Azure Administration Guide

Doc ID: a1b148db-687a-11ea-9384-00505692583a:522708

Overview

The virtual network

The virtual network (VNet) requires at least one subnet, referred to as Subnet 1. Other subnets are optional.

  • The required subnet is directly associated with FortiGate Autoscale.
  • Two FortiGate VMSS will be deployed into Subnet 1.
  • Subnet 1 will be associated with Port 1 on the FortiGate.
  • One Network Security Group is associated with Subnet 1.

The FortiGate Autoscale deployment template can configure up to 4 subnets per FortiGate in the cluster.

  • Each FortiGate will initially have one Network Interface available per subnet.
  • Additional subnets specified in the template will be associated as Port 2, Port 3, and Port 4 (as required) on the FortiGate. The association of ports depends on the order in which the subnet is specified in the template.
    • In a 3-subnet deployment, Port 2 will point to the subnet with the lower number and Port 3 will point to the subnet with the higher number. Port 4 will not be used.
    • In a 2-subnet deployment, Port 2 will point to the subnet. Ports 3 and 4 will not be used.
    • Example scenarios are described in the table below.

      Scenario               Subnet parameter on the template            FortiGate port associations
      4-subnet deployment    Subnet 2: ✓   Subnet 3: ✓   Subnet 4: ✓     Port 2 points to Subnet 2. Port 3 points to Subnet 3. Port 4 points to Subnet 4.
      3-subnet deployment    Subnet 2: ✓   Subnet 3: ✕   Subnet 4: ✓     Port 2 points to Subnet 2. Port 3 points to Subnet 4.
      2-subnet deployment    Subnet 2: ✕   Subnet 3: ✕   Subnet 4: ✓     Port 2 points to Subnet 4.

  • FortiGate Autoscale will only be configured for the subnets specified in the virtual network.
    • Users can modify the virtual network after the initial deployment. In this case, additional manual configuration will be required.

  • In a multiple subnet deployment scenario, it is recommended that users use one Network Security Group for Subnet 1, and another Network Security Group for the other subnets.

The Autoscale resource group must be created in the same region as the VNet resource group specified in the parameter VNet Resource Group Name.

Subnet 1 Network Security Group Rule Priority

This parameter refers to the highlighted area of the following image:

When using an existing VNet that already has a network security group associated with Subnet 1 (the subnet into which the Autoscale VMSS will be deployed), that network security group may already contain rules. Because the template deployment adds new rules to this network security group, specifying the Subnet 1 Network Security Group Rule Priority parameter lets users choose a priority range that does not collide with the existing rules. For details on setting the rule priority, refer to the Microsoft article Network security groups > Security rules.

FortiAnalyzer integration

When FortiAnalyzer integration is selected, a new FortiAnalyzer resource will be created in the virtual network to be used by FortiGate Autoscale. As FortiGate Autoscale and the FortiAnalyzer are configured to work with each other, this FortiAnalyzer is not intended to be replaced.

FortiAnalyzer requires a public IP address resource to work with and the deployment defaults to creating a new resource.

Using an existing public IP address

By default, the deployment template will create a new public IP address for the FortiAnalyzer (if deploying with FortiAnalyzer integration) and the front-end load balancer. Specifying the ID of a public IP resource will associate the existing resource for use in the FortiGate Autoscale deployment.

To use an existing public IP address:
  1. Ensure the public IP address is available for use.
  2. Look up the Resource ID of the existing public IP resource. This is found in the Properties of the Azure resource.
  3. Specify the full Resource ID in the relevant parameter:
Note

Confirm the public IP resource quota before starting a deployment to ensure resource allocation is successful. Not enough IP address resources will result in deployment failures.

Information

The SKU of the public IP address for the FortiAnalyzer isn’t restricted. In comparison, the IP address for the external Load Balancer must be of the 'standard' SKU in order to match the VMSS.
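A pre-deployment check for the two inputs discussed above, the Subnet 1 Network Security Group Rule Priority and an existing public IP resource ID, as an added example (this is not Fortinet's template code). It works on the JSON shapes returned by `az network nsg show` and `az network public-ip show` (the fields securityRules[].priority, securityRules[].direction, sku.name and ipConfiguration); the two sample documents below are constructed for the example. The page does not state how many rules the template adds to the NSG, so that number is passed in as a parameter (an assumption the caller must fill in).

```python
"""Pre-deployment checks for the Subnet 1 NSG rule priority and an existing
public IP resource. Added example, not Fortinet's template code."""
import json

# Azure allows custom NSG rule priorities from 100 to 4096.
PRIORITY_MIN, PRIORITY_MAX = 100, 4096

# Constructed sample in the shape of `az network nsg show` output: an NSG
# already attached to Subnet 1 with some customer rules in it.
EXISTING_NSG = json.loads("""{
  "name": "subnet1-nsg",
  "securityRules": [
    {"name": "allow-mgmt",  "direction": "Inbound",  "priority": 100},
    {"name": "allow-https", "direction": "Inbound",  "priority": 110},
    {"name": "deny-rdp",    "direction": "Inbound",  "priority": 200},
    {"name": "allow-all",   "direction": "Outbound", "priority": 100}
  ]
}""")

# Constructed samples in the shape of `az network public-ip show` output.
PIP_FREE_STANDARD = json.loads("""{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/publicIPAddresses/pip-frontend",
  "sku": {"name": "Standard"},
  "publicIPAllocationMethod": "Static",
  "ipConfiguration": null
}""")
PIP_BASIC_IN_USE = json.loads("""{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/publicIPAddresses/pip-legacy",
  "sku": {"name": "Basic"},
  "publicIPAllocationMethod": "Dynamic",
  "ipConfiguration": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/networkInterfaces/nic0/ipConfigurations/ipconfig1"}
}""")


def used_priorities(nsg, direction="Inbound"):
    """Priorities already taken in one direction (Inbound and Outbound are separate spaces)."""
    return {r["priority"] for r in nsg["securityRules"] if r["direction"] == direction}


def check_rule_priority(nsg, requested, rules_added, direction="Inbound"):
    """Does a block of `rules_added` consecutive priorities starting at `requested`
    collide with existing rules? The page does not state how many rules the
    template adds, so the caller supplies that number (assumption)."""
    if not PRIORITY_MIN <= requested <= PRIORITY_MAX:
        return {"ok": False, "conflicts": [], "suggested": None,
                "error": f"priority must be between {PRIORITY_MIN} and {PRIORITY_MAX}"}
    used = used_priorities(nsg, direction)
    wanted = range(requested, requested + rules_added)
    conflicts = sorted(p for p in wanted if p in used)
    # Suggest the lowest start >= requested whose whole block is free.
    suggested = None
    for start in range(requested, PRIORITY_MAX - rules_added + 2):
        if not any(p in used for p in range(start, start + rules_added)):
            suggested = start
            break
    return {"ok": not conflicts, "conflicts": conflicts, "suggested": suggested, "error": None}


def check_public_ip(pip, for_load_balancer):
    """Problems that make an existing public IP unusable by the template: it is
    already attached to an IP configuration, or (for the external load balancer
    front end) it is not Standard SKU. The FortiAnalyzer IP has no SKU constraint."""
    problems = []
    if pip.get("ipConfiguration") is not None:
        problems.append("already associated with " + pip["ipConfiguration"]["id"])
    sku = pip.get("sku", {}).get("name")
    if for_load_balancer and sku != "Standard":
        problems.append(f"load balancer front-end IP must be Standard SKU, found {sku}")
    return problems


if __name__ == "__main__":
    print(check_rule_priority(EXISTING_NSG, requested=100, rules_added=3))
    print(check_rule_priority(EXISTING_NSG, requested=300, rules_added=3))
    print(check_public_ip(PIP_FREE_STANDARD, for_load_balancer=True))
    print(check_public_ip(PIP_BASIC_IN_USE, for_load_balancer=True))
```

For a real run, feed it the output of `az network nsg show -g <rg> -n <nsg> -o json` and `az network public-ip show --ids <resource-id> -o json`. Inbound and Outbound priorities are independent in Azure, so the check is done per direction; the suggested value is the lowest free block at or above the requested priority.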

Election of the primary instance

A core feature of FortiGate Autoscale is the election of the primary instance. FortiGates in the VMSS are constantly monitored and if the conditions of the environment have changed, the election of a new primary instance may be required.

As depicted in the flowchart below, a primary election will happen:

  • when no primary record is found in the database

  • when the FortiGate noted in the primary record is deemed unhealthy

The preferred group primary election strategy is depicted in the flowchart below:

Heartbeat

FortiGate Autoscale monitors the heartbeat sent from each FortiGate. The default heartbeat interval is 30 seconds, as defined by the parameter Heart Beat Interval.

To change the heartbeat interval after deployment:
  1. Locate the Settings item with key: heartbeat-interval. For details, refer to the section Modifying the Autoscale settings in Cosmos DB.
  2. Update the numeric value to the desired duration.
  3. Update the auto-scale hb-interval on the primary FortiGate to match the value specified in Cosmos DB using the following:
    config system auto-scale
    set hb-interval <desired interval>
    end

Late heartbeat

The FortiGate sends heartbeats to the Autoscale handler via HTTPS. As such, network conditions may result in heartbeats arriving later than expected. When this happens, the heartbeat is considered a late heartbeat and the Heart Beat Loss Count will be increased by 1.

Heartbeat loss count

Any late heartbeat will increase the heartbeat loss count by 1. If this count reaches a defined threshold, the FortiGate will be deemed temporarily unhealthy. Any heartbeat arriving at the handler on time will reset the count to 0. The default heartbeat loss count is 10 (a count of late heartbeats, not a duration) and is defined in the parameter Heart Beat Loss Count.

To change the heartbeat loss count after deployment:
  1. Locate the Settings item with key: heartbeat-loss-count. For details, refer to the section Modifying the Autoscale settings in Cosmos DB.
  2. Update the numeric value to the desired count.

Heartbeat delay allowance

FortiGate Autoscale tolerates a certain amount of Internet latency through the parameter Heart Beat Delay Allowance: a heartbeat is only treated as late once it is more than this allowance behind the expected time. The default allowance is 2 seconds.

To change the heartbeat delay allowance after deployment:
  1. Locate the Settings item with key: heartbeat-delay-allowance. For details, refer to the section Modifying the Autoscale settings in Cosmos DB.
  2. Update the numeric value to the desired duration.

Unhealthy state and eligibility for primary role

A FortiGate-VM in an unhealthy state is excluded from participating in the election of the primary instance.

If the current primary FortiGate is deemed unhealthy, it will still work in the primary role until the next Primary Election, after which the primary role will be assigned to another eligible FortiGate and the previous primary FortiGate will change its role to secondary during its next heartbeat.

An unhealthy VM will stay running in the cluster in a secondary role until it recovers from the unhealthy state. This behavior does not cause any scaling activity to happen.

It takes some time, usually within one heartbeat interval, for each FortiGate to be individually notified about the new primary. The change of primary therefore does not happen synchronously on every FortiGate, but eventually all of them will be in sync with the new primary.

Sync recovery count

FortiGate Autoscale helps an unhealthy FortiGate recover by counting the on-time heartbeats it sends. When the counter reaches the sync recovery count, the FortiGate is deemed healthy and is again eligible to be elected the primary instance.

To change the sync recovery count after deployment:
  1. Locate the Settings item with key: sync-recovery. For details, refer to the section Modifying the Autoscale settings in Cosmos DB.
  2. Update the numeric value to the desired count.
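A small model of the heartbeat bookkeeping and primary election described in the sections above (heartbeat interval, late heartbeats, loss count, delay allowance, unhealthy state and sync recovery count), as an added example; this is not Fortinet's Autoscale handler code. It implements only what the page states, with the following assumptions marked in the code: a heartbeat is late when the gap since the previous one exceeds heartbeat-interval plus heartbeat-delay-allowance; the first heartbeat from an instance is on time; a late heartbeat restarts the recovery counter; the sync-recovery default is not stated on the page, so 3 is used; election ties are broken by lowest instance id, since the preferred-group strategy lives in a flowchart not reproduced here; and lateness is assessed only when a heartbeat arrives, so an instance that stops sending entirely is outside the model.

```python
"""Model of the heartbeat bookkeeping and primary election described above.
Added example, not Fortinet's Autoscale handler code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Settings:
    # Cosmos DB setting keys from the page, with the page's defaults where stated.
    heartbeat_interval: int = 30        # heartbeat-interval (seconds)
    heartbeat_loss_count: int = 10      # heartbeat-loss-count (a count, not seconds)
    heartbeat_delay_allowance: int = 2  # heartbeat-delay-allowance (seconds)
    sync_recovery: int = 3              # sync-recovery; default not stated on the page (assumed)


@dataclass
class Instance:
    instance_id: str
    last_seen: Optional[float] = None   # arrival time of the previous heartbeat
    loss_count: int = 0                 # consecutive late heartbeats
    recovery_count: int = 0             # on-time heartbeats while unhealthy
    healthy: bool = True


@dataclass
class Handler:
    settings: Settings = field(default_factory=Settings)
    instances: Dict[str, Instance] = field(default_factory=dict)
    primary_record: Optional[str] = None   # the "primary record" in the database

    def receive_heartbeat(self, instance_id: str, arrival: float) -> dict:
        """Process one heartbeat arriving at time `arrival` (seconds).
        Assumption: a heartbeat is late when the gap since the previous one
        exceeds heartbeat_interval + heartbeat_delay_allowance; the first
        heartbeat from an instance is always on time."""
        s = self.settings
        inst = self.instances.setdefault(instance_id, Instance(instance_id))
        on_time = (inst.last_seen is None
                   or arrival - inst.last_seen <= s.heartbeat_interval + s.heartbeat_delay_allowance)
        inst.last_seen = arrival
        if on_time:
            inst.loss_count = 0                       # on-time heartbeat resets the loss count
            if not inst.healthy:
                inst.recovery_count += 1              # sync recovery counts on-time heartbeats
                if inst.recovery_count >= s.sync_recovery:
                    inst.healthy, inst.recovery_count = True, 0
        else:
            inst.loss_count += 1                      # late heartbeat: loss count + 1
            inst.recovery_count = 0                   # assumption: a late one restarts recovery
            if inst.loss_count >= s.heartbeat_loss_count:
                inst.healthy = False                  # threshold reached: temporarily unhealthy
        self.elect_if_needed()
        return {"on_time": on_time, "healthy": inst.healthy, "loss_count": inst.loss_count,
                "role": "primary" if self.primary_record == instance_id else "secondary"}

    def elect_if_needed(self) -> Optional[str]:
        """Run an election only when there is no primary record or the recorded
        primary is unhealthy. Unhealthy instances are not eligible. Assumptions:
        ties are broken by lowest instance id (the page's preferred-group strategy
        is in a flowchart not reproduced here); if nobody is eligible the existing
        record is kept, since the page says an unhealthy primary keeps working
        until the next election replaces it."""
        current = self.instances.get(self.primary_record) if self.primary_record else None
        if current is not None and current.healthy:
            return self.primary_record
        eligible = sorted(i.instance_id for i in self.instances.values() if i.healthy)
        if eligible:
            self.primary_record = eligible[0]
        return self.primary_record


if __name__ == "__main__":
    # Demonstration with small thresholds so the transitions are visible.
    h = Handler(Settings(heartbeat_loss_count=3, sync_recovery=2))
    print(0, h.receive_heartbeat("fgt-a", 0))   # no primary record: fgt-a is elected
    print(1, h.receive_heartbeat("fgt-b", 1))
    t = 0
    for gap in (30, 32, 33, 33, 33, 30, 30):     # 33 s gaps exceed 30 + 2 and count as late
        t += gap
        print(t, h.receive_heartbeat("fgt-a", t))
    print("primary record:", h.primary_record)
```

With the defaults from the page (interval 30 s, allowance 2 s, loss count 10) an instance needs ten consecutive late heartbeats before it is marked unhealthy and dropped from election eligibility; the demonstration lowers the thresholds so that the unhealthy transition, the failover of the primary record to the other instance, and the recovery after the configured number of on-time heartbeats all happen within a few lines of output.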

Selecting the instance type

The size of the FortiGate and the size of the FortiAnalyzer (optional) are specified in the Instance Type and FortiAnalyzer Instance Type parameters. The string value entered in these parameters is created from the words of the size.

To select the instance type for FortiGate:
  1. Go to Fortinet FortiGate Next-Generation Firewall in Azure Marketplace.

  2. Click Get It Now.
  3. Click Continue.
  4. Click Create using Plan: Single VM.
  5. Click Instance Type as illustrated.
  6. Click Change size to view the full list of available Instance types.
  7. Review the information and capacity of the VM sizes and select the best one for your deployment.
    Note: For BYOL VM sizes, users should also match the vCPU capacity of the selected Instance Type with the limit of the FortiGate license. Each license has a limit for the maximum number of vCPUs per VM.

    In the example below, F16s_v2 is chosen.
  8. Click Select.
To select the instance type for FortiAnalyzer:
  1. Go to FortiAnalyzer Centralized Log Analytics in Azure Marketplace.
  2. Click Get It Now.
  3. Click Continue.
  4. Click Create.
  5. Click Network and Instance Settings as illustrated.

  6. Click Change size to view the full list of available instance types.
  7. Review the information and capacity of the VM sizes and select the best one for your deployment.
    Note: For BYOL VM sizes, users should also match the vCPU capacity of the selected Instance Type with their license. The license has a limit for the maximum number of vCPUs per VM.
  8. Click Select.
To create the instance type string:

During the template deployment the FortiGate instance type is entered in the parameter Instance Type and the FortiAnalyzer instance type is entered in the parameter FortiAnalyzer Instance Type. The value of each instance type is constructed by joining the words of the Size (Virtual machine size) with an underscore ( _ ). In the screenshot below, these words are highlighted. The constructed string for Standard F16s v2 is Standard_F16s_v2.
