Fortinet Document Library

Version:

Version:


Table of Contents

Azure Administration Guide

Download PDF
Copy Link

Verifying the deployment

FortiGate Autoscale for Azure deploys the following components:

  • 1 Public Load balancer
    • This load balancer will be associated with the FortiGate subnet and the Frontend Public IP address to receive inbound traffic.
  • 1 Internal Load balancer
  • 1 Network security group
  • 1 Virtual machine scale set for BYOL
  • 1 Virtual machine scale set for PAYG
  • 1 Virtual network (only if deployed with creating a new virtual network)
  • 1 Public IP address
  • 1 Azure Cosmos DB account
  • 1 Function App
  • 1 Application Insights (automatically enabled if your region supports it)
  • 1 App Service plan
  • 1 Key vault
  • 1 Storage account

If deploying with FortiAnalyzer integration, the following are also deployed:

  • 1 Virtual machine for FortiAnalyzer
  • 1 virtual machine for the FortiAnalyzer
  • 1 network interface for the FortiAnalyzer
  • 1 Public IP address for the FortiAnalyzer (only if FortiAnalyzer Public IP Address ID is left empty)
  • 2 Disk components for use by FortiAnalyzer

For deployments that have two resource groups, the network related components are deployed to the VNet resource group and the DB, Storage account, and Function App related components are deployed to the Autoscale resource group.

FortiGate Autoscale for Azure is fully deployed once you verify the following components:

To load a resource group:
  1. In the Azure console, from the left navigation column, select Resource groups.
  2. Locate the resource group you wish to load by scrolling through the list or by using one or more of the name, subscription, and location filters. In the example below, this is fgtasg-rg.

    Locate resource group

  3. Click the name to load the resource group Overview page. In the example deployment, the VNet resource group is the same as the Autoscale resource group.

    Resource group overview page

To verify the Function App:
  1. From the Autoscale resource group Overview page, load the Function App by clicking the name of the item of type Function App.
  2. From the navigation column, select Functions.
    Function App overview page

You should see four functions on the right:

  • byol-license: The function to distribute BYOL licenses.
  • faz-auth-handler: The function to handle authorization of FortiGate in the FortiAnalyzer.
  • faz-auth-scheduler: The function to handle authorization of FortiGate in the FortiAnalyzer on a timely basis.
  • fgt-as-handler: The main autoscaling function.
To verify the database:
  1. From the Autoscale resource group Overview page, click the Azure Cosmos DB account name.
  2. From the navigation column, click Data Explorer.
  3. Expand the database FortiGateAutoscale.

You will see the following database and tables:

  • Database: FortiGateAutoscale
  • Tables:
    • ApiRequestCache
    • Autoscale
    • CustomLog
    • FortiAnalyzer
    • LicenseStock
    • LicenseUsage
    • PrimaryElection
    • Settings

The database Data Explorer page will look as shown below:

Database tables

To verify the primary election:

The elected primary FortiGate-VM will be logged in the CosmosDB FortiGateAutoscale in the table FortiGatePrimaryElection.

  1. Expand the FortiGatePrimaryElection table and click on Items.
  2. There will be one item in the table, select it.

Items page with the primary record

  • id is the unique identifier of a database record.
  • scalingGroupName is the name of the Scale Set in which the primary FortiGate-VM is located.
  • ip is the primary private IP address of the current primary FortiGate-VM.
  • vmId is the index of the FortiGate-VM in the Scale Set.
  • virtualNetworkID is the ID of the Virtual Network in which the primary FortiGate-VM instance is located.
  • subnetId is the ID of the subnet in which the primary FortiGate-VM is located.
  • voteEndTime is the Unix time stamp for when this primary election should expire if the vote state cannot change to done by this time.
  • voteState is the state of the voting process.
    • pending: election of the primary instance is still in progress. You should wait for its completion. At this point in time, the final primary instance is not yet known.
    • done: the primary election process has completed.

Verifying the deployment

FortiGate Autoscale for Azure deploys the following components:

  • 1 Public Load balancer
    • This load balancer will be associated with the FortiGate subnet and the Frontend Public IP address to receive inbound traffic.
  • 1 Internal Load balancer
  • 1 Network security group
  • 1 Virtual machine scale set for BYOL
  • 1 Virtual machine scale set for PAYG
  • 1 Virtual network (only if deployed with creating a new virtual network)
  • 1 Public IP address
  • 1 Azure Cosmos DB account
  • 1 Function App
  • 1 Application Insights (automatically enabled if your region supports it)
  • 1 App Service plan
  • 1 Key vault
  • 1 Storage account

If deploying with FortiAnalyzer integration, the following are also deployed:

  • 1 Virtual machine for FortiAnalyzer
  • 1 virtual machine for the FortiAnalyzer
  • 1 network interface for the FortiAnalyzer
  • 1 Public IP address for the FortiAnalyzer (only if FortiAnalyzer Public IP Address ID is left empty)
  • 2 Disk components for use by FortiAnalyzer

For deployments that have two resource groups, the network related components are deployed to the VNet resource group and the DB, Storage account, and Function App related components are deployed to the Autoscale resource group.

FortiGate Autoscale for Azure is fully deployed once you verify the following components:

To load a resource group:
  1. In the Azure console, from the left navigation column, select Resource groups.
  2. Locate the resource group you wish to load by scrolling through the list or by using one or more of the name, subscription, and location filters. In the example below, this is fgtasg-rg.

    Locate resource group

  3. Click the name to load the resource group Overview page. In the example deployment, the VNet resource group is the same as the Autoscale resource group.

    Resource group overview page

To verify the Function App:
  1. From the Autoscale resource group Overview page, load the Function App by clicking the name of the item of type Function App.
  2. From the navigation column, select Functions.
    Function App overview page

You should see four functions on the right:

  • byol-license: The function to distribute BYOL licenses.
  • faz-auth-handler: The function to handle authorization of FortiGate in the FortiAnalyzer.
  • faz-auth-scheduler: The function to handle authorization of FortiGate in the FortiAnalyzer on a timely basis.
  • fgt-as-handler: The main autoscaling function.
To verify the database:
  1. From the Autoscale resource group Overview page, click the Azure Cosmos DB account name.
  2. From the navigation column, click Data Explorer.
  3. Expand the database FortiGateAutoscale.

You will see the following database and tables:

  • Database: FortiGateAutoscale
  • Tables:
    • ApiRequestCache
    • Autoscale
    • CustomLog
    • FortiAnalyzer
    • LicenseStock
    • LicenseUsage
    • PrimaryElection
    • Settings

The database Data Explorer page will look as shown below:

Database tables

To verify the primary election:

The elected primary FortiGate-VM will be logged in the CosmosDB FortiGateAutoscale in the table FortiGatePrimaryElection.

  1. Expand the FortiGatePrimaryElection table and click on Items.
  2. There will be one item in the table, select it.

Items page with the primary record

  • id is the unique identifier of a database record.
  • scalingGroupName is the name of the Scale Set in which the primary FortiGate-VM is located.
  • ip is the primary private IP address of the current primary FortiGate-VM.
  • vmId is the index of the FortiGate-VM in the Scale Set.
  • virtualNetworkID is the ID of the Virtual Network in which the primary FortiGate-VM instance is located.
  • subnetId is the ID of the subnet in which the primary FortiGate-VM is located.
  • voteEndTime is the Unix time stamp for when this primary election should expire if the vote state cannot change to done by this time.
  • voteState is the state of the voting process.
    • pending: election of the primary instance is still in progress. You should wait for its completion. At this point in time, the final primary instance is not yet known.
    • done: the primary election process has completed.