Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • GCP Administration Guide

    Home FortiGate Public Cloud 7.4.0 GCP Administration Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Deploying the primary FortiGate

    Deploying the primary FortiGate

    Create the primary FortiGate A in zone1. The following command uses previously declared variables. See the prerequisites section for Configuring GCP SDN connector using metadata IAM.

    To deploy the primary FortiGate-VM instance:
    1. Edit and run the following commands in GCP:

      gcloud compute instances create fortigate-a \

      --project=$project \

      --zone=$zone1 \

      --machine-type=e2-custom-4-8192 \

      --network-interface=address=$reservedhaip,network-tier=PREMIUM,private-network-ip=10.0.1.10,subnet=unprotected-public-subnet \

      --network-interface=private-network-ip=10.0.2.10,subnet=protected-private-subnet,no-address \

      --network-interface=private-network-ip=10.0.3.10,subnet=ha-sync-subnet,no-address \

      --network-interface=address=$reservedfgtahamgmtip,network-tier=PREMIUM,private-network-ip=10.0.4.10,subnet=ha-mgmt-subnet \

      --can-ip-forward \

      --service-account=$serviceaccount \

      --scopes=https://www.googleapis.com/auth/cloud-platform \

      --create-disk=auto-delete=yes,boot=yes,device-name=fortigate-a,image=projects/fortigcp-project-001/global/images/fortinet-fgt-723-20221110-001-w-license,mode=rw,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced \

      --create-disk=auto-delete=yes,device-name=fgt-a-log,mode=rw,name=fgt-primary-log,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced

    2. Gain access to the FortiGate-VM and license the VM.
    3. Edit and run the following commands on FortiGate A:

      config system global

      set hostname fortigate-a

      end

      config system ha

      set group-id 21

      set group-name <Name of Cluster>

      set mode a-p

      set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway <Gateway Address of the MGMT subnet>

      next

      end

      set override enable

      set priority 200

      set unicast-hb enable

      set unicast-hb-peerip <HA Sync network Address of the First Fortigate>

      set unicast-hb-netmask <subnet mask of the hasync network>

      end

      config system sdn-connector

      edit "gcp_ha"

      set type gcp

      set ha-status enable

      config external-ip

      edit "reserved-fgt-port1public"

      next

      end

      config route

      edit " protected-private-rt"

      next

      end

      set use-metadata-iam enable

      next

      end

    4. Configure a virtual domain (VDOM) exception. You must configure a VDOM exception to prevent interface synchronization between the two FortiGates:

      config system vdom-exception

      edit 1

      set object system.interface

      next

      edit 2

      set object router.static

      next

      edit 3

      set object firewall.vip

      next

      end

    Previous
    Next

    Deploying the primary FortiGate

    Deploying the primary FortiGate

    Create the primary FortiGate A in zone1. The following command uses previously declared variables. See the prerequisites section for Configuring GCP SDN connector using metadata IAM.

    To deploy the primary FortiGate-VM instance:
    1. Edit and run the following commands in GCP:

      gcloud compute instances create fortigate-a \

      --project=$project \

      --zone=$zone1 \

      --machine-type=e2-custom-4-8192 \

      --network-interface=address=$reservedhaip,network-tier=PREMIUM,private-network-ip=10.0.1.10,subnet=unprotected-public-subnet \

      --network-interface=private-network-ip=10.0.2.10,subnet=protected-private-subnet,no-address \

      --network-interface=private-network-ip=10.0.3.10,subnet=ha-sync-subnet,no-address \

      --network-interface=address=$reservedfgtahamgmtip,network-tier=PREMIUM,private-network-ip=10.0.4.10,subnet=ha-mgmt-subnet \

      --can-ip-forward \

      --service-account=$serviceaccount \

      --scopes=https://www.googleapis.com/auth/cloud-platform \

      --create-disk=auto-delete=yes,boot=yes,device-name=fortigate-a,image=projects/fortigcp-project-001/global/images/fortinet-fgt-723-20221110-001-w-license,mode=rw,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced \

      --create-disk=auto-delete=yes,device-name=fgt-a-log,mode=rw,name=fgt-primary-log,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced

    2. Gain access to the FortiGate-VM and license the VM.
    3. Edit and run the following commands on FortiGate A:

      config system global

      set hostname fortigate-a

      end

      config system ha

      set group-id 21

      set group-name <Name of Cluster>

      set mode a-p

      set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway <Gateway Address of the MGMT subnet>

      next

      end

      set override enable

      set priority 200

      set unicast-hb enable

      set unicast-hb-peerip <HA Sync network Address of the First Fortigate>

      set unicast-hb-netmask <subnet mask of the hasync network>

      end

      config system sdn-connector

      edit "gcp_ha"

      set type gcp

      set ha-status enable

      config external-ip

      edit "reserved-fgt-port1public"

      next

      end

      config route

      edit " protected-private-rt"

      next

      end

      set use-metadata-iam enable

      next

      end

    4. Configure a virtual domain (VDOM) exception. You must configure a VDOM exception to prevent interface synchronization between the two FortiGates:

      config system vdom-exception

      edit 1

      set object system.interface

      next

      edit 2

      set object router.static

      next

      edit 3

      set object firewall.vip

      next

      end

    Previous
    Next