Configuring the HAVIP on the AliCloud web console
- Create a new HAVIP address. Select the VPC and FortiGate-VM port1 VSwitch, and set the HAVIP address.
- Set the HA configuration on the FortiGate via the VNC console on the AliCloud Web GUI, or via SSH.
- Set the configuration on the primary FortiGate as follows. In this example, 192.168.3.253 is the gateway on the VSwitch, while 192.168.1.250 is the IP address of the secondary FortiGate's port2. Note that the FortiGate with the higher priority value becomes the primary FortiGate.
config system ha
set group-name "ha"
set mode a-p
set hbdev "port2" 0
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interface
edit 1
set interface "port3"
set gateway 192.168.3.253
next
end
set priority 200
set monitor "port1"
set unicast-hb enable
set unicast-hb-peerip 192.168.1.250
end
- Set the configuration on the secondary FortiGate as follows. Here, 192.168.1.249 is the IP address of the primary FortiGate's port2.
config system ha
set group-name "ha"
set mode a-p
set hbdev "port2" 0
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interface
edit 1
set interface "port3"
set gateway 192.168.3.253
next
end
set priority 100
set monitor "port1"
set unicast-hb enable
set unicast-hb-peerip 192.168.1.249
end
- Reboot the two FortiGates.
- Check the HA status by running
diagnose sys ha status
in the CLI. It should show the following:
- Set the HAVIP address as the port1 secondary IP address on the two FortiGates. On both FortiGates, configure the following. The secondary IP address configured below should be the same as the HAVIP address.
config system interface
edit "port1"
set secondary-IP enable
config secondaryip
edit 1
set ip 192.168.0.252 255.255.255.0
set allowaccess ping https ssh
next
end
next
end
- Bind the elastic IP address and the two FortiGate ECS to HAVIP.
- Create a new EIP.
- Bind the EIP to the HAVIP.
- Bind the two FortiGates to the HAVIP.
- You must add the route entry to the FortiGate to ensure all outgoing traffic from ECS goes through the FortiGate.
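The unicast heartbeat peer IPs, the priorities and the port1 secondary IP above are easy to mistype or swap between the two units. The following Python check is an added example, not part of the original guide or of any Fortinet tool; the function names are hypothetical and the sample text is constructed from the settings shown in the steps above.

```python
import re

# Constructed sample input, trimmed to the settings that are checked.
PRIMARY_HA = '''config system ha
set group-name "ha"
set mode a-p
set hbdev "port2" 0
set priority 200
set monitor "port1"
set unicast-hb enable
set unicast-hb-peerip 192.168.1.250
end'''
SECONDARY_HA = (PRIMARY_HA.replace("priority 200", "priority 100")
                .replace("192.168.1.250", "192.168.1.249"))
PORT1 = '''config system interface
edit "port1"
set secondary-IP enable
config secondaryip
edit 1
set ip 192.168.0.252 255.255.255.0
next
end
next
end'''

def parse_sets(text):
    """Flatten 'set <key> <value>' lines into a dict, with quotes removed."""
    found = re.findall(r'^[ \t]*set[ \t]+(\S+)[ \t]+(.*\S)[ \t]*$', text, re.M)
    return {key: value.replace('"', '') for key, value in found}

def check_ha_pair(primary, secondary, primary_hb_ip, secondary_hb_ip):
    """Return a list of mismatches in a unicast active-passive HA pair."""
    p, s = parse_sets(primary), parse_sets(secondary)
    problems = [f"{k} differs" for k in ("group-name", "mode", "hbdev", "monitor")
                if p.get(k) != s.get(k)]
    for name, cfg, peer in (("primary", p, secondary_hb_ip),
                            ("secondary", s, primary_hb_ip)):
        if cfg.get("unicast-hb") != "enable":
            problems.append(f"{name}: unicast-hb not enabled")
        if cfg.get("unicast-hb-peerip") != peer:
            problems.append(f"{name}: unicast-hb-peerip should be {peer}")
    if int(p.get("priority", 0)) <= int(s.get("priority", 0)):
        problems.append("primary priority is not higher than secondary")
    return problems

def check_havip(port1, havip):
    """Return a problem if port1's secondary IP is not the HAVIP address."""
    m = re.search(r'config secondaryip.*?set ip (\S+)', port1, re.S)
    return [] if m and m.group(1) == havip else [f"port1 secondary IP should be {havip}"]
```

Both functions return an empty list when the pair is consistent, for example `check_ha_pair(PRIMARY_HA, SECONDARY_HA, "192.168.1.249", "192.168.1.250")`.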