Fortinet white logo
Fortinet white logo

AliCloud Administration Guide

Deploying FortiGate-VM HA on AliCloud between availability zones

Deploying FortiGate-VM HA on AliCloud between availability zones

This guide provides sample manual configuration of active-passive FortiGate-VM HA on AliCloud between availability zones (AZ)s in a single region.

The following depicts the network topology for this sample deployment:

The following lists the IP address assignments for this sample deployment for FortiGate-A:

Port

AliCloud primary address

Subnet

port1

10.0.11.11

10.0.11.0/24 EIP3

port2

10.0.12.11

10.0.12.0/24

port3

10.0.13.11

10.0.13.0/24

port4

10.0.14.11

10.0.14.0/24 EIP1

The following lists the IP address assignments for this sample deployment for FortiGate-B:

Port

AliCloud primary address

Subnet

port1

10.0.21.12

10.0.21.0/24

port2

10.0.22.12

10.0.22.0/24

port3

10.0.23.12

10.0.23.0/24

port4

10.0.24.12

10.0.24.0/24 EIP2

Note

IPsec VPN phase 1 configuration does not synchronize between primary and secondary FortiGates across AZs. Phase 2 configuration does synchronize.

To check the prerequisites:

The following prerequisites must be met for this deployment:

  • One VPC with one subnet each for management, external, internal, and heartbeat purposes for each AZ
  • Three public IP addresses:
    • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
    • EIP3 for the HA external traffic IP address
  • Two FortiGate-VM instances of the same instance type. Select a type that supports at least four network interfaces.
  • The following summarizes minimum sufficient RAM roles for this deployment:
    • AliyunECSFullAccess
    • AliyunEIPFullAccess
    • AliyunVPCFullAccess
    Note

    Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for details.

To configure FortiGate-VM HA in AliCloud:
  1. In the AliCloud management console, create a VPC with eight VSwitches (four for each AZ):

    VSwitch

    Purpose

    net1-external-za

    External data traffic on the public network-facing side.

    net2-internal-za

    Internal data traffic interface on the protected/trusted network-facing side.

    net3-heartbeat-za

    Heartbeat between two FortiGate nodes. Unicast communication.

    net4-mgmt-za

    Dedicated management interface.

    net1-external-zb

    External data traffic on the public network-facing side.

    net2-internal-zb

    Internal data traffic interface on the protected/trusted network-facing side.

    net3-heartbeat-zb

    Heartbeat between two FortiGate nodes. Unicast communication.

    net4-mgmt-zb

    Dedicated management interface.

  2. Add six ENIs: three for each AZ:

  3. Create two routing tables:
    1. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 IP address (10.0.12.11) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.

    2. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VCN's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.

To deploy the FortiGate-VMs in AliCloud:

To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.

Ensure the following:

  • You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
  • You attached four NICs for each FortiGate-VM, and assigned the static private IP address.
  • EIP1 was bound to the FortiGate-A port4 management interface.
  • EIP3 was bound to the FortiGate-A port1 external interface.
  • EIP2 was bound to the FortiGate-B port4 management interface.

To configure FortiGate-A using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.14.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.11.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.253
        next
    end
    set priority 192
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.12
end
To configure FortiGate-B using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.21.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.22.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.23.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.24.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.21.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.24.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.11
end
Note

You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority level. The node with the lower priority level is determined as the secondary node.

To check the HA status and function:
  1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.

  2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
  3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node.
  4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
  5. You can use the diagnose debug application alicloud-ha -1 command to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover.

Deploying FortiGate-VM HA on AliCloud between availability zones

Deploying FortiGate-VM HA on AliCloud between availability zones

This guide provides sample manual configuration of active-passive FortiGate-VM HA on AliCloud between availability zones (AZ)s in a single region.

The following depicts the network topology for this sample deployment:

The following lists the IP address assignments for this sample deployment for FortiGate-A:

Port

AliCloud primary address

Subnet

port1

10.0.11.11

10.0.11.0/24 EIP3

port2

10.0.12.11

10.0.12.0/24

port3

10.0.13.11

10.0.13.0/24

port4

10.0.14.11

10.0.14.0/24 EIP1

The following lists the IP address assignments for this sample deployment for FortiGate-B:

Port

AliCloud primary address

Subnet

port1

10.0.21.12

10.0.21.0/24

port2

10.0.22.12

10.0.22.0/24

port3

10.0.23.12

10.0.23.0/24

port4

10.0.24.12

10.0.24.0/24 EIP2

Note

IPsec VPN phase 1 configuration does not synchronize between primary and secondary FortiGates across AZs. Phase 2 configuration does synchronize.

To check the prerequisites:

The following prerequisites must be met for this deployment:

  • One VPC with one subnet each for management, external, internal, and heartbeat purposes for each AZ
  • Three public IP addresses:
    • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
    • EIP3 for the HA external traffic IP address
  • Two FortiGate-VM instances of the same instance type. Select a type that supports at least four network interfaces.
  • The following summarizes minimum sufficient RAM roles for this deployment:
    • AliyunECSFullAccess
    • AliyunEIPFullAccess
    • AliyunVPCFullAccess
    Note

    Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for details.

To configure FortiGate-VM HA in AliCloud:
  1. In the AliCloud management console, create a VPC with eight VSwitches (four for each AZ):

    VSwitch

    Purpose

    net1-external-za

    External data traffic on the public network-facing side.

    net2-internal-za

    Internal data traffic interface on the protected/trusted network-facing side.

    net3-heartbeat-za

    Heartbeat between two FortiGate nodes. Unicast communication.

    net4-mgmt-za

    Dedicated management interface.

    net1-external-zb

    External data traffic on the public network-facing side.

    net2-internal-zb

    Internal data traffic interface on the protected/trusted network-facing side.

    net3-heartbeat-zb

    Heartbeat between two FortiGate nodes. Unicast communication.

    net4-mgmt-zb

    Dedicated management interface.

  2. Add six ENIs: three for each AZ:

  3. Create two routing tables:
    1. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 IP address (10.0.12.11) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.

    2. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VCN's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.

To deploy the FortiGate-VMs in AliCloud:

To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.

Ensure the following:

  • You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
  • You attached four NICs for each FortiGate-VM, and assigned the static private IP address.
  • EIP1 was bound to the FortiGate-A port4 management interface.
  • EIP3 was bound to the FortiGate-A port1 external interface.
  • EIP2 was bound to the FortiGate-B port4 management interface.

To configure FortiGate-A using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.14.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.11.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.253
        next
    end
    set priority 192
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.12
end
To configure FortiGate-B using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.21.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.22.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.23.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.24.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.21.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.24.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.11
end
Note

You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority level. The node with the lower priority level is determined as the secondary node.

To check the HA status and function:
  1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.

  2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
  3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node.
  4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
  5. You can use the diagnose debug application alicloud-ha -1 command to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover.