Fortinet Document Library

AliCloud Administration Guide

6.4.0

Configuring the HAVIP on the AliCloud web console

  1. Create a new HAVIP address. Select the VPC and FortiGate-VM port1 VSwitch, and set the HAVIP address.

  2. Set the HA configuration on the FortiGate via the VNC console on the AliCloud Web GUI, or via SSH.
    1. Set the configuration on the primary FortiGate as follows. In this example, 192.168.3.253 is the gateway on the VSwitch, while 192.168.1.250 is the secondary FortiGate's port2 IP address. Note that the FortiGate with the higher priority value will be the primary FortiGate.

      config system ha
          set group-name "ha"
          set mode a-p
          set hbdev "port2" 0
          set session-pickup enable
          set ha-mgmt-status enable
          config ha-mgmt-interface
              edit 1
                  set interface "port3"
                  set gateway 192.168.3.253
              next
          end
          set priority 200
          set monitor "port1"
          set unicast-hb enable
          set unicast-hb-peerip 192.168.1.250
      end

    2. Set the configuration on the secondary FortiGate as follows. Here, 192.168.1.249 is the primary FortiGate's port2 IP address.

      config system ha
          set group-name "ha"
          set mode a-p
          set hbdev "port2" 0
          set session-pickup enable
          set ha-mgmt-status enable
          config ha-mgmt-interface
              edit 1
                  set interface "port3"
                  set gateway 192.168.3.253
              next
          end
          set priority 100
          set monitor "port1"
          set unicast-hb enable
          set unicast-hb-peerip 192.168.1.249
      end

  3. Reboot the two FortiGates.
  4. Check the HA status by running diagnose sys ha status in the CLI. It should show the following:

  5. Set the HAVIP address to the port1 secondary IP address on the two FortiGates. On both FortiGates, configure the following. The secondary IP address configured below should be the same as the HAVIP address.

    config system interface
        edit "port1"
            set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 192.168.0.252 255.255.255.0
                    set allowaccess ping https ssh
                next
            end
        next
    end

  6. Bind the elastic IP address (EIP) and the two FortiGate ECS instances to the HAVIP.
    1. Create a new EIP.

    2. Bind the EIP to the HAVIP.

    3. Bind the two FortiGates to the HAVIP.

  7. You must add the route entry to the FortiGate to ensure all outgoing traffic from ECS goes through the FortiGate.
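
A consistency check for the settings entered in steps 2 and 5, as an added example that is not part of Fortinet's guide. The function names are hypothetical and the embedded configurations are constructed from the values on this page; flagging `https` and `ssh` on the HAVIP address is this example's own review item, because step 6 binds that address to an EIP.

```python
import re
# Constructed sample input, built from the values shown in the steps above.
HA = '''config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    set priority {prio}
    set monitor "port1"
    set unicast-hb enable
    set unicast-hb-peerip {peer}
end'''
PRIMARY = HA.format(prio=200, peer="192.168.1.250")
SECONDARY = HA.format(prio=100, peer="192.168.1.249")
PORT1_SECONDARY = '''config secondaryip
    edit 1
        set ip 192.168.0.252 255.255.255.0
        set allowaccess ping https ssh
    next
end'''

def parse_settings(text):
    """Flatten 'set <key> <values>' lines into {key: [values]}; nesting is ignored."""
    found = re.findall(r'^\s*set\s+(\S+)\s+(.*\S)', text, re.M)
    return {k: [v.strip('"') for v in vals.split()] for k, vals in found}

def check_ha_pair(primary, secondary, primary_hb_ip, secondary_hb_ip):
    """Findings for an a-p unicast-heartbeat pair; an empty list means consistent."""
    p, s = parse_settings(primary), parse_settings(secondary)
    out = [f"{k} differs between units" for k in
           ("group-name", "mode", "hbdev", "monitor", "unicast-hb") if p.get(k) != s.get(k)]
    if int(p["priority"][0]) <= int(s["priority"][0]):
        out.append("primary priority is not higher than secondary")
    if p.get("unicast-hb-peerip") != [secondary_hb_ip]:
        out.append("primary peer IP is not the secondary's port2 address")
    if s.get("unicast-hb-peerip") != [primary_hb_ip]:
        out.append("secondary peer IP is not the primary's port2 address")
    return out

def check_havip(port1_cfg, havip):
    """Findings for the port1 secondary IP that must mirror the HAVIP."""
    s = parse_settings(port1_cfg)
    out = [] if s.get("ip", [""])[0] == havip else ["secondary IP does not match HAVIP"]
    admin = [a for a in s.get("allowaccess", []) if a in ("https", "http", "ssh", "telnet")]
    if admin:  # this address is bound to an EIP, so review management exposure
        out.append("admin access on HAVIP address: " + ", ".join(admin))
    return out

if __name__ == "__main__":
    print(check_ha_pair(PRIMARY, SECONDARY, "192.168.1.249", "192.168.1.250"),
          check_havip(PORT1_SECONDARY, "192.168.0.252"))
```

An empty list from `check_ha_pair` means the two units agree on the shared settings and each heartbeat peer address points at the other unit.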
