Reviewing the network topology
A recommended installation requires four network interfaces per FortiGate-VM node. In addition to inbound and outbound data interfaces, two interfaces are used for internal operations: management and heartbeat. Ensure you choose OCI VM instance sizes that can equip four network interfaces.
The table describes the usage of each port. Ports 1 and 2 are on public (or untrusted) subnets, and public IP addresses are allocated to them.
| Port | Description |
|---|---|
| Port 1 | Dedicated management interface. In case of heartbeat failure, the passive firewall needs a dedicated port through which to communicate with OCI to issue failover-related commands. This port is always available, regardless of node status (active/passive), except when a node is down. DNS must work with port 1 to resolve OCI's API endpoint URLs at the time of HA failover. |
| Port 2 | External data interface on the public network-facing side. A public IP address for the protected server is associated with the active node's private IP address. FortiGate performs NAT for inbound traffic and outbound traffic. |
| Port 3 | Internal data traffic interface on the protected/trusted network-facing side. |
| Port 4 | Heartbeat between two FortiGate nodes. This is unicast communication. This heartbeat interface has its dedicated "hbdev" VDOM and cannot be used for any other purpose. |
You must configure port 1 as the management interface. The other ports are interchangeable. The best practice is to locate each port in a different subnet.
You must configure primary private IP addresses, even where not mentioned in the diagram. Although not required for HA purposes, you must do this to comply with general networking requirements.
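The port roles above map onto the FortiGate HA settings as shown below; this is an added example written for this page, not configuration from the original document. The group name, password, priority, private IP addresses and management gateway are constructed placeholders, and the OCI SDN connector that port 1 uses for failover API calls is configured separately.

```fortios
# Added example (not from the original page): FortiOS CLI on the node that
# should start as active. All addresses are constructed placeholders.
config system ha
    set group-name "oci-ha"                 # identical on both nodes
    set mode a-p                            # active-passive pair
    set password "<constructed-secret>"     # identical on both nodes
    set hbdev "port4" 50                    # port 4 carries the heartbeat only
    set unicast-hb enable                   # OCI heartbeat is unicast
    set unicast-hb-peerip 10.0.4.20         # peer node's port4 private IP (constructed)
    set unicast-hb-netmask 255.255.255.0
    set session-pickup enable               # keep sessions across a failover
    set override disable
    set priority 200                        # use a lower value (e.g. 100) on the peer
    set ha-mgmt-status enable               # keep port 1 reachable on the passive node
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"           # dedicated management interface
            set gateway 10.0.1.1            # management subnet gateway (constructed)
        next
    end
end
```

On the peer node, swap `unicast-hb-peerip` to this node's port4 address and set a lower `priority`; everything else stays identical so the two nodes form one HA group.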