When deploying FortiGate-VM active-passive HA on OCI between multiple ADs, the following differs from when deploying within one AD:
- You do not need to allocate a secondary private IP address for the OCI NIC because a private IP address cannot be moved across ADs.
- During failover, the public IP address detaches from the old primary FortiGate NIC and attaches to the new primary FortiGate NIC.
- Route next hop updates to point to the new primary FortiGate NIC's primary private IP address.
- System interfaces, static route configurations, and sessions do not sync between FortiGates when deployed between multiple ADs. They do sync when deploying within one AD.
This guide refers to the primary FortiGate in AD 1 as "FGT-A-AD1" and the secondary FortiGate, located in AD2, as "FGT-B-AD2".
IPsec VPN phase 1 configuration does not synchronize between primary and secondary FortiGates across ADs. Phase 2 configuration does synchronize.