GCP Administration Guide

Deploying FortiGate-VM HA on GCP in one zone

FortiGate-VM for Google Cloud Marketplace supports using the FortiGate Clustering Protocol (FGCP) in unicast form to provide an active-passive (A-P) HA clustering solution for deployments in GCP. This feature shares most of the functionality that FGCP provides on FortiGate hardware, including configuration and session synchronization, with key changes to support GCP software-defined networking (SDN).

This solution works with two FortiGate instances configured as a primary and secondary pair, and requires that you deploy each instance with four network interfaces, within the same availability zone. These FortiGate instances act as a single logical instance and share interface IP addressing.

When deploying a FortiGate-VM HA cluster, choose a VM type that supports four or more network interfaces for each FortiGate-VM instance, as GCP does not allow adding network interfaces after you deploy the VMs. You can attach multiple network interfaces only when creating the VM instance on GCP.

The two FortiGate-VM instances must be the same machine type.
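Because interfaces cannot be added after creation, it is worth checking a planned or freshly created pair against these requirements before configuring HA. The following is an added example, not Fortinet's tooling: it takes two instance descriptions shaped like the JSON from `gcloud compute instances describe --format=json` and reports violations. The instance, project, and subnet names are constructed, and the check that peer interfaces share a subnetwork is an assumption drawn from the shared interface addressing described above.

```python
REQUIRED_NICS = 4  # per this guide: four network interfaces on each instance

def tail(url):
    """Compute Engine returns zone, machineType and subnetwork as URLs."""
    return url.rstrip("/").rsplit("/", 1)[-1]

def check_ha_pair(a, b):
    """Return a list of problems that block a one-zone A-P HA pair."""
    problems = []
    for inst in (a, b):
        count = len(inst.get("networkInterfaces", []))
        if count < REQUIRED_NICS:
            problems.append(f"{inst['name']}: {count} NICs, need {REQUIRED_NICS} "
                            "(cannot be added after creation)")
    if tail(a["zone"]) != tail(b["zone"]):
        problems.append(f"zone mismatch: {tail(a['zone'])} vs {tail(b['zone'])}")
    if tail(a["machineType"]) != tail(b["machineType"]):
        problems.append("machine type mismatch: "
                        f"{tail(a['machineType'])} vs {tail(b['machineType'])}")
    # Assumption: interface N on both peers attaches to the same subnetwork.
    pairs = zip(a.get("networkInterfaces", []), b.get("networkInterfaces", []))
    for i, (nic_a, nic_b) in enumerate(pairs):
        if tail(nic_a["subnetwork"]) != tail(nic_b["subnetwork"]):
            problems.append(f"nic{i}: peers are on different subnetworks")
    return problems

def make_instance(name, zone, machine, subnets):
    """Build a constructed instance description with only the fields checked."""
    base = "https://www.googleapis.com/compute/v1/projects/example-project"
    return {
        "name": name,
        "zone": f"{base}/zones/{zone}",
        "machineType": f"{base}/zones/{zone}/machineTypes/{machine}",
        "networkInterfaces": [
            {"name": f"nic{i}",
             "subnetwork": f"{base}/regions/us-central1/subnetworks/{s}"}
            for i, s in enumerate(subnets)
        ],
    }

# Constructed sample data (hypothetical names throughout).
SUBNETS = ["external", "internal", "ha-sync", "mgmt"]
GOOD_A = make_instance("fgt-a", "us-central1-a", "n2-standard-4", SUBNETS)
GOOD_B = make_instance("fgt-b", "us-central1-a", "n2-standard-4", SUBNETS)
BAD_B = make_instance("fgt-b", "us-central1-b", "n2-standard-2", SUBNETS[:2])

if __name__ == "__main__":
    for line in check_ha_pair(GOOD_A, BAD_B) or ["pair meets the requirements"]:
        print(line)
```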

The main benefits of this solution are:

  • Fast and stateful failover of FortiGate without external automation/services
  • Automatic updates to route targets and IP addresses
  • Native FortiOS session synchronization of firewall, IPsec/SSL VPN, and voice over IP sessions
  • Native FortiOS configuration synchronization
  • Ease of use as the cluster is treated as a single logical FortiGate

You can deploy FortiGate-VM instances on GCP using one of the following methods and configure A-P HA:
