name field, enter the EMS fully qualified domain name (FQDN). The FQDN resolves to the virtual server IP address, which in this case is 172.16.16.102.
Similarly, the end user uses the FQDN to connect FortiClient to EMS.