Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs
This guide provides a sample configuration of active-passive FortiGate-VM HA on AliCloud within one availability zone.
The following depicts the network topology for this sample deployment:
The following lists the IP address assignments for this sample deployment for FortiGate-A:

| Port | AliCloud primary address | Subnet | EIP |
|---|---|---|---|
| port1 | 10.0.1.11 | 10.0.1.0/24 | EIP3 |
| port2 | 10.0.2.11 | 10.0.2.0/24 | |
| port3 | 10.0.3.11 | 10.0.3.0/24 | |
| port4 | 10.0.4.11 | 10.0.4.0/24 | EIP1 |
The following lists the IP address assignments for this sample deployment for FortiGate-B (EIP2 is bound to its port4 management interface, as described in the deployment steps below):

| Port | AliCloud primary address | Subnet | EIP |
|---|---|---|---|
| port1 | 10.0.1.12 | 10.0.1.0/24 | |
| port2 | 10.0.2.12 | 10.0.2.0/24 | |
| port3 | 10.0.3.12 | 10.0.3.0/24 | |
| port4 | 10.0.4.12 | 10.0.4.0/24 | EIP2 |
To check the prerequisites:
The following prerequisites must be met for this deployment:
- One VPC with one subnet each for management, external, internal, and heartbeat purposes
- Three public IP addresses:
  - EIP1 and EIP2 for FortiGate-A and FortiGate-B management
  - EIP3 for the HA external traffic IP address
- Two FortiGate-VM instances, both PAYG or BYOL
- The following are the minimum RAM (Resource Access Management) roles sufficient for this deployment:
  - AliyunECSFullAccess
  - AliyunEIPFullAccess
  - AliyunVPCFullAccess
Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for details.
To configure FortiGate-VM HA in AliCloud:
- In the AliCloud management console, create a VPC with four VSwitches:

  | VSwitch | Purpose |
  |---|---|
  | net1-external | External data traffic on the public network-facing side. |
  | net2-internal | External data traffic on the private network-facing side. |
  | net3-heartbeat | Heartbeat between the two FortiGate nodes. This is unicast communication. |
  | net4-mgmt | Dedicated management interface. |
- Add six ENIs.
- Create two routing tables:
  - Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set FortiGate-A's NIC2 (port2) address, 10.0.2.11, as the next hop of rtb-internal's default route. You can create this routing table after configuring NIC2 on FortiGate-A; ensure that the default route points at FortiGate-A's port2 ENI.
  - Create a routing table called "rtb-external" for the remaining VSwitches. Set this VPC's Internet gateway as its default gateway, and ensure that this routing table can reach the Internet.
To deploy the FortiGate-VMs in AliCloud:
To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.
Ensure the following:
- You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
- You attached four NICs to each FortiGate-VM and assigned each one its static private IP address.
- EIP1 was bound to the FortiGate-A port4 management interface.
- EIP3 was bound to the FortiGate-A port1 external interface.
- EIP2 was bound to the FortiGate-B port4 management interface.
Instead of an EIP, you can attach a public IP address to the primary FortiGate-VM's external interface by creating an HAVIP address in the VPC and binding that HAVIP address to both FortiGates' external interfaces. Depending on the network environment, this approach may shorten the failover time.
To configure FortiGate-A using the CLI:
The next steps show how to configure A-P HA settings using CLI commands, either in the CLI console of the GUI or over SSH. If you use SSH, the FortiGate may lose the connection when the routing tables change, so configuring HA via the GUI is recommended.
```
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
```

```
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
```

```
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

```
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
```
To configure FortiGate-B using the CLI:
The next steps show how to configure A-P HA settings using CLI commands, either in the CLI console of the GUI or over SSH. If you use SSH, the FortiGate may lose the connection when the routing tables change, so configuring HA via the GUI is recommended.
```
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
```

```
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
```

```
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

```
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.11
end
```
You must set FortiGate-B's HA priority to a value lower than FortiGate-A's. The node with the lower priority becomes the secondary node.
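The two CLI sections above have to agree with each other in several places (same group-name, mode and heartbeat interface, a lower priority on FortiGate-B, and each node's unicast-hb-peerip pointing at the other node's port3 address), and a mismatch only shows up later as a cluster that never synchronizes. The following added example, which is not Fortinet code and not part of this guide's procedure, parses the FortiOS `config`/`edit`/`set`/`next`/`end` syntax shown above into nested dictionaries and cross-checks a pair of configs against those rules. The configs embedded in it are constructed copies of the relevant parts of the FortiGate-A and FortiGate-B blocks; FGT_B_BAD is a constructed misconfiguration used to show what a finding looks like.

```python
"""Added example (not Fortinet code): parse FortiOS CLI text and cross-check
an A-P HA pair against the pairing rules stated in this guide."""
import ipaddress
import shlex

# Constructed input: the heartbeat/management interfaces and the HA block
# copied from the FortiGate-A CLI section of this guide.
FGT_A = """
config system interface
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
"""
# FortiGate-B differs only in its own addresses, a lower priority and the
# peer IP, exactly as in the FortiGate-B CLI section of this guide.
FGT_B = (FGT_A.replace("10.0.3.11", "10.0.3.12").replace("10.0.4.11", "10.0.4.12")
         .replace("set priority 128", "set priority 64")
         .replace("unicast-hb-peerip 10.0.3.12", "unicast-hb-peerip 10.0.3.11"))
# Constructed misconfiguration: equal priority, and a peer IP that is B's own port3.
FGT_B_BAD = (FGT_B.replace("set priority 64", "set priority 128")
             .replace("unicast-hb-peerip 10.0.3.11", "unicast-hb-peerip 10.0.3.12"))


def parse_fortios(text):
    """Turn config/edit/set/next/end text into nested dicts.

    'config x y' and 'edit name' open a nested dict keyed by 'x y' / name,
    'set key v1 v2' stores ['v1', 'v2'], and 'next' / 'end' close a level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)  # shlex strips the quotes around "port3" etc.
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword: {cmd}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def check_ha_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    ha_a, ha_b = cfg_a["system ha"], cfg_b["system ha"]
    if ha_a["mode"] != ["a-p"] or ha_b["mode"] != ["a-p"]:
        findings.append("both nodes must use 'set mode a-p'")
    if ha_a["group-name"] != ha_b["group-name"]:
        findings.append("group-name differs between the nodes")
    if ha_a["hbdev"][0] != ha_b["hbdev"][0]:
        findings.append("hbdev (heartbeat interface) differs between the nodes")
    if int(ha_b["priority"][0]) >= int(ha_a["priority"][0]):
        findings.append("FortiGate-B priority must be lower than FortiGate-A's")
    for name, me, peer in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        ha = me["system ha"]
        if ha.get("unicast-hb") != ["enable"]:
            findings.append(f"FortiGate-{name}: unicast-hb must be enabled")
        hb_if = ha["hbdev"][0]
        peer_hb_ip = peer["system interface"][hb_if]["ip"][0]  # the peer's port3 address
        if ha.get("unicast-hb-peerip", [""])[0] != peer_hb_ip:
            findings.append(f"FortiGate-{name}: unicast-hb-peerip must be the peer's {hb_if} address {peer_hb_ip}")
        mgmt = ha["ha-mgmt-interfaces"]["1"]
        ip, mask = me["system interface"][mgmt["interface"][0]]["ip"]
        subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if ipaddress.ip_address(mgmt["gateway"][0]) not in subnet:
            findings.append(f"FortiGate-{name}: HA management gateway is outside {subnet}")
    return findings


if __name__ == "__main__":
    print("good pair:", check_ha_pair(parse_fortios(FGT_A), parse_fortios(FGT_B)) or "OK")
    print("bad pair:", check_ha_pair(parse_fortios(FGT_A), parse_fortios(FGT_B_BAD)))
```

Run it against `show system ha` and `show system interface` output captured from both nodes before enabling HA; the parser accepts the same syntax that `show` prints, so the check can be part of a pre-change review rather than something discovered after the cluster fails to form.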
To check the HA status and function:
- In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.
- Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
- Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node. Use an API call to verify that the secondary private IP address moves to FortiGate-B.
- Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
- You can use the following diagnose commands to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover:
```
FGT-B # diagnose debug application alicloud-ha -1
Debug messages will be on for 30 minutes.
FGT-B # Become HA master mode 2
===== start acs ha failover =====
send_vip_arp: vd root master 1 intf port1 ip 10.0.1.12
send_vip_arp: vd root master 1 intf port2 ip 10.0.2.12
acs meta info [instance id]: i-rj9f5xs9cp9xsweedlcs
acs meta info [ram role]: fhua-ecs-role
acs meta info [region]: us-west-1
acs meta info [vpc id]: vpc-rj9h5m14eo5lu97hjaptw
acs ecs endpoint is resolved at ecs.us-west-1.aliyuncs.com:47.88.73.18
acs vpc endpoint is resolved at vpc.aliyuncs.com:106.11.61.112
acs is parsing page 1 of total 3(1 page) instances
acs is checking tags on instance FGT-A
Tag.FGT_port1: eni-rj9dirnvg0hykoddvv7z
Tag.FGT_port2: eni-rj94jig06fag0v1jneyv
Tag.FGT_port3: eni-rj91wj13vwjs7y1n25ow
Tag.FGT_port4: eni-rj9il1iuoh9t3qd5doe3
acs is checking tags on instance FGT-B
Tag.FGT_port1: eni-rj9f5xs9cp9xswekw6zh
Tag.FGT_port2: eni-rj9j4eztzg3bv65yqd6x
Tag.FGT_port3: eni-rj9ga16wcti7anp0ot7m
Tag.FGT_port4: eni-rj9dirnvg0hykei8bl8o
acs is parsing page 1 of total 13(1 page) EIPs
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1)
eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3)
eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) <--- eip(47.251.3.246)
eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3)
eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147)
acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12)
acs eip(47.251.3.246) status: Unassociating
acs eip(47.251.3.246) status: Unassociating
acs eip(47.251.3.246) status: Available
acs unassociated eip(47.251.3.246) from instance FGT-A successfully
acs eip(47.251.3.246) status: Associating
acs eip(47.251.3.246) status: Associating
acs eip(47.251.3.246) status: InUse
acs associated eip(47.251.3.246) to instance FGT-B successfully
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) <--- eip(47.251.3.246)
eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3)
eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1)
eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3)
eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147)
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv)
acs is deleting route table entry: 0.0.0.0/0 via 10.0.2.11
acs route table entry deleting
acs route table entry deleted
acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully
acs is creating route table entry: 0.0.0.0/0 via 10.0.2.12
acs route table entry created
acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x)
===== exit acs ha failover =====
```
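The transcript above is long, and during a real failover the two facts that matter are buried in it: whether the external EIP reached the `InUse` state on the new primary, and whether the rtb-internal default route (`0.0.0.0/0`) was rewritten to the new primary's port2 address. The following added example, which is not Fortinet code and not part of this guide, reduces a captured `diagnose debug application alicloud-ha -1` transcript to those end states and reports what is missing, so a truncated or failed run (for example, a RAM role lacking the EIP or VPC permissions listed in the prerequisites) is flagged instead of being read as success. The embedded log is a constructed, abridged copy of the transcript above; the message formats it matches are the ones visible there.

```python
"""Added example (not Fortinet code): parse the alicloud-ha debug transcript
shown in this guide and confirm the failover completed on the AliCloud side."""
import re

# Constructed sample: an abridged copy of the failover transcript in this guide.
SAMPLE_LOG = """\
FGT-B # Become HA master mode 2
===== start acs ha failover =====
send_vip_arp: vd root master 1 intf port1 ip 10.0.1.12
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12)
acs eip(47.251.3.246) status: Unassociating
acs eip(47.251.3.246) status: Available
acs unassociated eip(47.251.3.246) from instance FGT-A successfully
acs eip(47.251.3.246) status: Associating
acs eip(47.251.3.246) status: InUse
acs associated eip(47.251.3.246) to instance FGT-B successfully
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv)
acs is deleting route table entry: 0.0.0.0/0 via 10.0.2.11
acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully
acs is creating route table entry: 0.0.0.0/0 via 10.0.2.12
acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x)
===== exit acs ha failover =====
"""

# Message formats taken from the transcript above.
LOCAL = re.compile(r"acs local instance: ([^(]+)\(")
EIP_MOVE = re.compile(r"acs is moving eip\(([\d.]+)\) from eni\d+\(([\d.]+)\) to eni\d+\(([\d.]+)\)")
EIP_STATUS = re.compile(r"acs eip\(([\d.]+)\) status: (\w+)")
EIP_ASSOC = re.compile(r"acs associated eip\(([\d.]+)\) to instance (\S+) successfully")
ROUTE_TABLE = re.compile(r"acs route table: (\S+)")
ROUTE_RULE = re.compile(r"rule: cidr: (\S+), nexthop: ([\d.]+)\(")
EXIT_MARK = "===== exit acs ha failover ====="


def _eip(state, ip):
    return state["eips"].setdefault(ip, {"from": None, "to": None, "status": None, "instance": None})


def parse_failover_log(text):
    """Reduce the transcript to its end state: local node, per-EIP move and
    status, and the sequence of next hops seen for each (route table, cidr)."""
    state = {"local": None, "eips": {}, "routes": {}, "completed": False}
    table = None
    for line in (l.strip() for l in text.splitlines()):
        if m := LOCAL.match(line):
            state["local"] = m.group(1)
        elif m := EIP_MOVE.match(line):
            e = _eip(state, m.group(1))
            e["from"], e["to"] = m.group(2), m.group(3)
        elif m := EIP_STATUS.match(line):
            _eip(state, m.group(1))["status"] = m.group(2)  # last status wins
        elif m := EIP_ASSOC.match(line):
            _eip(state, m.group(1))["instance"] = m.group(2)
        elif m := ROUTE_TABLE.match(line):
            table = m.group(1)  # following 'rule:' lines belong to this table
        elif m := ROUTE_RULE.match(line):
            state["routes"].setdefault((table, m.group(1)), []).append(m.group(2))
        elif line == EXIT_MARK:
            state["completed"] = True
    return state


def verify_failover(state, new_external_ip, new_internal_ip):
    """Return a list of problems; empty means the EIP and the default route
    now point at the new primary (its port1 and port2 private addresses)."""
    problems = []
    if not state["completed"]:
        problems.append("no exit marker: failover did not finish (or the capture was cut off)")
    if not state["eips"]:
        problems.append("no EIP move logged")
    for eip, info in state["eips"].items():
        if info["to"] != new_external_ip:
            problems.append(f"EIP {eip} moved to {info['to']}, expected {new_external_ip}")
        if info["status"] != "InUse" or info["instance"] != state["local"]:
            problems.append(f"EIP {eip} not confirmed InUse on {state['local']}")
    defaults = {t: hops for (t, cidr), hops in state["routes"].items() if cidr == "0.0.0.0/0"}
    if not defaults:
        problems.append("no default route entry logged")
    for table, hops in defaults.items():
        if hops[-1] != new_internal_ip:
            problems.append(f"{table}: 0.0.0.0/0 next hop is {hops[-1]}, expected {new_internal_ip}")
    return problems


if __name__ == "__main__":
    print(verify_failover(parse_failover_log(SAMPLE_LOG), "10.0.1.12", "10.0.2.12") or "failover OK")
```

When FortiGate-B takes over, the expected arguments are its port1 and port2 addresses (10.0.1.12 and 10.0.2.12); when FortiGate-A is restored and takes the primary role back, pass 10.0.1.11 and 10.0.2.11 instead. The route history kept per (table, cidr) also lets you confirm that the next hop actually changed rather than merely being re-created with the old value.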